Another Port Forwarding Post



  • OK, so yesterday I decided to start building my router and, like every other n00b out there, I cannot seem to get any of my forwarding working. I have spent the last 2 days reading and watching YouTube till my eyes bleed. I don't know if something is just getting lost in translation or I'm just so beat to death that I'm not comprehending what I'm doing anymore. That all said, here is what I'm trying to do and what I'm trying to do it with.

    ISP:
    ATT UVerse
    ATT modem/router
    The PC:
    PCI gigabit Lan card - Set as WAN
    On Board Lan - Set as Lan

    The Network:
    ATT set to DMZ Plus >
    PFSense gigabit Lan Card with public IP 76.233.x.x >
    On Board Lan connected to 8 Port gigabit switch

    Connected to the switch:
    PC 1 - running Windows 7 as well as VirtualBox, which is running a LAMP server for my websites.
    PC 1 actual IP is 192.168.1.70 / VirtualBox IP is 192.168.1.104
    CCTV DVR - IP 192.168.1.103

    The problem: I can't seem to get port 80 opened for the VirtualBox LAMP server and cannot get the DVR port open either. If I try to access the DVR from my cell using 3G it just times out and says it can't connect. If I try to connect to my web server then I get a 502 Bad Gateway error. If I try to connect to the web server from within the network (PC 1) it tries to connect through HTTPS and I get a 501 Potential DNS Rebind Attack Detected.

    So what exactly am I missing here? I know I'm a n00b and am only used to using an ISP router, but it just can't be this difficult.

    Here are some attached screen shots of the firewall info.







  • LAYER 8 Global Moderator

    And does your ISP allow 80 inbound? Many ISPs block such a port because you're not supposed to be running servers.

    As to your CATV, you sure it's only UDP 9000?  I find that unlikely actually..  That it would only be UDP to do what, watch what is on your DVR?

    The LAN rule is pointless for your port 9000, but on that you have it set to UDP/TCP.  The rule above it allows your LAN devices to answer back and talk to the internet.  Even if you discount the state that pfsense will create when it forwards the traffic.

    Pick another port that is unlikely to be blocked.  Your rights that difficult, you create a nat rule and bam your ports are open - have never had issue one in creating a nat other than to virtual machine where pfsense was running on the same lan interface and was trying to forward to the same interface, etc.

    Troubleshooting port forwards is pretty straight up.  Is the box you're forwarding to listening?  Are you forwarding to the correct IP, port, protocol?

    Does the traffic get to your pfsense WAN, does it leave your pfsense LAN?  Does it get to the box you forwarded to?  All of which can be checked with a simple sniff, 2 of which on pfsense itself. If you see it leave your LAN on pfsense - then the issue is mostly a firewall on the host you're forwarding to.  Or that host is using a different gateway than your pfsense LAN interface IP.

    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • ISP allows inbound port 80, I have been running my web server for years without issue. It's a CCTV DVR not a CATV DVR, yes it is port 9000 UDP, it allows me to view the cameras on my mobile device. It has also been running for the last 2 years without issue. Only after I hooked everything up to the PFSense box did things stop working. If I hook everything back up to the ATT box like it originally was then everything works just fine.

    When I set up the LAN rule I was at the point where I was just adding what I could to see if it would work, as I'm new to this, and have since deleted it since you mentioned it was not needed.

    I have cleared the log and tried to access the web server but all the log shows is blocked UDP and nothing for TCP or anything coming in or out on port 80 not to mention I'm not even sure I'm looking in the right spot more-less reading it right.



  • LAYER 8 Global Moderator

    Well if you're not getting traffic to your pfsense, how could it forward it?  I would have to think your ATT box is blocking.

    Vs looking at the log, which wouldn't show you anything if not getting there or if passed - fire up a sniff!  Under diag, then do a test from something like canyouseeme.org or your phone, etc.

    If you don't see the traffic, then how can pfsense forward it?



  • I don't see a sniff under diagnostics, or what exactly do you use to accomplish this?


  • LAYER 8 Global Moderator

    packet capture!

    Also what is the model number of this CCTV dvr - I find it hard to believe that all you need is udp 9000.  1 port inbound on UDP, does not seem to sound right for viewing anything.



  • OK, here is a capture I just did. I also changed it to LAN and put the web server address in while trying to access it from my phone and got no results.

    On the CCTV DVR, it was TCP. I went back and double-checked the old firewall on the ATT box and realized that there was a UDP rule for something else just under it and I guess I cross-eyed it.

    ![Wan Capture.JPG](/public/imported_attachments/1/Wan Capture.JPG)


  • LAYER 8 Global Moderator

    And that looks like you talking to 199.47.216.144 to me, not inbound traffic to you on 80

    Since that is dropbox
    ;; QUESTION SECTION:
    ;144.216.47.199.in-addr.arpa.   IN      PTR
    ;; ANSWER SECTION:
    144.216.47.199.in-addr.arpa. 2652 IN    PTR     sjc-not1.sjc.dropbox.com.

    Create some traffic from a KNOWN IP..  So for example I show canyouseeme.org here – now you know the IP the traffic should be coming from, then create the traffic on your port.  80 is going to be lots of traffic in and out of your box..  But that is your box talking to dropbox if you ask me, not inbound unsolicited traffic.




  • This morning I placed my PC 1 with the VirtualBox web server back on the ATT router in DMZ mode, the same way the PFSense box is. I am able to get to the website now without issue and canyouseeme.org reports that it can see me on port 80.

    This would lead me to believe that something in the PF box is not working properly. It lets outbound traffic out but no inbound apparently.

    So being new to this, where should I look to fix this? Could it be the configuration of the WAN card, LAN card? I know it's got to be something simple and I'm just missing it. I even went as far last night as changing the IP scheme of the ATT box to a 172.x.x.x network because even though pfsense was in the DMZ I thought maybe the 2 networks having the same IP layout was causing problems.

    I know dealing with n00bs can be a pain but the help is appreciated.


  • LAYER 8 Global Moderator

    And again!!!  If you're not seeing the traffic on PFSENSE, there is nothing you can do on pfsense to forward something that is NOT THERE!!

    So in DMZ mode you're forwarding to what?  What IP address does pfsense get on its WAN?  Again, if you cannot see the traffic from canyouseeme.org it's something on your box in front of pfsense, not pfsense, that is your problem.

    You state you "ATT box to a 172.x.x.x network because even though "

    Sure sounds like double NAT to me..  Put your ATT box in bridge mode so that pfsense gets a PUBLIC IP, if that does not work - then what is pfsense wan IP?  Access your ATT box and directly forward your port 80 to that IP, then on pfsense forward to what you want.

    You state pfsense has public IP 76.233.x.x, are you getting that via DHCP, or are you setting it??

    So I have seen this issue with DMZ mode, if you have another forward.  Let's say I have 192.168.1.10 and .20 as private behind a NAT device.  And I forward port 80 to .10 and put .20 in DMZ..  .20 never sees any 80 traffic because it's forwarded to .10.  Could that be your problem with this DMZ mode you mention and how it works when you're connecting to your ATT box directly?

    edit: Another thing that confuses some people - if their device in front of pfsense is in bridge mode, and pfsense is getting a WAN IP from the DHCP server at the ISP.  When they change in pfsense for the pc or whatever that IP can not change because of different MAC.  So what they thought was their public IP before, is no longer their public IP.  And when they switch in the other device they get their old IP back again..

    You need to verify your public IP, and you need to verify that pfsense is seeing the traffic before you look to why pfsense is not forwarding anything.



  • OK. The 76.233.x address is the public IP that pfsense gets when it's connected to the AT&T box, which is in DMZ mode. If I have the web server connected to the pfsense box then the web server gets no traffic. If I take the pfsense box out of the network and place the web server in the DMZ of the AT&T box then traffic to the web server passes just fine.

    So what I don't understand is, if the web server works fine on the AT&T box in the same DMZ mode as the pfsense box but then doesn't work when the web server is going through pfsense when the pfsense box is connected to the DMZ port of the AT&T box, then how can it not be a pf problem? Server works in front of it just fine. Just not after.

    My 76.233.x address is the public IP from AT&T. I have had that same IP for 10 years. When the AT&T box is put in DMZ mode it assigns that IP to the device that sits on the DMZ.

    I can sit and look at the logs all day. But I still cannot tell you what I'm looking at. I don't know how to read the log properly. This is all new to me and I'm only doing it to learn something new. But I'm not learning anything other than where the beer and ibuprofen is.

    I'll try some more tonight. I'm posting this on my iPhone so I may not have covered everything.


  • LAYER 8 Global Moderator

    Not sure what you're going to try, port forwards take like 2 seconds.. You create the NAT, pfsense creates that and the firewall rule, unless you're unchecking for it to do that.

    From what you posted - there was NO inbound traffic to your pfsense IP to port 80.. That traffic there was something talking to dropbox.com  Mostly a box behind pfsense.

    I already showed how simple it is to verify your traffic..  Start a sniff on your wan interface.. generate some traffic on canyouseeme for some ODD port so you can see that traffic and IP it comes from, then create traffic to port 80..  Do you see inbound from that same canyouseeme IP to port 80 from some random source port?

    So when you connect this box directly to your ATT box it GETS the public IP, when you connect it to pfsense it gets a PRIVATE IP..  You sure you're listening on this private IP?  You sure you don't have some firewall on this webserver?

    Step 1 in troubleshooting anything with pfsense is to make sure pfsense is SEEING the traffic on its WAN.. There is no point in testing anything behind pfsense if you're not 100% sure that traffic is getting to pfsense WAN..  As stated you cannot forward something that is NOT there.

    What you have shown so far is that there is NO Inbound traffic to pfsense wan port on port 80.
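
The WAN check described in the post above, as an added example that is not part of the original thread: it sorts capture lines into unsolicited inbound SYNs to the forwarded port versus a LAN host's own outbound web traffic, which is the mix-up in the earlier capture. The `tcpdump -n` text format, the WAN address 203.0.113.10 and the tester address 198.51.100.7 are assumptions (constructed placeholders); 199.47.216.144 is the Dropbox address quoted in the thread.

```python
import re

# One `tcpdump -n` text line: "<time> IP <src>.<sport> > <dst>.<dport>: Flags [S], ..."
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify(line, wan_ip, port):
    """Label one capture line relative to the forwarded port on the WAN IP."""
    m = LINE.match(line)
    if not m:
        return "unparsed"
    if m["dst"] == wan_ip and int(m["dport"]) == port:
        # A new connection attempt carries SYN without ACK.
        return "inbound-syn" if m["flags"] == "S" else "inbound-other"
    if m["src"] == wan_ip and int(m["dport"]) == port:
        return "outbound-client"    # a host behind the firewall browsing out
    if m["dst"] == wan_ip and int(m["sport"]) == port:
        return "reply-to-outbound"  # the remote web server answering back
    return "unrelated"

def wan_sees_test(lines, wan_ip, port, tester_ip):
    """True only if the known tester IP sent a SYN to wan_ip:port."""
    for line in lines:
        m = LINE.match(line)
        if (m and m["src"] == tester_ip
                and classify(line, wan_ip, port) == "inbound-syn"):
            return True
    return False

WAN_IP, TESTER_IP = "203.0.113.10", "198.51.100.7"  # constructed placeholders

# Constructed capture: port 80 appears, but only as outbound web traffic.
CAPTURE_BEFORE = [
    "10:15:01.100000 IP 203.0.113.10.49152 > 199.47.216.144.80: "
    "Flags [S], seq 100, win 65535, length 0",
    "10:15:01.140000 IP 199.47.216.144.80 > 203.0.113.10.49152: "
    "Flags [S.], seq 200, ack 101, win 14600, length 0",
]
# Constructed capture once the upstream box passes the tester's probe through.
CAPTURE_AFTER = CAPTURE_BEFORE + [
    "10:20:07.300000 IP 198.51.100.7.51514 > 203.0.113.10.80: "
    "Flags [S], seq 300, win 29200, length 0",
]

if __name__ == "__main__":
    for name, cap in (("before", CAPTURE_BEFORE), ("after", CAPTURE_AFTER)):
        print(name, [classify(l, WAN_IP, 80) for l in cap],
              wan_sees_test(cap, WAN_IP, 80, TESTER_IP))
```

Until `wan_sees_test` is true for the WAN capture, the port-forward rules behind it have nothing to act on.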



  • OK. When I get home I'll do as you say and verify the traffic.

    I know how difficult it is to try and tell someone how to do something they have never touched before and I appreciate the patience with me.


  • LAYER 8 Global Moderator

    I can walk you through verification of traffic getting there, that is no problem - if need be I am open to using say teamviewer and we can walk through it together via your PC, where we can chat and you can see everything I do, etc.

    But until we can verify there is traffic getting to the pfsense, there is nothing to troubleshoot ;)



  • OK!!!! Good NEWS!!! LOL IT WORKS!!

    So today while at work I had nothing going on so I decided to spend some time reading 2 books that a beginner with pfSense and real networking needs to have. One is "pfSense: the Definitive Guide" and the other is "pfSense 2 Cookbook".

    After taking the time to slow down and actually read your posts I sat down this evening to do exactly as you stated. There was no traffic inbound. At that point I decided I was going to start everything from scratch. I reinstalled pfSense and started at the beginning. As I started setting things up I had a separate machine tied to the AT&T box to watch what it was doing as well. I noticed that even though my VirtualBox PC was connected to the pfSense network it kept popping up on the AT&T box as well. This being exactly what you had suspected, a double NAT. This is where the 2 books came into play. They helped me understand what you were saying with the double NAT and it gave me some insight on how to fix the issue.

    So I unplugged every connection from the pfSense box with the exception of the PC that runs the VirtualBox web server, and with my extra PC tied to the AT&T box I completely blew out all the previous NATs and reset the unit to factory defaults. Once that was done I noticed that the double NAT went away. I then did the test to check for traffic to the pfSense box using canyouseeme.org and sure enough, pfSense was now seeing traffic!!

    I then set up the NATs for the ports I needed on the pfSense box and sure enough my web sites were back live as well as my CCTV DVR. Everything is working and I now have a much better understanding of pf and real routing.

    I would like to say thanks to you johnpoz for sticking with me even though it was like teaching a wall how to be a door. With that I would like to tell everyone out there looking for help this: SLOW DOWN!! Get yourself the two books I mentioned and read them front to back, and when you come here asking the gurus for help actually read their posts, follow their process and don't be stubborn, you asked for help for a reason.


  • LAYER 8 Global Moderator

    Well that is great news.. Glad you got it sorted..

    Sure you're going to love pfsense, see how easy it was to create a NAT ;)



  • Yep. I have now started adding packages and all is going well except for squid and lightsquid. But I'll figure them out tomorrow. My brain needs a rest, and since I have been playing with pf since Saturday non-stop my wife thinks I'm a stranger ahaha


  • LAYER 8 Global Moderator

    This is your home network, right?  Other than playing with, normally home networks have no use for a proxy.  Now I used to use them back in the day when I needed to keep an eye on teenage son's internet usage and filtering of porn ;)

    Unless you're just wanting to play/learn about how to use a proxy in pfsense - not sure I would install.  Complicates the setup without justification most likely.



  • I initially wanted to install it for the web cache and to monitor where my son goes on his iPad. Then I decided I really don't need it so I deleted it. I will eventually set up another box I have to do testing and learning on; now that I have a live box I don't want to go jacking it up LOL.

    Everything is working except for 1 thing. When I go to my website using the same machine the VirtualBox is on, it forces me to HTTPS and then gives me a DNS issue.

    I can reach the websites just fine from any device on the network except for the PC hosting the virtual box.


  • LAYER 8 Global Moderator

    And how are you trying to access the website?  Using public IP/FQDN using NAT reflection?  If you're local and accessing the local IP, pfsense is not in the picture, you never talk to pfsense when doing that.

    Do you have NAT reflection enabled, if you're wanting to access your local network using the public IP for pfsense just to forward you back in?



  • Accessing the site from a private 192.168.1.x network behind PF to a 192.168.1.x address. My Windows 7 PC that has VirtualBox running on it with the web server. Access to the site is fine from any computer on the network, just not the host PC with VirtualBox running on it.

    What it does is, when I put the web address in, it automatically directs me to the HTTPS address which doesn't exist, no certificates for it. Anyway, I just went into my web server and turned SSL from default to off on each domain and that fixed the problem. Only problem is if I ever decide to do SSL on those sites I'll have to figure out the real reason it didn't work.

    But to answer the other half of your question. I do have NAT reflection on.


  • LAYER 8 Global Moderator

    "Accessing the site from a private 192.168.1.x network behind PF to a 192.168.1.x address."

    Then pfsense has nothing to do with that traffic.  You only talk to pfsense if you're wanting OFF the 192.168.1.x network.

    If you don't have an SSL cert, then no, your webserver cannot serve up SSL.  If you want to access SSL from outside pfsense, then you would need to forward 443.

    But again, if you're just talking between 2 clients on your same 192.168.1.x network - then pfsense is not involved in that conversation.  Unless you were bridging two interfaces on pfsense, and one machine was connected to one and the other connected to the other interface on the pfsense bridge.  Other than that sort of setup - no, pfsense is not involved in local network traffic.

