• Issue not solved but thanks for the help.. time to start from scratch :(

  • LAYER 8 Global Moderator

    To be honest, any idiot should not have an issue with this.  I would create aliases for those ports and ranges, one for tcp, one for udp.  Then in your nat (port forward) pick the alias name.  It really is just click, click, done.

    Here - if this takes more than 1 minute for you to do, you're overthinking it.

    Now where users NORMALLY always have issues is they are behind a DOUBLE nat, so pfsense never even sees the traffic to forward.  If the WAN IP of pfsense starts with 10.x.x.x or 192.168.x.x or 172.16-31.x.x then it's behind a NAT.  And you have to forward these ports on the device in front of pfsense doing nat before pfsense can even forward them.

    I was real quick here, less than 30 seconds - so use something like tcpgame, udpgame for your aliases.  And I put in the wrong forward IP.  In the port forward, for the port and redirect port you're putting in the alias name you used - I just used tcp in mine, be a bit more specific in yours.

    Also another issue users have is any software firewall running on the IP they are forwarding to.
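
Editor's added example (not part of the thread): a POSIX shell helper for the double-NAT check the post describes. It classifies the address pfSense holds on its WAN as private (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or public. It goes one step beyond the post by also flagging 100.64.0.0/10, the carrier-grade NAT range (RFC 6598), which has the same consequence: the ISP device in front of pfSense owns the public address and must forward the ports first. The interface name em0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: is the pfSense WAN address a private
# address, i.e. is pfSense sitting behind another NAT device?
# On pfSense itself you would feed it the live WAN address, e.g.
#   nat_verdict "$(ifconfig em0 | awk '/inet /{print $2}')"   # em0 assumed to be WAN

# is_private A.B.C.D -> exit 0 if private or CGNAT, 1 if public, 2 if malformed
is_private() {
  case $1 in
    *[!0-9.]*|"") return 2 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs      # split into octets
  [ $# -eq 4 ] || return 2
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 2
  done
  a=$1; b=$2
  if [ "$a" -eq 10 ]; then return 0; fi                                             # 10.0.0.0/8
  if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; fi    # 172.16.0.0/12
  if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 0; fi                       # 192.168.0.0/16
  if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then return 0; fi   # 100.64.0.0/10, RFC 6598 CGNAT
  return 1
}

# nat_verdict A.B.C.D -> one line saying what the address means for port forwards
nat_verdict() {
  is_private "$1" && rc=0 || rc=$?
  case $rc in
    0) echo "$1: private address on WAN, pfsense is behind another NAT; forward the ports on the upstream device first" ;;
    1) echo "$1: public address on WAN, pfsense sees the inbound traffic directly" ;;
    *) echo "$1: not a valid IPv4 address" ;;
  esac
}

# Constructed sample addresses (203.0.113.10 is documentation space, used here as "public").
for ip in 10.0.0.5 172.20.1.1 100.70.3.4 203.0.113.10 172.32.0.1 300.1.1.1; do
  nat_verdict "$ip"
done
```

If the verdict is "private", no pfSense NAT rule can help until the upstream box forwards the same ports to the pfSense WAN address.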

  • LAYER 8 Global Moderator

    What do you mean enable all ports?  Do you have rules on your lan limiting outbound?  The default lan rule is allow any any out.

    Just because you got something from portforward does not mean they are correct ;)  I find it highly unlikely you need all those ports forwarded to play/host a game.

    This takes all of 1 minute to troubleshoot..

    1 - Is the traffic actually hitting the pfsense wan?
    2 - Is pfsense sending on the traffic via its lan port, where the IP you're forwarding to is?
    3 - Does the box you're forwarding to reply?

    For the ports to work, there has to be something listening ;)

    Why do you feel they do not work?  Are you checking the forward from the OUTSIDE?  Please post your firewall rules for both lan and wan, and do you have anything in the floating tab?

    I would do a simple sniff on pfsense first on the wan to validate the traffic even gets to pfsense.  Do testing of forwards from OUTSIDE the pfsense wan.  If you're testing from something inside then you have to make sure your nat reflection is set up and working.  Always validate forwards from something on the outside of the pfsense wan interface.

    Tell you what - either let me teamviewer in and we can take a look-see, or give me remote access to pfsense and I will take a look.  It really is as simple as a couple of minutes to check the flow of the traffic.

    Are you running any 3rd party antivirus/security software on the client behind pfsense that could be interfering with network traffic (bitdefender, etc.)?

    BTW are you sure you even need to forward these ports?  Most games list outbound ports unless you're HOSTING; the default setting in pfsense is outbound any any.  Trying to find an official listing and not having much luck.
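
Editor's added example (not part of the thread): a shell script for the three-step check above, run from the pfSense shell while someone connects from OUTSIDE the WAN. It turns the port alias entries into tcpdump filters for the WAN capture (step 1) and the LAN capture toward the forward target (step 2), and prints a listener probe for step 3. pfSense writes alias port ranges as start:end, tcpdump wants portrange start-end, so the script translates between the two. The interface names em0/em1, the target 192.168.1.50 and the port lists are constructed assumptions; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the thread: generate the tcpdump filters for the
# three-step forward check (WAN -> LAN -> does the box answer?).
# Everything below is a constructed setup; change it to match your box.
WAN_IF=em0                      # pfSense WAN interface (assumed)
LAN_IF=em1                      # pfSense LAN interface (assumed)
TARGET=192.168.1.50             # host the forward points at (assumed)
TCP_PORTS="27015 27020:27030"   # entries of a hypothetical tcpgame alias
UDP_PORTS="27015 27031:27036"   # entries of a hypothetical udpgame alias

# bpf_ports PROTO ENTRY... -> tcpdump filter matching the alias entries.
# pfSense alias ranges are written start:end; tcpdump wants "portrange start-end".
bpf_ports() {
  proto=$1; shift
  expr=""
  for entry in "$@"; do
    case $entry in
      *:*) term="portrange ${entry%%:*}-${entry##*:}" ;;
      *)   term="port $entry" ;;
    esac
    [ -z "$expr" ] && expr=$term || expr="$expr or $term"
  done
  printf '%s and (%s)' "$proto" "$expr"
}

# ports_for tcp|udp -> the alias entries for that protocol
ports_for() { [ "$1" = tcp ] && printf '%s' "$TCP_PORTS" || printf '%s' "$UDP_PORTS"; }

# Step 1: capture on the WAN. No packets here while the outside tester connects
# means the traffic never reaches pfsense (double NAT, wrong public IP, ISP
# filtering) and no pfsense rule can fix that.
step1_wan() { printf 'tcpdump -ni %s "%s"' "$WAN_IF" "$(bpf_ports "$1" $(ports_for "$1"))"; }

# Step 2: same moment, LAN side. Packets to TARGET prove the NAT rule and its
# linked WAN firewall rule work; packets back from TARGET already answer step 3.
step2_lan() { printf 'tcpdump -ni %s "host %s and %s"' "$LAN_IF" "$TARGET" "$(bpf_ports "$1" $(ports_for "$1"))"; }

# Step 3: SYNs to TARGET but no SYN-ACKs back means nothing is listening or a
# host firewall drops them. Check on the host (sockstat -4l on FreeBSD,
# ss -lntu on Linux, netstat -ano on Windows) or probe a TCP port from pfsense.
step3_probe() { printf 'nc -zv %s %s' "$TARGET" "$1"; }

# Print the commands for both protocols. Testing from a LAN client instead
# needs NAT reflection and proves less; always validate from outside the WAN.
for p in tcp udp; do
  echo "# $p, step 1 (WAN):";  step1_wan "$p"; echo
  echo "# $p, step 2 (LAN):";  step2_lan "$p"; echo
done
echo "# step 3 (TCP listener on the target):"; step3_probe 27015; echo
```

Run the step 1 and step 2 captures in two shells at once; the first one that stays silent tells you which hop to fix.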

  • LAYER 8 Global Moderator

    I saw you emailed and responded.  You have a couple of issues I see right away: you have the tcpgaming alias in a nat, and it says it's linked, but there is no wan firewall rule for it.

    Also on your outbound nat you have a lot of blocks to lists with pfblocker, and also you're running IPblocker?  You sure you're not blocking outbound to them?  Also all your lan rules below the default any any rule are pointless and would never be used.

    edit: also seems you're running something that is giving you blocks like this in your firewall?

    That is outbound from your lan - a lot of them, what are you trying to ftp to?  It's being blocked.

    On your wan
    Pri : 2
    Cat : Potentially Bad Traffic

    Why are you running a /8 on your lan interface, but dhcp is only /24 - and from your leases you only have 1?  Seems like an oddball configuration.  How many clients do you have that you would need the pfsense lan to be on a /8?

    From the traffic in your firewall you seem to be going way overboard ;)

    So that is from snort - you sure that is not your issue?  Snort has all kinds of false alerts and issues if not really gone over with a fine-tooth comb and configured.

  • LAYER 8 Global Moderator

    Security reason for what??  It's outbound traffic - are your clients hostile?  Why would you not let them create connections to what they might need to connect to?

    In a company, sure you limit what they can do.  But if you're wanting to game off this connection I doubt it's work or business, etc. ;)

    But seems like you got every security feature under the sun turned on :)  Clam AV, snort, pfblocker, etc. etc.  Yeah, you're going to have issues trying to game in such a setup.

    I would remove all that stuff.  Use a default pfsense setup.  Create your forwards if you think you need them - but to be honest most of those ports are prob listed as required outbound.  I would suggest firing up the game and using a tool on the pc to see what ports the exe tries to talk on.

    Then once you have that in place you can start locking down your rules if you want.

    Default pfsense blocks all unsolicited inbound traffic, and allows all outbound traffic.  This would be a default home setup and secure enough for a home.  Snort is going to be a pain if not really gone over and configured for what you want it to look for.  Blocking huge chunks of IP addresses from a list outbound is also sometimes painful.  I use pfblocker myself, but I only use it to block inbound to my forwards for 22, and what I answer ping to, etc.

    As to your specific forward problem - you did not have firewall rule for the gamingtcp alias, so that would never work.

    Let me know how I can help if you have more questions - but from what I see, fix the firewall wan rule, and then remove all that snort and pfblocker stuff to troubleshoot game play and forwards.  Then once you know it works you can turn those types of systems back on and troubleshoot what in them might be causing you problems if any, etc.