Netgate Discussion Forum

    Need assistance getting port forwarding working correctly

Category: NAT
18 Posts 3 Posters 3.6k Views
kejianshi:

      12.3.3.98 is a private IP on your LAN?

ejoy:

        @kejianshi:

        12.3.3.98 is a private IP on your LAN?

        Yes that is correct, it is an internal IP address on our LAN

kejianshi:

          Hmmmm.  OK.

It's a PRIVATE IP then?

johnpoz (LAYER 8 Global Moderator):

You do understand that 12.3.3.98 is not an RFC 1918 address. It's owned by

            NetRange:      12.0.0.0 - 12.255.255.255
            CIDR:          12.0.0.0/8
            OrgName:        AT&T Services, Inc.

Are you AT&T? Why in the world would you be using their address space on your private LAN?

What is your WAN IP - is it actually public? What are the first 2 octets? If behind a NAT, then you need to forward those ports to your pfSense WAN IP for pfSense to be able to forward the traffic on into your private network.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

kejianshi:

              I was going to use a softer approach - But yeah.

              Things are definitely strange in that network.  Makes me wonder how many things may be wrong.

              Makes it harder to diagnose than your average port forward issues, which are usually quite simple.

ejoy:

                @kejianshi:

                Hmmmm.  OK.

It's a PRIVATE IP then?

                Apologies I misunderstood you.

                Private IP provided by Earthlink is 64.65.231.106 (WAN)
                Gateway is the pfSense box: 10.17.33.13 (LAN)
                Internal LAN IP I am trying to forward to: 10.17.33.98
                The above examples were obfuscated because…well I don't know, that's just how I've seen people post examples.

                Here is the actual screenshot with setup as I have it now:

                http://i.imgur.com/yFQVMKw.png

                http://i.imgur.com/KGduiy8.png

                I am currently on the phone with Earthlink to check and see if they have anything set up on their modem that would prevent me from setting up port forwarding.

kejianshi:

That's much better.

Not sure why that wouldn't work unless you have a firewall rule on the client, the LAN or the WAN above the rules created by NAT.

                  Maybe we should have a look at your WAN and LAN firewall rule set?

ejoy:

                    @kejianshi:

That's much better.

Not sure why that wouldn't work unless you have a firewall rule on the client, the LAN or the WAN above the rules created by NAT.

                    Maybe we should have a look at your WAN and LAN firewall rule set?

                    Sure, here are the WAN rules:
                    http://i.imgur.com/v9aaCZP.png

                    And here are the LAN rules:
                    http://i.imgur.com/czVkhZB.png

                    I have been playing around with blocking a few specific sites as you can see.

                    Also, I have no problem connecting to the VPN and browsing the network from an external connection, not sure if that means anything.

kejianshi:

On the WAN, your "top spammers", HBO and redtube rules are in a position to block access.

Try temporarily disabling those and see if that allows traffic to pass.

If so, find which rule is causing you trouble.

On the LAN, your block rule for facebook could cause trouble if it's configured wrong. Try temporarily disabling that also.

                      As for your block rules on the LAN for HBO and redtube, they will not be effective because they are below the "pass all" rules on the LAN.

                      The rules are applied in order, from top down.

ejoy:

                        @kejianshi:

On the WAN, your "top spammers", HBO and redtube rules are in a position to block access.

Try temporarily disabling those and see if that allows traffic to pass.

If so, find which rule is causing you trouble.

On the LAN, your block rule for facebook could cause trouble if it's configured wrong. Try temporarily disabling that also.

                        As for your block rules on the LAN for HBO and redtube, they will not be effective because they are below the "pass all" rules on the LAN.

                        The rules are applied in order, from top down.

kejianshi, first of all, thank you for your assistance with this. I appreciate it very much.

                        I have disabled the above rules with no effect.

                        I have a ticket open with Earthlink to see if they are blocking this somehow on their equipment, but have heard nothing back yet and am still waiting to hear.

                        Anything else I might try?

kejianshi:

                          It would be strange for them to be blocking those odd ports…

johnpoz (LAYER 8 Global Moderator):

                            So a quick nmap of your IP shows this

                            Nmap scan report for host-64-65-xx-x.x.x.net (64.65.xx.x)
                            Host is up.
                            PORT      STATE  SERVICE
                            5000/tcp  closed upnp
                            5001/tcp  closed commplex-link
                            5002/tcp  closed rfe
                            10000/tcp filtered snet-sensor-mgmt
                            10001/tcp filtered scp-config

                            So while the 5000's come back closed, nothing came back for your 10k ports..

Closed state means it got back a RST, so unless you set this up for reject, normally it would show filtered - ie just dropped. Or if something was there listening that sent back syn/ack it would show open.

pfSense would not send back a RST unless you set it as reject. So you either have something behind that the traffic was forwarded to and rejected, or something in front.

First step in starting to troubleshoot these sorts of issues is sniffing on the WAN of pfSense. Does the traffic even get there? Simple way to do this is just Diag, Packet Capture, WAN and the port you're checking - and then go to canyouseeme and do a test for your port. Do you see that traffic?

As to those hbo and redtube blocks on your WAN? WAN destination would be your WAN IP(s) only. Putting anything in there other than your IP is not going to ever trigger. As mentioned, if you were trying to stop your users from going there, then they would have to be above your allow rule on your LAN.

tcp 5000 can be used for UPnP - so it would be quite possible that an ISP might put that on their block list. Or a device in front of pfSense might have blocked this, etc.

What is in front of your pfSense, modem/router, what is the make and model number? Your pfSense WAN is actually getting the 65.x address on its WAN interface?

kejianshi:
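Two points made above are easy to check mechanically: kejianshi's note that rules are evaluated top down so a block rule placed below a "pass all" rule on the LAN can never match, and johnpoz's note that a WAN rule whose destination is not something traffic on the WAN is actually addressed to will never trigger. The following is an added example, not code from the thread or from the pfSense project: a small first-match lint over a pfSense-style ruleset. It assumes IPv4 CIDR/"any" rule fields, that traffic arriving on WAN is addressed either to the WAN IP or (because pf translates before it filters) to the internal target of a port forward, and it uses constructed addresses (203.0.113.0/24 and 198.51.100.0/24) to stand in for the blocked sites and the spammer list. The ruleset in it is modelled on the one described in the thread, not copied from it.

```python
"""Added example (not from the thread or the pfSense project): a first-match
lint for a pfSense-style ruleset. It reports block rules that an earlier pass
rule on the same interface already covers (rules match top down, first hit
wins) and WAN rules whose destination is neither the WAN address nor the
internal target of a port forward, so they can never trigger.
All addresses below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    iface: str    # "WAN" or "LAN"
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp" or "any"
    src: str      # IPv4 CIDR or "any"
    dst: str      # IPv4 CIDR or "any"
    dport: str    # "any", "443" or "5000-5002"
    label: str


def _net(cidr):
    return None if cidr == "any" else ip_network(cidr, strict=False)


def _ports(spec):
    if spec == "any":
        return 0, 65535
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def covers(outer, inner):
    """True when every packet that matches `inner` also matches `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    for o_spec, i_spec in ((outer.src, inner.src), (outer.dst, inner.dst)):
        o_net, i_net = _net(o_spec), _net(i_spec)
        if o_net is None:          # "any" covers everything
            continue
        if i_net is None or not i_net.subnet_of(o_net):
            return False
    o_lo, o_hi = _ports(outer.dport)
    i_lo, i_hi = _ports(inner.dport)
    return o_lo <= i_lo and i_hi <= o_hi


def shadowed_rules(rules):
    """(rule label, shadowing rule label) for every rule that can never match
    because an earlier rule on the same interface already covers it."""
    found = []
    for idx, rule in enumerate(rules):
        for earlier in rules[:idx]:
            if earlier.iface == rule.iface and covers(earlier, rule):
                found.append((rule.label, earlier.label))
                break
    return found


def dead_wan_destinations(rules, reachable):
    """Labels of WAN rules whose destination contains none of `reachable`.

    Traffic arriving on WAN is addressed to the WAN IP, or, for a port
    forward (pf translates before it filters), to the internal target."""
    addrs = [ip_address(a) for a in reachable]
    return [r.label for r in rules
            if r.iface == "WAN" and r.dst != "any"
            and not any(a in _net(r.dst) for a in addrs)]


# Constructed ruleset modelled on the thread: 203.0.113.0/24 stands in for a
# blocked site and 198.51.100.0/24 for the "top spammers" list.
WAN_IP = "64.65.231.106"
FORWARD_TARGET = "10.17.33.98"
EXAMPLE_RULES = [
    Rule("WAN", "block", "any", "198.51.100.0/24", "any", "any", "WAN block top spammers"),
    Rule("WAN", "block", "tcp", "any", "203.0.113.0/24", "443", "WAN block HBO"),
    Rule("WAN", "pass", "tcp", "any", FORWARD_TARGET + "/32", "5000-5002", "NAT 5000-5002"),
    Rule("LAN", "pass", "any", "10.17.33.0/24", "any", "any", "LAN pass all"),
    Rule("LAN", "block", "tcp", "10.17.33.0/24", "203.0.113.0/24", "443", "LAN block HBO"),
]


def lint(rules=EXAMPLE_RULES, reachable=(WAN_IP, FORWARD_TARGET)):
    return {"shadowed": shadowed_rules(rules),
            "dead_wan_destinations": dead_wan_destinations(rules, reachable)}


if __name__ == "__main__":
    for kind, hits in lint().items():
        print(kind, hits)
```

Run as-is, the lint reports the LAN HBO block as shadowed by "LAN pass all" and the WAN HBO block as having a destination nothing on the WAN is ever addressed to; the "top spammers" rule with destination "any" and the NAT pass rule to 10.17.33.98 are left alone. The shadowing check only compares rules on the same interface, which matches per-interface rule evaluation in pfSense; floating rules are outside its scope.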

                              I'm going to ask a stupid question now…

                              Are you double NATed?

ejoy:

                                @johnpoz:

                                So a quick nmap of your IP shows this

                                Nmap scan report for host-64-65-xx-x.x.x.net (64.65.xx.x)
                                Host is up.
                                PORT      STATE  SERVICE
                                5000/tcp  closed upnp
                                5001/tcp  closed commplex-link
                                5002/tcp  closed rfe
                                10000/tcp filtered snet-sensor-mgmt
                                10001/tcp filtered scp-config

                                So while the 5000's come back closed, nothing came back for your 10k ports..

Closed state means it got back a RST, so unless you set this up for reject, normally it would show filtered - ie just dropped. Or if something was there listening that sent back syn/ack it would show open.

pfSense would not send back a RST unless you set it as reject. So you either have something behind that the traffic was forwarded to and rejected, or something in front.

First step in starting to troubleshoot these sorts of issues is sniffing on the WAN of pfSense. Does the traffic even get there? Simple way to do this is just Diag, Packet Capture, WAN and the port you're checking - and then go to canyouseeme and do a test for your port. Do you see that traffic?

As to those hbo and redtube blocks on your WAN? WAN destination would be your WAN IP(s) only. Putting anything in there other than your IP is not going to ever trigger. As mentioned, if you were trying to stop your users from going there, then they would have to be above your allow rule on your LAN.

tcp 5000 can be used for UPnP - so it would be quite possible that an ISP might put that on their block list. Or a device in front of pfSense might have blocked this, etc.

What is in front of your pfSense, modem/router, what is the make and model number? Your pfSense WAN is actually getting the 65.x address on its WAN interface?

Thank you for your help.

                                Here is the result of the packet capture on the WAN and then probing those ports:
                                http://i.imgur.com/0w7vKyd.png

                                Not sure what this exactly means, it looks like it can pick up the traffic/ping attempts but I'm assuming tcp 0 means no data/traffic was sent.

                                As for the other rules I figured I had them setup incorrectly, I have been playing with this for a few days now.

                                I appreciate your assistance in this, I have finally got a ticket open with EL and will check to see if they are blocking anything and report back. Sometimes they take ages to get back to me though…

Yes, we are getting the 65.64.231.106 address on the pfSense WAN interface. I believe, off the top of my head, it's an Adtran Netvanta gateway, TotalAccess 908e.

ejoy:
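The packet capture step johnpoz describes, and ejoy's question about what "tcp ... length 0" in it means, come down to one thing: for each SYN that reaches the WAN, did anything answer, and with what? That is exactly how nmap derives the open/closed/filtered states quoted above. The following is an added example, not code from the thread or from pfSense or nmap: it parses tcpdump-style lines (the format pfSense's Diagnostics > Packet Capture shows), pairs each inbound SYN to the WAN address with its reply, and classifies the probed port. The capture text is constructed; 198.51.100.7 is an assumed scanner address, and the WAN address is the one ejoy posted.

```python
"""Added example (not from the thread, pfSense or nmap): classify probed
ports from a WAN packet capture the way nmap reports them.
A SYN answered with SYN/ACK is open, answered with RST is closed, and a
SYN with no answer at all is filtered (dropped somewhere)."""
import re
from dataclasses import dataclass

# tcpdump line shape: "IP src.sport > dst.dport: Flags [S], ..., length N"
LINE = re.compile(
    r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\].*length (\d+)")


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # tcpdump letters with "." rewritten as "A": S, SA, R, RA
    length: int   # payload bytes; 0 is normal for SYN, SYN/ACK and RST


def parse_tcpdump(text):
    """Parse the TCP lines of a tcpdump-style capture; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags, length = m.groups()
            pkts.append(Pkt(src, int(sport), dst, int(dport),
                            flags.replace(".", "A"), int(length)))
    return pkts


def classify_probes(packets, wan_ip):
    """Map each port probed on wan_ip to 'open', 'closed' or 'filtered'.

    Probes are inbound SYNs to wan_ip; a reply is matched on the reversed
    4-tuple, so an unrelated packet on the same port is not mistaken for one."""
    probes = {}
    for p in packets:
        if p.dst == wan_ip and p.flags == "S":
            probes[(p.src, p.sport, p.dport)] = "filtered"   # until answered
    for p in packets:
        key = (p.dst, p.dport, p.sport)
        if p.src == wan_ip and key in probes:
            if "R" in p.flags:
                probes[key] = "closed"     # something sent a RST
            elif p.flags == "SA":
                probes[key] = "open"       # a listener completed step 2
    result = {}
    for (_, _, dport), state in probes.items():
        result[dport] = state              # last probe of a port wins
    return result


def next_step(state):
    """What the thread's advice says to look at for each state."""
    return {
        "filtered": "dropped: confirm the SYN reaches the WAN, then check "
                    "the upstream device/ISP and the NAT rule",
        "closed": "a RST came back: pfSense only resets on reject rules, so "
                  "check the device in front or the forwarded host",
        "open": "a listener answered; the port forward works",
    }[state]


# Constructed capture: port 5000 reset, 10000 unanswered, 5001 answered.
WAN_IP = "64.65.231.106"
CAPTURE = """\
10:01:00.000001 IP 198.51.100.7.40001 > 64.65.231.106.5000: Flags [S], seq 1, win 1024, length 0
10:01:00.000150 IP 64.65.231.106.5000 > 198.51.100.7.40001: Flags [R.], seq 0, ack 2, win 0, length 0
10:01:00.000201 IP 198.51.100.7.40002 > 64.65.231.106.10000: Flags [S], seq 1, win 1024, length 0
10:01:00.000301 IP 198.51.100.7.40003 > 64.65.231.106.5001: Flags [S], seq 1, win 1024, length 0
10:01:00.000420 IP 64.65.231.106.5001 > 198.51.100.7.40003: Flags [S.], seq 7, ack 2, win 65535, length 0
"""


def analyse(text=CAPTURE, wan_ip=WAN_IP):
    return classify_probes(parse_tcpdump(text), wan_ip)


if __name__ == "__main__":
    for port, state in sorted(analyse().items()):
        print(port, state, "-", next_step(state))
```

On the constructed capture this yields 5000 closed, 10000 filtered and 5001 open. Note that "length 0" on the SYN lines is the payload length and is normal for a handshake packet; it does not mean the probe carried no traffic. What matters is whether the SYN appears on the WAN at all (if not, look upstream) and whether the firewall side answered it.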

                                  Well, figured this out.

                                  The alarm company was attempting to connect on the incorrect ports. Once I had them change their settings and test they were able to connect with no issues.

                                  Thank you all for your help, I have learned a lot from this thread and I will put it all to good use.

kejianshi:

                                    Now that makes perfect sense…

johnpoz (LAYER 8 Global Moderator):

                                      So they were not connecting to 5000-5002?

Clearly you sent back closed to those ports. I should have sniffed when I did the probe - but normally closed means a RST came back. Which seems unlikely if something was actually listening on that port, etc. Unless there is something on that device (firewall) that only allows specific source IPs? Or source ports?

Glad you got it sorted - it is like 99.9999% of the time something stupid like using the wrong port, wrong IP or double NAT, or the ISP blocking, when troubleshooting port forwarding issues. To be honest, port forwarding in pfSense is click click, you're done and working.

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.