Port forwarding headaches



  • Hi!

    I've been a long-term user of Smoothwall but I decided to go with pfSense. Everything went fine with the installation, I got internet access and everything is peachy. But when I try to forward ports to my internal servers nothing works.

    I've verified the web server is running, I can access it internally without issues, same thing with all other services (FTP, game server etc). I used the "Test Port" tool in pfSense and it reports ports are open and working.

    I don't use any NAT, VPN or anything special. Internal IPs are assigned by pfSense DHCP server, and internet access and all works from all connected clients.

    I tried to add a port forwarding (Firewall > Rules) and added the following data:

    192.168.0.250 is the server running the web server.

    The end result is:

    But trying to access the site externally (by DNS or IP) does nothing. Same goes for FTP (port 21) or anything else. I've set up some 10 different rules, but when doing a full port scan from outside nothing is open.

    Is it supposed to be this difficult? It was quite straightforward in Smoothwall…

    Thanks for any help!


  • Banned

    Your source port range is just wrong, should be Any and not 80/443. Beyond that, you should be doing this via Firewall - NAT - Port Forwarding.


  • Rebel Alliance Global Moderator

    "10 different rules, but when doing a full port scan from externally nothing is open."

    And pfSense WAN is not behind a NAT..  First thing: if you're not seeing the traffic on the pfSense WAN, you can never forward it! I would guess you're behind a NAT and that is not sending the traffic on to pfSense. What is the IP address on the pfSense WAN?  Does it start with 192.168.x.x, 10.x.x.x, 172.16-31.x.x ??

    Sniff on your WAN, under Diagnostics – do you see the traffic pfSense is supposed to forward?



  • Well everything worked fine with Smoothwall, all I did was reinstall to pfSense…

    I've changed the port source to Any, still no go.

    My external IP isn't 192.168.x.x or 10.x or 172.x, it's the external IP my ISP gave me (which pfSense reports too). I can ping the IP (after enabling ICMP) so it's definitely connecting to pfSense.


  • Banned

    Once again. You should be doing this in Firewall - NAT - Port Forwarding. Really no idea what you mean by "I don't use any NAT".



  • When I use Firewall > NAT > Port forwarding I lose all connection to the net and I have to roll back the setting before I get access again. Unless I define something wrong in the forwarding rule…


  • Rebel Alliance Global Moderator

    ^ valid point.. Where is your actual forward??  You just have firewall rules.. And the source is wrong as well, as dok already pointed out.

    You pick what port you want to forward and what private IP you want to send it to - it auto does the firewall rules.



  • @johnpoz:

    ^ valid point.. Where is your actual forward??  You just have firewall rules.. And the source is wrong as well, as dok already pointed out.

    You pick what port you want to forward and what private IP you want to send it to - it auto does the firewall rules.

    What do you mean? I thought the firewall rules defined that by setting a source port/address to destination port/address.

    Am I missing something vital here? Any time I try to use NAT > Forward I lose connection and need to roll back to get it back.


  • Rebel Alliance Global Moderator

    Dude, it takes 2 seconds to create a forward..

    Here you really have to only touch 3 boxes..  What port you're forwarding, http in this case..  What IP you want to send it to..  And that you want to send it to http as well..  Vs say sending port 10,000 on your WAN to 80 on the private side box.

    If this takes you more than 5 seconds you're doing it wrong!!  Those are the only things you have to touch to send http to a box on the pfSense LAN..  It will create the firewall rule for you… It really could not be any simpler..

    You mentioned "I don't use any NAT"  Nonsense, how would you NAT that public IP your ISP gives on your WAN to your private RFC1918 space??  So clearly you're using NAT - unless pfSense is behind a NAT already..  Did you disable NAT in pfSense?  If so it would not be working if your pfSense had a public IP on its WAN.
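  What a port forward actually produces, and how to run the "sniff on your WAN" check from earlier in the thread, as an added example that is not pfSense's own code and not part of any post above. The script generates, from the three values johnpoz lists (WAN port, target IP, target port), the pair of pf rules a single Firewall > NAT > Port Forward entry boils down to, next to the hand-written rule the OP built under Firewall > Rules, and prints the two tcpdump captures plus a verdict. Assumptions: WAN is em0, LAN is em1, and the rule text is a simplified form of what pfSense writes into its generated ruleset (the real rules carry extra options such as labels and reply-to).

```shell
#!/bin/sh
# Added example, not pfSense code. Emits the pf rules behind one port forward,
# the OP's broken rule for comparison, and the WAN/LAN capture commands.
# Assumptions: WAN NIC em0, LAN NIC em1, simplified rule wording.
set -eu

WAN_IF=${WAN_IF:-em0}   # assumed WAN NIC
LAN_IF=${LAN_IF:-em1}   # assumed LAN NIC

# Correct forward: an rdr (translation) rule plus a pass rule for the
# translated destination. The source stays "any": a client's source port
# is ephemeral, so it can never be pinned to 80.
#   $1 = protocol, $2 = WAN port, $3 = target IP, $4 = target port
gen_forward() {
    proto=$1; wport=$2; target=$3; tport=$4
    printf 'rdr on %s inet proto %s from any to (%s) port %s -> %s port %s\n' \
        "$WAN_IF" "$proto" "$WAN_IF" "$wport" "$target" "$tport"
    printf 'pass in quick on %s inet proto %s from any to %s port %s keep state\n' \
        "$WAN_IF" "$proto" "$target" "$tport"
}

# What the OP built under Firewall > Rules: no rdr at all, and a fixed source
# port. Without the rdr nothing is rewritten to the target, and
# "from any port 80" only matches a client whose source port happens to be 80.
gen_broken_rule() {
    proto=$1; wport=$2; target=$3; tport=$4
    printf 'pass in on %s inet proto %s from any port %s to %s port %s\n' \
        "$WAN_IF" "$proto" "$wport" "$target" "$tport"
}

# One capture per side of the box: does the packet arrive on WAN at all,
# and does it leave on LAN already rewritten to the target?
gen_capture_cmds() {
    proto=$1; wport=$2; target=$3; tport=$4
    printf 'tcpdump -ni %s %s dst port %s\n' "$WAN_IF" "$proto" "$wport"
    printf 'tcpdump -ni %s dst host %s and %s dst port %s\n' \
        "$LAN_IF" "$target" "$proto" "$tport"
}

# Turn the two packet counts into a verdict.
#   $1 = packets seen on WAN, $2 = packets seen on LAN
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo "upstream: nothing reaches the WAN, look at whatever sits in front of pfSense"
    elif [ "$2" -eq 0 ]; then
        echo "pfsense: traffic arrives on WAN but is not forwarded, check the NAT rule and its pass rule"
    else
        echo "target: forwarded traffic reaches the LAN, check the host firewall and service on the target"
    fi
}

# Usage: HTTP to the OP's web server, 192.168.0.250
gen_forward tcp 80 192.168.0.250 80
gen_broken_rule tcp 80 192.168.0.250 80
gen_capture_cmds tcp 80 192.168.0.250 80
diagnose 5 0
```

  Run the two tcpdump commands on pfSense (Diagnostics > Command Prompt or an SSH shell) while hitting the public IP from outside; the counts you see on each side feed `diagnose`. Packets on WAN but none on LAN is the case the thread ends up in: the rule set passes nothing because the rdr is missing.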




  • Thanks, managed to find out what I did wrong. I followed this guide, but what made me think it didn't work is the fact that my entire access to the internet drops when I apply any NAT settings. If I reboot pfSense then things are up and working again, and this time the port forward does work. But why does the connection cut out entirely? I lose connection to Internet, and a few seconds later I also lose connection to pfSense Web Admin entirely.


  • Rebel Alliance Global Moderator

    I can tell you that I do forwards on the fly, other changes on the fly, and pretty much never have to reboot pfSense, nor do I lose connectivity when doing any sort of firewall rule or forward.



  • Yeah well I can't explain it either, and the whole disconnection issue was what steered me away from NAT, since whatever I did I lost connection. And I sure can't reboot every time I add or change a rule. So something is very off here.


  • Rebel Alliance Global Moderator

    What hardware are you running on, what version of pfSense?  What is your internet connection, DHCP cable?  DSL, are you using a PPPoE connection?

    Etc.. etc.. Without having some clue about your environment it would be impossible for me to even guess at what is going on..  All I can say is I have been using pfSense since version 1.x and have never seen that sort of thing on my installs, be it on hardware or VM.



  • What I did notice now is that the connection dropped out entirely only when the first NAT port forward was added. Once I rebooted and added more forwards the connection didn't drop out anymore. Perhaps it's a bug, or delayed reload of the service, I don't know, but I thought it was important to mention.

    I am on fiber (1000/1000) (no PPPoE, just a Cat6 right into the wall :) ) and use pfSense 2.2-RELEASE (amd64).

    But everything seems to work now. Thanks for all the input, I sure learned a lot more today. And very quick response as well, much appreciated!


  • Rebel Alliance Global Moderator

    fiber 1000/1000 – bastard!!! ;) heheeheh



  • Yep, and for cheaps :). Thanks to you and doktornotor for all the help!



    Looks like you're not the only one on a fresh install of 2.2-RELEASE having port forward issues.

    I can't figure out why my VoIP ports won't forward correctly. Was working fine on 2.1.5-RELEASE.

    A reboot did not help. Still not able to redirect 5060 TCP/UDP, 5090 TCP/UDP and 9000-9049 UDP.

    Any idea what is happening?


  • Rebel Alliance Global Moderator

    So did you do a clean install and try and import the forwards, or did you recreate them from scratch like your fresh install?



    Clean install, since the upgrade from 2.1.5 fails with a mountroot issue (there are plenty of other threads about that).

    The config was rebuilt by hand. No config file reuse.

    I've tried to log packets via the related rules but the firewall log seems to be in trouble too (see thread in the firewall section).

    I'm thinking of going back to 2.1.5 since NAT seems to be in trouble in 2.2, but I can try some diagnostics/workarounds before.


  • Banned

    There is no such issue. Nuke all the broken manual firewall rules you created. Create port forwards in Firewall - NAT - Port Forwarding. Click Apply.  Check that Outbound NAT is at Automatic (Outbound tab). Done.



    That's the way I always did it.

    I've deleted and remade those port forwards a number of times to be sure I haven't made a mistake: still nothing.

    Even with hybrid or manual outbound rules, it does not work.

    Also, my PBX (3CX) uses a STUN server to diagnose firewall port forwards and sometimes, in the same test, it just won't connect to the STUN server BUT internet is working fine and it can resolve DNS queries.

    That's a really weird trouble :S



    Ok, this is clearly related to 2.2.

    I have to explain that I run pfSense in a XenServer 6.5 VM.
    I stopped the 2.2 and reinstalled a fresh 2.1.5 on another VM WITH THE SAME CONFIG DONE MANUALLY (no backup/restore) and now port forwarding works as expected.

    2.2 is installed with xentools, 2.1.5 without xentools (since not available).

    I guess there are two possible things:
    1- Xentools giving issues
    2- 2.2 having weird issues with port forwarding

    Any idea where to start for diagnostics? I can provide the config file for analysis.


  • Rebel Alliance Global Moderator

    Let's think about it..  If 2.2 was having port forwarding issues in general, I would think the boards would be LIT UP like a xmas tree..  I would have thought this would have shown up in beta, RC, etc..

    But what I have seen is some weird threads with problems with xen..  My guess is xen..

    I can tell you for sure I am running on ESXi, and 2.2 was running before the RC, etc..  And have had zero issues with port forwarding, etc..

    To be honest I think there should be a new sticky somewhere: when posting a problem not only should you state what version you're running, be it i386 or 64, but clarification on whether it is on actual hardware or a VM, and if a VM what software it is on, etc..

    If you had mentioned xen in your OP, I could have pointed to other threads where users are having odd issues with xen.  Here is one that comes fresh to my mind.
    https://forum.pfsense.org/index.php?topic=86827.0


  • Netgate

    XenServer 6.2 workaround here: https://forum.pfsense.org/index.php?topic=85797.0
    It has zero to do with port forwarding.


  • Netgate

    @mrpijey:

    Perhaps it's a bug

    Most of the bugs in pfSense are in the Layer 8 code base.  It's pretty complicated stuff.  They try and try release after release but they just can't seem to get it right.

    Glad you got it working.


  • Rebel Alliance Global Moderator

    ^ hehehehe yeah I would agree layer 8 is a HUGE problem..

    I find layer 8 a huge PITA at work as well, it is a very complicated problem dealing with layer 8.. No matter how clear you try and code the solution - it has problems there..



  • Yeah - My layer 8 has issues to death…



  • @johnpoz:

    But what I have seen is some weird threads with problems with xen..  My guess is xen..

    That makes sense for my NAT issue. I probably have other issues since I haven't had enough time to do complete tests.

    I probably found the cause in this thread: https://forum.pfsense.org/index.php?topic=85797.0

    I'll try to sort that out with the solution in there.

    I was testing 2.2 on my VM at home before deploying it at work on a physical machine (Lenovo RS140). Despite the highly probable Xen issue, 2.2 seems to run pretty well.

    Will come back with feedback.



    Got some news.

    It is related to xentools and the FreeBSD 10.1 xn NIC.

    See:
    https://forum.pfsense.org/index.php?topic=85797.0
    https://forum.pfsense.org/index.php?topic=86827.0

    Credit goes to cmb, phadm and jpenninkhof for the solution.

    STEP 1: in the pfSense web configurator
    Disable hardware checksum offloading under System > Advanced, Networking.
    Checked:
    Disable hardware checksum offload
    Disable hardware TCP segmentation offload
    Disable hardware large receive offload

    Goal: disable hardware offload on pfSense.

    STEP 2: on the XenServer console
    # xe vm-vif-list uuid=VMUUID
    # xe vif-param-set uuid=VIFUUID other-config:ethtool-tx="off"
    # xe vif-param-set uuid=VIFUUID other-config:ethtool-rx="off"

    Goal: obtain the VIF UUIDs of the LAN and WAN of the VM and disable hardware offload on them.

    STEP 3: reboot the VM and voila!

    All works as expected.
    This seems to be a temporary solution, I guess.
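  STEP 2 above has to be repeated once per VIF (the pfSense VM has at least a WAN and a LAN one), with the UUIDs copied by hand. The script below, an added example and not from the thread or from Citrix, does the same thing for every VIF of the VM: it resolves the VM name to its UUID, lists its VIFs with `--minimal` and emits the two `xe vif-param-set` calls per VIF, validating each UUID so an empty or odd `xe` answer never becomes an argument. It assumes the `xe` CLI is on PATH (true on the XenServer host console); the VM name label `pfsense` in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread or from Citrix: STEP 2 applied to every
# VIF of the VM instead of one UUID typed by hand. Assumes "xe" is on PATH;
# the VM name label "pfsense" used in the usage comment is an assumption.
set -eu

# Only accept a well-formed UUID, so an empty or odd xe answer never ends up
# inside a vif-param-set call.
is_uuid() {
    printf '%s' "$1" |
        grep -Eq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
}

# "xe ... --minimal" prints the matching UUIDs comma separated on one line;
# turn that into one UUID per line.
split_minimal() {
    printf '%s\n' "$1" | tr ',' '\n' | sed '/^$/d'
}

# The two xe calls from STEP 2 for one VIF. They are printed rather than run,
# so they can be reviewed first (DRY_RUN=1) or piped into sh.
offload_off_cmds() {
    vif=$1
    is_uuid "$vif" || { echo "not a VIF uuid: $vif" >&2; return 1; }
    printf 'xe vif-param-set uuid=%s other-config:ethtool-tx="off"\n' "$vif"
    printf 'xe vif-param-set uuid=%s other-config:ethtool-rx="off"\n' "$vif"
}

# VM name -> VM uuid -> every VIF uuid on that VM -> offload off on each.
disable_vif_offload() {
    vmname=$1
    vmuuid=$(xe vm-list name-label="$vmname" --minimal)
    is_uuid "$vmuuid" || { echo "no single VM named $vmname" >&2; return 1; }
    split_minimal "$(xe vif-list vm-uuid="$vmuuid" --minimal)" |
    while read -r vif; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            offload_off_cmds "$vif"
        else
            offload_off_cmds "$vif" | sh -e
        fi
    done
    echo "done; reboot the VM (STEP 3) for the change to take effect" >&2
}

# Usage on the XenServer console (review first, then apply):
#   DRY_RUN=1 sh disable_vif_offload.sh pfsense
#   sh disable_vif_offload.sh pfsense
if [ -n "${1:-}" ]; then
    disable_vif_offload "$1"
fi
```

  The `ethtool-tx`/`ethtool-rx` keys go into the VIF's `other-config` and are picked up when the VIF is plugged, which is why STEP 3 (a reboot of the VM) is still needed; STEP 1 on the pfSense side is unchanged.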


  • Banned

    @corotte:

    Got some news.

    It is related to xentools and the FreeBSD 10.1 xn NIC.