Need assistance getting port forwarding working correctly
-
Hello all, looking for some assistance forwarding a few ports so our new alarm company can connect to our alarm panel.
I checked the troubleshooting guide, but I am still unsure where my problem lies.
I'm running pfSense v2.1.5 latest release.
I thought I had everything correct, as I've laid out here:http://i.imgur.com/Iir490a.png
http://i.imgur.com/iFHdOsJ.png
However, when using something like www.canyouseeme.org or other port checkers, I plug in my external WAN IP, and the port and I am getting errors telling me that it is still blocked.
I'm missing something, but don't know what, can anyone who knows more than me take a quick look at see if I'm screwing this up? I think it might have to do with not having any info in the DESTINATION fields, but I don't know enough to be sure.
Should my destination address by my WAN address?
Thank you for reading.
-
12.3.3.98 is a private IP on your LAN?
-
12.3.3.98 is a private IP on your LAN?
Yes that is correct, it is an internal IP address on our LAN
-
Hmmmm. OK.
Its a PRIVATE ip then?
-
You do understand that 12.3.3.98 is not a rfc1918 address.. Its owned by
NetRange: 12.0.0.0 - 12.255.255.255
CIDR: 12.0.0.0/8
OrgName: AT&T Services, Inc.Are you AT&T?? Why in the world would you be using their address space on your private lan??
What is your wan IP - is it actually public? What are the first 2 octets? if behind a NAT, then you need to forward those ports to your pfsense wan IP for pfsense to be able to forward the traffic on into your private network.
-
I was going to use a softer approach - But yeah.
Things are definitely strange in that network. Makes me wonder how many things may be wrong.
Makes it harder to diagnose than your average port forward issues, which are usually quite simple.
-
Hmmmm. OK.
Its a PRIVATE ip then?
Apologies I misunderstood you.
Private IP provided by Earthlink is 64.65.231.106 (WAN)
Gateway is the pfSense box: 10.17.33.13 (LAN)
Internal LAN IP I am trying to forward to: 10.17.33.98
The above examples were obfuscated because…well I don't know, that's just how I've seen people post examples.Here is the actual screenshot with setup as I have it now:
http://i.imgur.com/yFQVMKw.png
http://i.imgur.com/KGduiy8.png
I am currently on the phone with Earthlink to check and see if they have anything set up on their modem that would prevent me from setting up port forwarding.
-
Thats much better.
Not sure why that wouldn't work unless you have a firewall rule on the client, the LAN or the wan above the rules created by NAT.
Maybe we should have a look at your WAN and LAN firewall rule set?
-
Thats much better.
Not sure why that wouldn't work unless you have a firewall rule on the client, the LAN or the wan above the rules created by NAT.
Maybe we should have a look at your WAN and LAN firewall rule set?
Sure, here are the WAN rules:
http://i.imgur.com/v9aaCZP.pngAnd here are the LAN rules:
http://i.imgur.com/czVkhZB.pngI have been playing around with blocking a few specific sites as you can see.
Also, I have no problem connecting to the VPN and browsing the network from an external connection, not sure if that means anything.
-
On the WAN, you "top spammers", HBO, redtube rule are in a position to block access.
Try temporarily disable those and see if that allows traffic to pass.
If so, find which rule is causing you trouble.
On the LAN, your block rule for facebook could cause trouble if its configured wrong. Try temporarily disable that also.
As for your block rules on the LAN for HBO and redtube, they will not be effective because they are below the "pass all" rules on the LAN.
The rules are applied in order, from top down.
-
On the WAN, you "top spammers", HBO, redtube rule are in a position to block access.
Try temporarily disable those and see if that allows traffic to pass.
If so, find which rule is causing you trouble.
On the LAN, your block rule for facebook could cause trouble if its configured wrong. Try temporarily disable that also.
As for your block rules on the LAN for HBO and redtube, they will not be effective because they are below the "pass all" rules on the LAN.
The rules are applied in order, from top down.
kejianshi first of all thank you for your assistance with this I appreciate it very much.
I have disabled the above rules with no effect.
I have a ticket open with Earthlink to see if they are blocking this somehow on their equipment, but have heard nothing back yet and am still waiting to hear.
Anything else I might try?
-
It would be strange for them to be blocking those odd ports…
-
So a quick nmap of your IP shows this
Nmap scan report for host-64-65-xx-x.x.x.net (64.65.xx.x)
Host is up.
