Can't for the life of me get port forwarding to work.



  • I'm trying to open 3 ports for my cod4 server. They are 20800, 20810, 28960. When I go to check if the ports are open on canyouseeme.org, it always says connection timed out.


  • LAYER 8 Global Moderator

    And what is in front of your pfsense?  99% of the time a user cannot get forwarding to work, it is because they don't understand they are behind a double NAT.

    What is the WAN (internet) IP address of your pfsense?  Does it start with 10.x.x.x or 192.168.x.x or 172.16-31.x.x?  If so, you're behind a NAT – and you can forward ports on pfsense until doomsday, it's never going to work, because the traffic is never getting to pfsense to forward.



  • You've left the equivalent of a blank post… not sure what you want us to do with no information.

    For starters, we need:

    1.  Pfsense version
    2.  network map
    3.  port forwarding rules
    4.  firewall rules



  • Sorry for the late reply but, here is my network map.

    Modem > Pfsense > Wireless AP/Switch.

    My Pfsense box is 10.0.0.1.


  • LAYER 8 Global Moderator

    So your WAN IP is 10.0.0.1 ???  I asked you if your WAN is private, and that is what you report?  That is a private address, or is that your LAN IP?

    What is the make and model of that "modem" you have in front of your pfsense?

    What are the first 2 octets of your WAN IP on your pfsense box - go to status and look!!




  • Sorry that is the LAN IP of my Pfsense box. My WAN IP is 68.119.x.x.

    My Modem is a cisco DCP3010.


  • LAYER 8 Global Moderator

    Ok, so you're not behind a NAT.  So then you're doing the forward wrong, or there is a firewall on the host.

    Is the box listening on those ports?  Are you forwarding to the correct private IP?

    You can access those services on those ports from another machine on your LAN?  You're trying to access those ports from an OUTSIDE machine, right?  You're not accessing your public IP from another machine on your local LAN?

    Post up your NATs and firewall rules!



  • Ok, so we got the network map… great... but how long are we going to drag this out?  We need the rest to help you:

    1.  Pfsense version
    2.  network map (received)
    3.  post your port forwarding rules
    4.  post your firewall rules

    also, regarding your network map... the CAT5 coming from PFsense and going to your Wireless AP/Switch... which port on your AP/switch is it plugged into... LAN or WAN?

    Lastly, what is the IP of your COD4 server?



  • Yes, I am forwarding to the correct IP and yes the box is listening. I can access the server locally just fine. Also my pfsense version is 2.0.1.

    Here are my port forwards.



    Also the cable coming from my pfsense box is going into one of the LAN ports on the switch. My IP for the cod4 server is 68.119.165.53.

    Here are my firewall rules as well.


  • LAYER 8 Global Moderator

    Show us the actual NAT rules in the listing, example

    Also do you have any LAN rules that might be preventing it from talking back - post those.

    Also again - you're trying to access from OUTSIDE your network??  Or are you trying to check with NAT reflection?

    Also do you have a software/host based firewall running on that box that might prevent access from public IP?  I just did a scan of your host for the port 28960 and it shows down.  But it also shows that you're not even answering pings.  I would allow pings when testing if your game services are going to work.  This is normally a first check before even attempting to connect to a game server.

    Starting Nmap 6.01 ( http://nmap.org ) at 2012-09-06 08:05 Central Daylight Time
    Nmap scan report for 68-119-xxx-xxx.dhcp.stpt.wi.charter.com (68.119.xxx.xxx)

    Host is up (0.038s latency).
    PORT      STATE  SERVICE
    28960/tcp closed unknown

    BTW - is the IP you posted your actual IP?  I did not post it for privacy concerns, you might want to remove that?




  • I just added LAN rules so here is the updated port forward rules.

    I'm checking with canyouseeme.org to see if the port is open on the computer where the server is running. I don't have any firewall on the machine and Windows Firewall is currently off. How would I go about allowing pings? Yes, that is my IP.


  • LAYER 8 Global Moderator

    Put in a rule to allow it - how else do you think you would allow something on a firewall??  See attached example from mine.

    So question for you - do those other nats work, the ones with the aliases?  nathan and bf3 ports?

    First thing you need to do is make sure the traffic is getting to your WAN, then is it going out your LAN - this is a simple tcpdump to see if the traffic is getting there.

    I forward NTP into my pool.ntp server – so I started tcpdump on the WAN interface em1, and then on em0 in two different ssh sessions.  I highlighted some examples of inbound NTP traffic (port 123) on my WAN 24.13.x.x and then you can see it on the LAN em0 being forwarded to 192.168.1.40

    You can also see on the lan some ipv6 traffic coming from the outside, this is through a tunnel to hurricane electric which is why you don't see the traffic on the em1 capture.






  • As far as I know those other port forwards work. I did a tcpdump on the wan adapter and then I ran a port scan with canyouseeme.org. Here are the results. It wouldn't come back with anything when I started up the server, only when I ran a port check. Sorry for the crappy quality.

    Here are the results when I ran the same test on the LAN adapter.


  • LAYER 8 Global Moderator

    So you see there is traffic being sent out your LAN port, that means the forward worked.  What seems odd is the source port is the same as the destination port??  But sure, it's possible.

    Pfsense put the traffic on your LAN interface from 77.7.139.21.28960 to 10.0.0.34.28960, which means the forward worked.  So where is the return traffic?  I would sniff on your 10.0.0.34 box, are you not seeing the traffic there?

    From your shots there, curious why you're not seeing the traffic back on your LAN port, your capture is for dst port - so the answer back should have been captured.

    So why the nonsense camera shots of a monitor at different times?  Can you not ssh to your pfsense box from some machine on the network, i.e. the one you're posting from, and do the captures at the same time and then just copy your screen?

    Why is it TCP in one capture and UDP in the other?

    I have no idea what you're trying to say here
    "It wouldn't come back with anything when I started up the server, only when I ran a port check"

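The WAN-then-LAN capture check discussed in the posts above, as an added example that is not part of the thread: it reads `tcpdump -n` text from both interfaces and reports where the flow stops. The captures are constructed, 203.0.113.5 and 198.51.100.7 are placeholder WAN and tester addresses, and the function names are hypothetical.

```python
import re

# One line of `tcpdump -n` IPv4 output: "<time> IP src.sport > dst.dport: <detail>"
LINE = re.compile(r"^\S+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): (.*)$")

NO_WAN = "nothing reached the WAN: look upstream (double NAT, ISP filtering)"
NO_FWD = "reached the WAN but not forwarded: check NAT and WAN firewall rules"
NO_REPLY = "forwarded but the server never answered: check listener and host firewall"
OK = "forward and reply both seen"

def parse(capture, proto):
    """Return (src, sport, dst, dport) for each line of the given protocol."""
    marker = {"udp": "UDP", "tcp": "Flags"}[proto]
    packets = []
    for line in capture.strip().splitlines():
        m = LINE.match(line.strip())
        if m and m.group(5).startswith(marker):
            packets.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return packets

def diagnose(wan_capture, lan_capture, wan_ip, server_ip, port, proto):
    """Classify where a forwarded flow stops, using addresses rather than
    ports for direction so a flow with sport == dport is still handled."""
    wan = parse(wan_capture, proto)
    lan = parse(lan_capture, proto)
    if not any(dst == wan_ip and dport == port for _, _, dst, dport in wan):
        return NO_WAN
    if not any(dst == server_ip and dport == port for _, _, dst, dport in lan):
        return NO_FWD
    if not any(src == server_ip and sport == port for src, sport, _, _ in lan):
        return NO_REPLY
    return OK

# Constructed captures (documentation addresses; 10.0.0.34 is the server IP from the thread).
WAN_CAPTURE = """
08:05:01.100000 IP 198.51.100.7.28960 > 203.0.113.5.28960: UDP, length 15
"""
LAN_CAPTURE = """
08:05:01.100210 IP 198.51.100.7.28960 > 10.0.0.34.28960: UDP, length 15
"""

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, "->", diagnose(WAN_CAPTURE, LAN_CAPTURE,
                                    "203.0.113.5", "10.0.0.34", 28960, proto))
```

Running the check once per protocol also answers the TCP-versus-UDP question raised above: a probe sent over one protocol never shows up in a capture read for the other.
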


  • @Tweeteh:

    I'm trying to open 3 ports for my cod4 server. They are 20800, 20810, 28960. When I go to check if the ports are open on canyouseeme.org, it always says connection timed out.

    Try:

    Firewall > NAT > Outbound
    Source: 10.0.0.34/32
    Destination: ANY

    Reset pfsense

    Let us know.

