Netgate Discussion Forum
    Need assistance getting port forwarding working correctly

    Scheduled Pinned Locked Moved NAT
    18 Posts 3 Posters 3.6k Views
    ejoy

      Hello all, looking for some assistance forwarding a few ports so our new alarm company can connect to our alarm panel.

      I checked the troubleshooting guide, but I am still unsure where my problem lies.

      I'm running pfSense v2.1.5 latest release.
      I thought I had everything correct, as I've laid out here:

      http://i.imgur.com/Iir490a.png

      http://i.imgur.com/iFHdOsJ.png

      However, when using something like www.canyouseeme.org or other port checkers, I plug in my external WAN IP and the port, and I get errors telling me that it is still blocked.

      I'm missing something, but don't know what. Can anyone who knows more than me take a quick look and see if I'm screwing this up? I think it might have to do with not having any info in the DESTINATION fields, but I don't know enough to be sure.

      Should my destination address be my WAN address?

      Thank you for reading.

      kejianshi

        12.3.3.98 is a private IP on your LAN?

        ejoy

          @kejianshi:

          12.3.3.98 is a private IP on your LAN?

          Yes that is correct, it is an internal IP address on our LAN

          kejianshi

            Hmmmm.  OK.

            It's a PRIVATE IP then?

            johnpoz (LAYER 8 Global Moderator)

              You do understand that 12.3.3.98 is not an RFC 1918 address. It's owned by

              NetRange:      12.0.0.0 - 12.255.255.255
              CIDR:          12.0.0.0/8
              OrgName:        AT&T Services, Inc.

              Are you AT&T? Why in the world would you be using their address space on your private LAN?

              What is your WAN IP - is it actually public? What are the first 2 octets? If you are behind a NAT, then you need to forward those ports to your pfSense WAN IP for pfSense to be able to forward the traffic on into your private network.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

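The two points johnpoz raises here (is the address actually RFC 1918 space, and is the pfSense WAN address itself public, or is there a NAT in front that also has to forward) can be checked mechanically. The following is an added example written for this page, not code from the thread or from pfSense. It classifies an address as RFC 1918, carrier-grade NAT (RFC 6598, 100.64.0.0/10, which also means a double NAT) or public space, and lists where the forward has to exist. The address 100.64.1.2 and the plan format are assumptions for illustration; the other addresses are the ones posted in the thread.

```python
import ipaddress

# Address ranges that never appear on the public Internet. RFC 1918 is the
# "private" space meant above; RFC 6598 (100.64.0.0/10) is the carrier-grade
# NAT range an ISP may hand out, which also means you sit behind someone else's NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify(addr: str) -> str:
    """Return 'rfc1918', 'cgnat' or 'public' for an IPv4 address string."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    # Everything else is routable space owned by some organisation (12.0.0.0/8 is AT&T),
    # even when it is in use on a LAN where it does not belong.
    return "public"


def forwarding_plan(wan_ip: str, lan_target: str, port: int) -> dict:
    """Work out where the port forward has to be configured.

    If the pfSense WAN address itself is private or CGNAT, the device in front of
    pfSense (modem/router or the ISP) also has to forward the port to that WAN
    address, otherwise the traffic never reaches pfSense at all (double NAT).
    """
    wan_kind = classify(wan_ip)
    target_kind = classify(lan_target)
    plan = {
        "wan_kind": wan_kind,
        "lan_target_kind": target_kind,
        "double_nat": wan_kind != "public",
        "steps": [],
        "warnings": [],
    }
    if wan_kind != "public":
        plan["steps"].append(
            f"upstream device: forward tcp/{port} from its public address to {wan_ip}")
    # On pfSense the port forward's Destination is the WAN address; the target is the LAN host.
    plan["steps"].append(
        f"pfSense: NAT port forward, WAN address tcp/{port} -> {lan_target}:{port}")
    if target_kind == "public":
        plan["warnings"].append(
            f"{lan_target} is not RFC 1918 space; using someone else's public range on a LAN "
            "breaks reachability to the real owner and confuses troubleshooting")
    return plan


if __name__ == "__main__":
    # Addresses from the thread: the obfuscated one first, then the real ones.
    for a in ("12.3.3.98", "10.17.33.98", "64.65.231.106", "100.64.1.2"):
        print(a, "->", classify(a))
    print(forwarding_plan("64.65.231.106", "10.17.33.98", 10000))
    print(forwarding_plan("100.64.1.2", "10.17.33.98", 10000))   # assumed CGNAT WAN: two forwards needed
```

Run it against the WAN address pfSense actually shows on its interface, not the address a port checker reports; if the two differ, that difference is the upstream NAT.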
              kejianshi

                I was going to use a softer approach - but yeah.

                Things are definitely strange in that network.  Makes me wonder how many things may be wrong.

                Makes it harder to diagnose than your average port forward issues, which are usually quite simple.

                ejoy

                  @kejianshi:

                  Hmmmm.  OK.

                  It's a PRIVATE IP then?

                  Apologies I misunderstood you.

                  Private IP provided by Earthlink is 64.65.231.106 (WAN)
                  Gateway is the pfSense box: 10.17.33.13 (LAN)
                  Internal LAN IP I am trying to forward to: 10.17.33.98
                  The above examples were obfuscated because…well I don't know, that's just how I've seen people post examples.

                  Here is the actual screenshot with setup as I have it now:

                  http://i.imgur.com/yFQVMKw.png

                  http://i.imgur.com/KGduiy8.png

                  I am currently on the phone with Earthlink to check and see if they have anything set up on their modem that would prevent me from setting up port forwarding.

                  kejianshi

                    That's much better.

                    Not sure why that wouldn't work unless you have a firewall rule on the client, the LAN or the WAN above the rules created by NAT.

                    Maybe we should have a look at your WAN and LAN firewall rule set?

                    ejoy

                      @kejianshi:

                      That's much better.

                      Not sure why that wouldn't work unless you have a firewall rule on the client, the LAN or the WAN above the rules created by NAT.

                      Maybe we should have a look at your WAN and LAN firewall rule set?

                      Sure, here are the WAN rules:
                      http://i.imgur.com/v9aaCZP.png

                      And here are the LAN rules:
                      http://i.imgur.com/czVkhZB.png

                      I have been playing around with blocking a few specific sites as you can see.

                      Also, I have no problem connecting to the VPN and browsing the network from an external connection; not sure if that means anything.

                      kejianshi

                        On the WAN, your "top spammers", HBO and redtube rules are in a position to block access.

                        Try temporarily disabling those and see if that allows traffic to pass.

                        If so, find which rule is causing you trouble.

                        On the LAN, your block rule for Facebook could cause trouble if it's configured wrong. Try temporarily disabling that also.

                        As for your block rules on the LAN for HBO and redtube, they will not be effective because they are below the "pass all" rules on the LAN.

                        The rules are applied in order, from top down.

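The ordering point kejianshi makes (rules are evaluated top down, first match wins, so a block placed below a "pass all" never fires) is easy to see in a small model of an interface rule tab. What follows is an added example written for this page, not pfSense code and not something from the thread: a first-match evaluator plus a check that reports rules shadowed by an earlier, broader rule. It models only the GUI's first-match behaviour on one interface tab, not the full pf rule semantics (floating rules, state matching). The 10.17.33.0/24 LAN is from the thread; 203.0.113.0/24 is a documentation range standing in for the blocked site's addresses, and the client and site addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination port, None = any
    descr: str = ""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _in(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto == "any" or rule.proto == pkt.proto)
            and _in(rule.src, pkt.src) and _in(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: list, pkt: Packet):
    """First matching rule wins, as on a pfSense interface tab; no match means default deny."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return r.action, i
    return "block", None


def _covers(a: str, b: str) -> bool:
    """True if CIDR (or 'any') a contains CIDR (or 'any') b."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(b, strict=False).subnet_of(ipaddress.ip_network(a, strict=False))


def shadowed(rules: list) -> list:
    """Indices of rules that can never match because an earlier rule covers everything they would."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                out.append(j)
                break
    return out


# Constructed example in the shape of the thread's LAN tab.
LAN_NET = "10.17.33.0/24"
BLOCKED_SITE = "203.0.113.0/24"          # stand-in for the blocked site's addresses
PASS_ALL = Rule("pass", "any", LAN_NET, "any", None, "Default allow LAN to any")
BLOCK_SITE = Rule("block", "any", LAN_NET, BLOCKED_SITE, None, "Block site")

WRONG_ORDER = [PASS_ALL, BLOCK_SITE]     # block sits below pass-all: never reached
RIGHT_ORDER = [BLOCK_SITE, PASS_ALL]     # block above pass-all: enforced

CLIENT_TO_SITE = Packet("tcp", "10.17.33.50", "203.0.113.10", 443)

if __name__ == "__main__":
    print("wrong order:", evaluate(WRONG_ORDER, CLIENT_TO_SITE), "shadowed:", shadowed(WRONG_ORDER))
    print("right order:", evaluate(RIGHT_ORDER, CLIENT_TO_SITE), "shadowed:", shadowed(RIGHT_ORDER))
```

The `shadowed` check is the part worth keeping: run it over an exported rule set and any block rule it reports is one that is silently doing nothing.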
                        ejoy

                          @kejianshi:


                          kejianshi, first of all, thank you for your assistance with this. I appreciate it very much.

                          I have disabled the above rules with no effect.

                          I have a ticket open with Earthlink to see if they are blocking this somehow on their equipment, but have heard nothing back yet and am still waiting to hear.

                          Anything else I might try?

                          kejianshi

                            It would be strange for them to be blocking those odd ports…

                            johnpoz (LAYER 8 Global Moderator)

                              So a quick nmap of your IP shows this:

                              Nmap scan report for host-64-65-xx-x.x.x.net (64.65.xx.x)
                              Host is up.
                              PORT      STATE  SERVICE
                              5000/tcp  closed upnp
                              5001/tcp  closed commplex-link
                              5002/tcp  closed rfe
                              10000/tcp filtered snet-sensor-mgmt
                              10001/tcp filtered scp-config

                              So while the 5000s come back closed, nothing came back for your 10k ports.

                              Closed state means it got back a RST, so unless you set this up for reject, normally it would show filtered - i.e. just dropped. Or if something was there listening that sent back SYN/ACK it would show open.

                              pfSense would not send back a RST unless you set it as reject. So you either have something behind it that the traffic was forwarded to and rejected, or something in front.

                              First step in starting to troubleshoot these sorts of issues is sniffing on the WAN of pfSense. Does the traffic even get there? Simple way to do this is just Diagnostics > Packet Capture on WAN for the port you're checking - and then go to canyouseeme and do a test for your port. Do you see that traffic?

                              As to those HBO and redtube blocks on your WAN? WAN destination would be your WAN IP(s) only. Putting anything in there other than your IP is not going to ever trigger. As mentioned, if you were trying to stop your users from going there, then they would have to be above your allow rule on your LAN.

                              TCP 5000 can be used for UPnP - so it would be quite possible that an ISP might put that on their block list. Or a device in front of pfSense might have blocked this, etc.

                              What is in front of your pfSense, modem/router, what is the make and model number? Your pfSense WAN is actually getting the 65.x address on its WAN interface?


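johnpoz's post combines two views of the same probe: what nmap reports from outside (open = SYN/ACK, closed = RST, filtered = nothing) and what a packet capture on the pfSense WAN shows from inside. Putting the two together is what actually localises the fault. The code below is an added example written for this page, not from the thread or from pfSense or nmap. It parses the nmap report quoted above, classifies tcpdump-style capture lines per port, and combines the two into a diagnosis. The capture lines are constructed: 198.51.100.7 is a documentation address standing in for the port checker, 64.65.231.106 is the WAN address posted in the thread, and port 20000 is invented to show the working case.

```python
import re

# What each nmap port state says about the path to a forwarded port.
STATE_MEANING = {
    "open": "SYN/ACK returned: something accepted the connection",
    "closed": "RST returned: a host actively refused; pfSense only does that for a reject rule",
    "filtered": "no reply: silently dropped on the path (pfSense default, ISP, or a device in front)",
}

# The report quoted in the thread (host name and address obfuscated as posted).
NMAP_REPORT = """\
Nmap scan report for host-64-65-xx-x.x.x.net (64.65.xx.x)
Host is up.
PORT      STATE  SERVICE
5000/tcp  closed upnp
5001/tcp  closed commplex-link
5002/tcp  closed rfe
10000/tcp filtered snet-sensor-mgmt
10001/tcp filtered scp-config
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+\S+")


def parse_nmap(report: str) -> dict:
    """Map port -> nmap state from normal (-oN) output."""
    states = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            states[int(m.group(1))] = m.group(3)
    return states


# Constructed tcpdump-style lines in the form pfSense's Diagnostics > Packet Capture prints.
CAPTURE = """\
15:04:01.100001 IP 198.51.100.7.40001 > 64.65.231.106.10000: Flags [S], seq 10, win 64240, length 0
15:04:01.100250 IP 198.51.100.7.40002 > 64.65.231.106.5000: Flags [S], seq 11, win 64240, length 0
15:04:01.100400 IP 64.65.231.106.5000 > 198.51.100.7.40002: Flags [R.], seq 0, ack 12, win 0, length 0
15:04:01.100600 IP 198.51.100.7.40003 > 64.65.231.106.20000: Flags [S], seq 12, win 64240, length 0
15:04:01.100800 IP 64.65.231.106.20000 > 198.51.100.7.40003: Flags [S.], seq 5, ack 13, win 65535, length 0
"""

CAP_LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def classify_capture(capture: str, wan_ip: str) -> dict:
    """Per destination port on the WAN address: 'open' (SYN/ACK sent back),
    'closed' (RST sent back) or 'dropped' (SYN arrived, nothing went back)."""
    syn_seen, replies = set(), {}
    for line in capture.splitlines():
        m = CAP_LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == wan_ip and "S" in flags and "." not in flags:   # bare SYN arriving
            syn_seen.add(int(dport))
        elif src == wan_ip and "R" in flags:                       # RST leaving
            replies[int(sport)] = "closed"
        elif src == wan_ip and "S" in flags and "." in flags:      # SYN/ACK leaving
            replies[int(sport)] = "open"
    return {p: replies.get(p, "dropped") for p in syn_seen | set(replies)}


def diagnose(port: int, nmap_states: dict, capture_states: dict) -> str:
    """Combine the outside view (nmap) with the inside view (WAN capture)."""
    outside = nmap_states.get(port, "not-scanned")
    inside = capture_states.get(port, "no-syn")
    if outside == "filtered" and inside == "no-syn":
        return "upstream: traffic never reached the pfSense WAN (ISP or device in front, or wrong public IP)"
    if outside == "filtered" and inside == "dropped":
        return "pfsense-drop: SYN reached pfSense and was dropped, check the NAT rule and its WAN firewall rule"
    if outside == "closed" and inside == "closed":
        return "rst: pfSense (reject rule) or the forward target refused, nothing listening or wrong target/port"
    if outside == "closed" and inside == "no-syn":
        return "upstream-rst: a device in front of pfSense answered, the probe never arrived"
    if outside == "open" and inside == "open":
        return "ok: forward works end to end"
    return f"inconsistent: nmap={outside}, capture={inside}, re-run both at the same time"


if __name__ == "__main__":
    nmap_states = parse_nmap(NMAP_REPORT)
    cap_states = classify_capture(CAPTURE, "64.65.231.106")
    for port in sorted(set(nmap_states) | set(cap_states)):
        print(port, "->", diagnose(port, nmap_states, cap_states))
```

Start the capture before running the external check so both views cover the same probe; a port that is "filtered" outside and absent from the WAN capture is not a pfSense problem at all.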
                              kejianshi

                                I'm going to ask a stupid question now…

                                Are you double NATed?

                                ejoy

                                  @johnpoz:

                                  Thank you for your help.

                                  Here is the result of the packet capture on the WAN and then probing those ports:
                                  http://i.imgur.com/0w7vKyd.png

                                  Not sure what this exactly means; it looks like it can pick up the traffic/ping attempts, but I'm assuming tcp 0 means no data/traffic was sent.

                                  As for the other rules I figured I had them setup incorrectly, I have been playing with this for a few days now.

                                  I appreciate your assistance in this. I have finally got a ticket open with EL and will check to see if they are blocking anything and report back. Sometimes they take ages to get back to me though…

                                  Yes, we are getting the 65.64.231.106 address on the pfSense WAN interface. I believe off the top of my head it's an Adtran NetVanta gateway, Total Access 908e.

                                  ejoy

                                    Well, figured this out.

                                    The alarm company was attempting to connect on the incorrect ports. Once I had them change their settings and test they were able to connect with no issues.

                                    Thank you all for your help, I have learned a lot from this thread and I will put it all to good use.

                                    kejianshi

                                      Now that makes perfect sense…

                                      johnpoz (LAYER 8 Global Moderator)

                                        So they were not connecting to 5000-5002?

                                        Clearly you sent back closed to those ports. I should have sniffed when I did the probe - but normally closed means a RST came back, which seems unlikely if something was actually listening on that port, etc. Unless there is something on that device (firewall) that only allows specific source IPs? Or source ports?

                                        Glad you got it sorted - it is like 99.9999% of the time something stupid like using the wrong port, wrong IP, double NAT or ISP blocking when troubleshooting port forwarding issues. To be honest, port forwarding in pfSense is click click you're done and working.


                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.