PORT STATE SERVICE
5000/tcp closed upnp
5001/tcp closed commplex-link
5002/tcp closed rfe
10000/tcp filtered snet-sensor-mgmt
10001/tcp filtered scp-configSo while the 5000's come back closed, nothing came back for your 10k ports..
Closed state means got back a RST, so unless you set this up for reject normally it would show filtered - ie just dropped.. Or if something was there listening that sent back syn/ack it would show opened.
pfsense would not send back RST, unless you set it is as rejected. So you either have something behind that the traffic was forwarded too and rejected or something in front.
First step in starting to troubleshoot these sorts of issues is sniffing on the wan of pfsense. Does the traffic even get there. Simple way to do this is just diag, packet capture wan and the port your checking - and then go to canyouseeme and do a test for your port. Do you see that traffic?
As to those hbo and redtube blocks on your wan? WAN destination would be your wan IP(s) only. Putting anything in there other than your IP is not going to ever trigger. As mentioned if you were trying to stop your users from going there, then they would have to be above your allow rule on your lan.
tcp 5000 is an can be used for UPnP - so it would be quite possible that a ISP might put that on their block list. Or device in front of pfsense might have blocked this, etc.
What is in front of your pfsense, modem/router what is the make and model number? Your pfsense wan is actually getting the 65.x address on its wan interface?
-
I'm going to ask a stupid question now…
Are you double NATed?
-
So a quick nmap of your IP shows this
Nmap scan report for host-64-65-xx-x.x.x.net (64.65.xx.x)
Host is up.
PORT STATE SERVICE
5000/tcp closed upnp
5001/tcp closed commplex-link
5002/tcp closed rfe
10000/tcp filtered snet-sensor-mgmt
10001/tcp filtered scp-configSo while the 5000's come back closed, nothing came back for your 10k ports..
Closed state means got back a RST, so unless you set this up for reject normally it would show filtered - ie just dropped.. Or if something was there listening that sent back syn/ack it would show opened.
pfsense would not send back RST, unless you set it is as rejected. So you either have something behind that the traffic was forwarded too and rejected or something in front.
First step in starting to troubleshoot these sorts of issues is sniffing on the wan of pfsense. Does the traffic even get there. Simple way to do this is just diag, packet capture wan and the port your checking - and then go to canyouseeme and do a test for your port. Do you see that traffic?
As to those hbo and redtube blocks on your wan? WAN destination would be your wan IP(s) only. Putting anything in there other than your IP is not going to ever trigger. As mentioned if you were trying to stop your users from going there, then they would have to be above your allow rule on your lan.
tcp 5000 is an can be used for UPnP - so it would be quite possible that a ISP might put that on their block list. Or device in front of pfsense might have blocked this, etc.
What is in front of your pfsense, modem/router what is the make and model number? Your pfsense wan is actually getting the 65.x address on its wan interface?
Thank your for your help.
Here is the result of the packet capture on the WAN and then probing those ports:
http://i.imgur.com/0w7vKyd.pngNot sure what this exactly means, it looks like it can pick up the traffic/ping attempts but I'm assuming tcp 0 means no data/traffic was sent.
As for the other rules I figured I had them setup incorrectly, I have been playing with this for a few days now.
I appreciate your assistance in this, I have finally got a ticket open with EL and will check to see if they are blocking anything and report back. Sometimes they take ages to get back to me though…
Yes we are getting the 65.64.231.106 address on the pfsense WAN interface. I believe off the to of my head it's an Adtran Netvanta gateway, TotalAccess 908e.
-
Well, figured this out.
The alarm company was attempting to connect on the incorrect ports. Once I had them change their settings and test they were able to connect with no issues.
Thank you all for your help, I have learned a lot from this thread and I will put it all to good use.
-
Now that makes perfect sense…
-
So they were not connecting to 5000-5002?
Clearly you sent back closed to those ports.. I should of sniffed when I did the probe - but normally closed means a RST came back. Which seems unlikely if was actually listening on that port, etc. Unless there is something on that device (firewall) that only allows specific source IP? Or source Ports?
Glad you got it sorted - it is like 99.9999% time something stupid like using wrong port, wrong IP or double nat, isp blocking when troubleshooting port forwarding issues.. To be honest port forwarding in pfsense is click click your done and working.
