UDP Port Traffic Filtered on PFS. Host Cannot connect with their firewall on.
Hi , First off. If you wish for me to provide more information for you to assist just please ask and I will be very happy that you are willing to help.
I will give you a quick run down on my topology.
I have a PFSense Box , With 1 WAN and 1 LAN Interface, the LAN is connected to a DD-WRT Box (WNDR4000) That has everything disabled other then the 2 AP, the WAN Port is changed to a switch port, everything on VLAN 1, This is connected to a Cisco 2960 switch for users.
The WNDR4000 is simply there to be used as a 1Gb switch for the server and a couple high bandwidth users. oh yea wifi also..
The machine having issues is a windows box, this box has many things running on it , all with Gui access on different ports ( all TCP ) everything works great. No complaints.
The Issue falls when it comes to having the TeamSpeak server, where I have never had an issue like this before (Just recently changed over from SmoothWall) . TeamSpeak runs on 3 Ports, 10011, 30033 (TCP) and 9987 (UDP) the UDP Port you can make anything you want, I have 2 running one on the default and one on port 666.
All Ports have NAT configured correctly at least in a sense where users are able to connect as long as they shut off there firewall on there host machine. Now I have searched the boards and google and I can not find anything on this issue. I also work in a networking job and asked around and everyone said what I already know…. The UDP Port is being filtered. I understand that, but in PFSense itself where is the special place to "remove the filter" or do what needs to be done to allow the UDP Traffic… I need the CLI command line for the access list I assume.. But I don't know if i'm just tired or Google really has no info on PFSense… :(
Please I have spent at least 20 hours on the Web panel and google racking my brain. This is my last hope if I cant get this to work I will have to leave PFSense and I honestly do enjoy it much more then the other distributions I have used.
Ok , So a little update and I guess bump at the same time. I have played with the box some more, re-installed re-configure… Now I had at one point a my friend advised they were able to connect with or without the firewall on , but I had another user on a different ISP only able to connect with just his firewall OFF, At this time I tried to connect myself from my local network via WAN IP.. No go. I also tried my LTE connection, No go. So I am VERY Confused because I have now broken PFSense to the point where it's breaking my brain... LOL To give a little background on myself. I do work in Break Fix Network Operations for a large corporation and I also have my CCNA and continuing studies with Cisco.
Now this is where my problem remains, This is for my stuff I have at home... I have even asked guys at work this and I need better understanding of the CLI commands for PFSense. But from what I understand all firewall related rules and NAT are stored in XML files and not directly editable by CLI? Please may someone assist me, I am VERY Stuck and would very much like to continue to use PFsense...
cmb last edited by
Not familiar with TeamSpeak. Sounds like something you're trying to forward ports inbound from the Internet for? In that case, packet capture on WAN filtering on the port in question that doesn't work, attempt to connect, stop the capture and see if it gets there. If so, switch to LAN and try again. Every possible reason port forwards won't work is outlined here:
1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?). Hint: You probably do NOT want to set a source port.
2. Firewall enabled on client machine.
3. Client machine is not using pfSense as its default gateway.
4. Client machine not actually listening on the port being forwarded.
5. ISP blocking the port being forwarded
6. Trying to test from inside your network, need to test from an outside machine.
7. Incorrect or missing Virtual IP configuration for additional public IP addresses.
8. The pfSense router is not the border router. If there is something else between pfSense and your ISP, you must also replicate port forwards and associated rules there.
9. Forwarding ports to a server behind a Captive Portal. You must add an IP bypass both to and from the server's IP in order for a port forward to work behind a Captive Portal.
So there it is #2 the problem, But where is the FIX? am I not reading close enough ??
cmb last edited by
Then the fix depends on the client firewall in question and has nothing to do with pfSense. You'll have to fix the client firewall in that case. Usually the source machine's firewall isn't an issue, but rather the destination machine's host firewall, but it's possible to be either/or/both.
