Pfsense will not nat or open firewall port

  • I have set up a Windows 2k8 VPN server and can successfully connect to it from within my network, so I know the server settings are correct. I have screenshots of the NAT and firewall rules attached. I try doing a port scan from a couple of different websites and all of them come back saying port 1723 and 47 tcp are blocked... what am I doing wrong?

  • Someone correct me if I'm wrong, but I think on your Port Forwarding rules, delete the Source Port (they're random ephemeral ports generated by the client).  Destination Ports and NAT Ports are correctly specified as tcp/47 and tcp/1723.

    Also, consider PPTP VPNs 100% compromised and 100% insecure.  Switch to an SSL/TLS OpenVPN setup or IPSEC setup.

  • LAYER 8 Global Moderator

    Yeah, correct, those forwards would never work because of the source port being specific.

    Also - GRE is not PORT 47, it is PROTOCOL 47 - completely different!!

    Couple of ways to think about it: a PORT like you listed is normally using either the tcp or udp protocols, while tcp is protocol 6 and udp is 17.  A port tells you where, a protocol tells you how.

    I have seen this example
    ports = ears, mouth, eyeball, touch
    protocols = English, Spanish, Sign Language, Braille

    People get confused because protocols that they are used to like http and https, ssh, ftp all have default/standard tcp or udp ports they talk on like 80, 443, 22, 21 control and source port of 20 for active data channel.  But tcp and udp are just 2 of the protocols.  See the listing - there are lots of different protocols for talking over a network.

    Also – I agree pptp is deprecated, I would look to current secure options for vpn.  If you really wanted to use pptp, why not just let pfsense do it vs forwarding inbound to some other server?
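The two mistakes the moderator describes (a forward pinned to a specific source port, and GRE entered as "port 47" instead of IP protocol 47) can be shown with a simplified rule matcher. This is an added example, not code from the thread or from pfSense; the rule sets and packets are constructed, and the matcher only models protocol and port comparison, not addresses or state.

```python
from dataclasses import dataclass
from typing import List, Optional

# IANA IP protocol numbers: TCP and UDP carry ports, GRE does not.
PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723

@dataclass(frozen=True)
class Rule:
    """A forward/pass rule. src_port=None means 'any' (the correct setting)."""
    proto: int
    dst_port: Optional[int] = None
    src_port: Optional[int] = None

@dataclass(frozen=True)
class Packet:
    proto: int
    dst_port: Optional[int] = None
    src_port: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    """Simplified firewall match: protocol first, then ports only for TCP/UDP."""
    if rule.proto != pkt.proto:
        return False
    if rule.proto not in (PROTO_TCP, PROTO_UDP):
        return True  # GRE and other port-less protocols match on protocol alone
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.src_port is not None and rule.src_port != pkt.src_port:
        return False
    return True

def lint_pptp_rules(rules: List[Rule]) -> List[str]:
    """Flag the two mistakes from the thread: a pinned source port and 'tcp/47'."""
    findings = []
    for r in rules:
        if r.proto in (PROTO_TCP, PROTO_UDP) and r.dst_port == 47:
            findings.append(f"{r}: GRE is IP protocol 47, not port 47")
        if r.src_port is not None:
            findings.append(f"{r}: source port pinned; clients use random ephemeral ports")
    if not any(r.proto == PROTO_GRE for r in rules):
        findings.append("no rule passes IP protocol 47 (GRE), so the PPTP tunnel cannot form")
    return findings

# Constructed data: the rules as posted, the corrected pair, and two inbound packets.
BROKEN_RULES = [Rule(PROTO_TCP, 1723, 1723), Rule(PROTO_TCP, 47, 47)]
FIXED_RULES = [Rule(PROTO_TCP, PPTP_CONTROL_PORT), Rule(PROTO_GRE)]
CLIENT_SYN = Packet(PROTO_TCP, dst_port=1723, src_port=51234)  # ephemeral source port
GRE_PACKET = Packet(PROTO_GRE)
```

Running `lint_pptp_rules(BROKEN_RULES)` reports all three problems, and neither broken rule matches the client SYN or the GRE packet, which is why the external scans see the ports as blocked.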

  • Well, does anyone have instructions on how to go about setting up an L2TP/IPSEC VPN tunnel?

  • LAYER 8 Global Moderator

    To what endpoint, pfsense? Or through pfsense to something else?  From what client?

  • Would like to try both, but more so through pfsense to a Windows 2k8 box.