• This is driving me crazy, I've been trying to figure this out for 2 weeks, with no luck ???.

    Help  :'(

    I have pfsense 2.0.3. I have port 443 closed against all https traffic except for certain websites that I allow using a rule.
    I have a rule to open Skype ports 33033 and 40000 to 40050.

    My problem is that Skype opens and logs in and I can see my contacts online, but I can't seem to be able to call them or chat with them.


  • @abarakat:

    My problem is that Skype opens and logs in and I can see my contacts online, but I can't seem to be able to call them or chat with them.

    What does Skype report? Is there an "access blocked" entry in the firewall log? Have you asked "skype" what ports it uses?

  • You can do 1 of 2 things.

    1.  Go into skype network settings. It picks the port it will use at random.  You can put the port you want it to use in there and then forward that port from the WAN to the IP of the computer running skype.  (besides port 80 and 443, Skype runs ALSO on 1 other port.  Not ports.  But that 1 port needs to be forwarded with NAT rules)  So, always allow 443 and 80 for skype, but also forward that 1 other port if you want the best video/audio.


    2.  Go into Services: UPnP & NAT-PMP.
        Enable UPnP & NAT-PMP
        Allow UPnP Port Mapping
        Allow NAT-PMP Port Mapping

    And select LAN for that.
    And then click change.

    (Warning - uPnP is sort of required by lots of things and is sort of a security issue in some environments)

    As far as skype not working for you, as restrictive as your LAN rules are, I'm surprised much of anything works.
    It's very blocky.

  • Thanks for the update.

    Option 1: Won't work since I have Skype on several computers, not only one, so forwarding with NAT to one IP won't work.
    Option 2: I enabled UPnP as mentioned, but no change happened. Am I doing something wrong? Any recommendation in this area would help.

    Keep in mind that this set-up is for a company, not home use, that's why it's restrictive. Honestly I was fed up with people using proxy servers to bypass security, so I closed port 443 and I'm allowing only work-related HTTPS sites to pass.

    Please note that once I allowed 443 on the network, Skype started working normally.

    After searching on the net, I came to believe that Skype requires port 33033 and a range of the high ports, so I opened 40000 to 40050, which is working fine. My problem is that Skype keeps trying to use port 443, which is closed in my network.


    Keep in mind that I'm able to log in and I get the available sign and I see my online contacts, but I'm not able to talk or chat with them.

    Question: does anyone know the list of servers that Skype uses? I can use that list in a PASS rule for port 443.

  • Banned

    There's nothing like shooting yourself in the foot. Why on earth are you blocking HTTPS???

  • I have squid and squidGuard installed to control access to sites. But users found out that by installing an application like UltraSurf and hotspot they can bypass the security and access any website they choose, which consumed lots of bandwidth, which is limited in my country and costs money if overused.

    So after searching I found out that the only way to prevent access to such applications (UltraSurf and hotspot) was to block HTTPS.

  • Banned

    Which ports need to be open to use Skype for Windows desktop?

    Read that, and note the proxy settings in there. Also note that it says absolutely nothing about random port ranges such as 33033 and 40000 to 40050.

    P.S. The correct solution to users' abuse in an environment like yours would be setting up some traffic limits and FUP/traffic shaping. Not crippling absolutely basic functionality such as HTTPS.

  • Based on the document, Skype requires unrestricted outgoing TCP access to:
    • All destination ports above 1024 (recommended)
    • Ports 80 and 443

    and I can't open all ports above 1024 and I have port 443 closed  ???

    As for the ports opened on my firewall, 33033 is the incoming port configured in Skype, and the range 40000 to 40050 is a small range of what was required (all ports above 1024). Once I had those opened I was able to connect to Skype and see my online contacts, but it doesn't allow me to talk or chat with them.

    Using traffic limits and shaping will manage the speed of the internet per user, but it won't prevent users from accessing certain websites like youtube, facebook, porn. I'm open to suggestions in this area.

  • Banned

    Please, read the entire article. If you still have problems with Skype after following that, bug Microsoft.

    No suggestions from me regarding filtering YT, FB or anything like that. Censoring web sucks.

  • Netgate Administrator

    You only need one port forwarded to each Skype instance. Each instance can be set to use a different port. Skype doesn't actually require any open incoming ports to work; however, it can produce much better results with a direct client-to-client UDP connection.
    How many Skype users are you handling?


  • Thanks for your help

    I've already read the article, and I'm still stuck.

    I would like to hear more about option 2 suggested by Kejianshi. I've also read on the net about using Layer 7 to resolve this; does anyone know anything about this?

  • @abarakat:

    Thanks for the update.

    Option 1: Won't work since I have Skype on several computers, not only one, so forwarding with NAT to one IP won't work.
    Option 2: I enabled UPnP as mentioned, but no change happened. Am I doing something wrong? Any recommendation in this area would help.

    Option 1: does work when you have static address mappings in DHCP
    Option 2: Why restrict access and then enable uPNP?

  • Thanks Steve

    I believe the problem is in the outgoing port and especially port 443

  • Gogol

    I have Static Address mapping with MAC in DHCP. The issue is that assigning port forwards for around 50 users is a big hassle and maintaining it is even worse.

    Still I believe the problem is with outgoing not incoming.

    As I said, once I allowed 443 in outgoing everything worked perfectly.

  • Banned

    Please, seriously rethink the entire setup from scratch. As you have noted:

    • extreme PITA to maintain
    • extreme PITA to use

    Then you resort to completely absurd "solutions" such as having an overly restrictive setup and digging huge holes into it by enabling UPnP. Eh…

  • OK - My solution does work.
    Slow down and take a deep breath….
    I advise not blocking 443 and 80, in general.  That's just breaking the web, not filtering it.
    For every skype you want to allow, and want to work well, forward a port to each one separately with a NAT rule.
    I assume this won't be more than a few?  Give each skype client a different port.
    On a network with uPNP enabled, skype does EXACTLY this NATing automagically.
    If you want, and it makes you happy, you can NAT forward individually in 40000 - 40050 range.  1 port per skype user. +80 +443.
    (remember, no NAT rules for 80 and 443 though - just no blocking)
    Or, since security isn't your main goal, you could just activate uPNP and forget about manual port forwards.  Skype will do it for you.

    What doktornotor lacks in subtlety, he makes up for with solid advice.  He is correct.  You should unblock EVERYTHING.
    Just delete all your blocking rules on the LANs. 
    I could walk you through setting up LIMITERS, but I bet either doktornotor or stephen10 have more experience with them.  Not sure.
    LIMITERS will control how much bandwidth users get and can be used to shut down offenders if needed.

    http://doc.pfsense.org/index.php/Traffic_Shaping_Guide  <<<<<< be sure to read.
    And to get a quick flavor for it:

  • Ok Guys, I'm taking one step back. Let's put Skype on the side for a minute.

    If I'm going to un-block (Open) port 443 (HTTPS), I need help in the following:

    1. how to block certain websites like Facebook, YouTube, porn, especially when such sites can be accessed using HTTPS like https://www.facebook.com
    2. how to prevent users from accessing proxy applications like Ultrasurf and Hotspot or any proxy server on the web.

    I read the Traffic shaping documents, and actually I'm using it to limit the speed of users who download more than 200MB per day.

    From what I see, Traffic Shaping manages the network speed, but it doesn't manage websites.

    Any recommendations regarding the first 2 points would be appreciated.

  • Well - Now you are talking.

    1.  You can use dansguardian to block lots of stuff. (it's very configurable)
    2.  You can augment that by using a free DNS filter service provided by companies like DYNdns, OpenDNS and others + dansguardian.
    This will catch HTTPS abusers.

    Still, use traffic shaping (LIMITERS) because options 1 and 2 will only work with the honest people or people whose computers you have locked down admin privileges on (because of ultrasurf).  Doesn't sound like you have any people like that there  :o  (that's normal)

  • ;D I agree, very few honest people.

    As for option one, I already have Squid and SquidGuard installed, which should do the same work as Dansguardian, but still this blocks HTTP web flow, not HTTPS.
    Can you explain more about option 2? I didn't get it. I already have a free dynamic account with DYNdns, but how can I use it to filter HTTPS?

    Don't get mad or upset, but till now I don't have a solution for managing which sites to access over HTTPS; limiting the speed is not like preventing people from accessing certain sites.

  • Well - Like I said, the effectiveness of this will also depend on you getting things like "ultrasurf" off your network.

    I did have a little conversation with some very smart people on that subject here:


    Pay special attention to one post by phil.davis and how he handles port 53 with this solution.
    Basically, you want to only allow access to port 53 to your pfsense box and the DNS servers at dyndns from the LAN.

    You can set up your DYNdns filters at https://account.dyn.com/labs/dyn-internet-guide/ (log in to dyndns first)
    Then click defense plan or default defense.  Modify it to block whatever you need blocked in the office.
    You will need to also set up your dynamic DNS service in pfsense so that dyndns always knows your network's IP.
    Then follow the instructions I gave in the thread above.
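A self-contained model of the LAN egress policy discussed in this thread (port 53 allowed only to the pfSense box and the Dyn resolvers, everything else on 53 blocked, plus the 80/443 and Skype ports), added here as an illustration; it is not code from the thread or from pfSense, it only simulates pfSense's top-down first-match rule evaluation, and the pfSense LAN address and resolver addresses are constructed placeholders:

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "tcp", "udp" or "any"
    dst_net: str   # destination network in CIDR form
    ports: tuple   # (low, high) inclusive destination port range, or None for any
    note: str

    def matches(self, proto, dst_ip, dport):
        if self.proto not in ("any", proto):
            return False
        if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst_net):
            return False
        return self.ports is None or self.ports[0] <= dport <= self.ports[1]

# Constructed placeholders: substitute your own pfSense LAN address and the
# resolver addresses given by the DNS filtering service you use.
PFSENSE_LAN_IP = "192.168.1.1"
DYN_RESOLVERS = ["203.0.113.10/32", "203.0.113.11/32"]

# LAN rules in the order pfSense would evaluate them (first match wins).
# The port 53 block must come before any broader pass rule, otherwise a host
# can point itself at an outside resolver and sidestep the DNS filter.
LAN_RULES = [
    Rule("pass", "any", f"{PFSENSE_LAN_IP}/32", (53, 53), "DNS to pfSense resolver"),
    *[Rule("pass", "any", r, (53, 53), "DNS to Dyn Internet Guide") for r in DYN_RESOLVERS],
    Rule("block", "any", "0.0.0.0/0", (53, 53), "no other DNS servers"),
    Rule("pass", "tcp", "0.0.0.0/0", (80, 80), "HTTP"),
    Rule("pass", "tcp", "0.0.0.0/0", (443, 443), "HTTPS (Skype needs this too)"),
    Rule("pass", "any", "0.0.0.0/0", (33033, 33033), "Skype listening port"),
    Rule("pass", "any", "0.0.0.0/0", (40000, 40050), "Skype high ports"),
    Rule("block", "any", "0.0.0.0/0", None, "default deny"),
]

def evaluate(rules, proto, dst_ip, dport):
    """Return (action, note) of the first rule matching an outbound LAN flow."""
    for rule in rules:
        if rule.matches(proto, dst_ip, dport):
            return rule.action, rule.note
    return "block", "implicit default deny"

if __name__ == "__main__":
    for flow in [("udp", "192.168.1.1", 53), ("udp", "8.8.8.8", 53),
                 ("tcp", "198.51.100.5", 443), ("tcp", "198.51.100.5", 8443)]:
        print(flow, "->", evaluate(LAN_RULES, *flow))
```

Each decision comes with the note of the rule that produced it, which is the same information you would look for in the pfSense firewall log when a client such as Skype reports it cannot connect.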