It is all windows machines that are having the issue connecting. Maybe I wasn't clear in the update I put but the issue is on machines with or without the firewall turned on and they are all Windows 7 or 8 machines. I have never run into this issue with any other router/firewall dist. that I have used before.
Please can I get some more detailed information in regards to the issue. In the most simple way I can explain it this is the run down.
Clients connect to a "VOIP" style server (It's called TeamSpeak, Its just a voice chat for online gaming)…The server runs off of 3 Ports, 2 TCP 1 UDP , The ServerQuery is listening on port 10011 (TCP) and file transfers will use port 30033 (TCP)...The voice data itself listens on 9987(UDP) <---This port you can change to be whatever you want to open on your box. With the 1 "Server" Program running this can host as many Virtual servers as you wish. So you can have 100 UDP Ports for 100 Servers, Really doesn't matter.
I have changed my NAT Rules so many times now that I don't think a screenshot will do any justice as I have changed the config so many ways NOTHING has worked 100% , It's many intermittent issues (As one being FW being an Issue for some users and others not )
Please, I need for the port to listen on UDP and accept ALL Traffic on that port from WAN and LAN. Please can someone provide a rule, or a screenshot or a CLI command.
Thank you again, Rob.
here is a packet capture of 2 device that are unable to connect, one from the cloud , the other local…I have tried NAT and FW rules for both the range of udp ports i see required, all udp ports , ALL ports.. and I still end up with the same packet capture...something is being filtered..any input?
I have a similar setup actually, and have hosted a teamspeak server without an issue. I even have the same netgear wireless router. I wouldn't suggest opening 10011 to the public, as the listening service is SQL-lite and as well all know, SQL is the glory hole to the internet. If you use a web-widget or whatever to show who is on your teamspeak server, I would restrict access to 10011 to that 1 specific site's IP. Which you will need to contact the webhost to see what IP their quarries are sent out from. Been down that road too ;-P
I have my DD-WRT configured a little differently. Because I do not need all four of the switch ports on the DD-WRT, my OPT-1 (LAN in your case) connects to 1 of the four switch ports instead of the WLAN. I've disabled every service possible (DHCP, DNS etc…) on the DD-WRT so it's merely a switch / access point.
All NAT should be handled by your Pfsense box, the dd-wrt should not be firewalling or doing NAT. Double NAT will make your life suck when troubleshooting.
..just did exactly as you said…still having issues.....im so confused ....
like that screenshot I posted is hosted off the same box...so im almost 99% sure its something to do with just udp filtering but what!! lol :(
Have you tried taking the dd-wrt out of the equation? So it's just modem > pfsense > pc? Even though you've tried both with and without the windows firewall, you should continue testing with windows firewall turned off.
I'm pretty confident it's nothing to do with pfsense, I'm able to host a TS server without an issue. I can even host one when I get home for you just to verify.
Another troubleshooting idea, see if a local machine can connect to your TS server. If this still fails at least you've narrowed down the issue to the server and not pfsense.
the DDWRT is acting strictly as a switch, it's been taking out of the topology for shits and giggles, makes no difference. windows firewall on or off , no difference , i setup a 3rd nic on the pfsense box, setup rules all over again , change servers hosting Teamspeak, and it doesn't matter. It refueses the connection from the cloud only for some clients, my mobile phone being one of them.. yet it works for 1 person randomly.. everything works great with local ips.
Did you turn on logging for the ts3 firewall rule, then check the logs to see if the firewall is reacting to the rule? If nothing yields, then go into the log settings and enable logging for packets blocked by the default rule. Do you have any packages installed on pfsense? Have you tried using packet capture under diagnostics via pfsense? (diag_packet_capture.php) (I think CMB recommended this as well but you didn't say if you had tried it or not)
If you want I can export my firewall configuration (minus some details naturally) for you to look over. Maybe setup a virtual machine and load it to compare settings. I did not have to disable anything to get teamspeak working, no UDP filtering buttons to turn off etc…
*Also, could you post a screenshot of your NAT and Rules pages?