Netgate Discussion Forum

    Port Forwarding

    Category: General pfSense Questions
    16 Posts 4 Posters 3.6k Views
    • Serra

      I'm unable to get port forwarding to work at all for two different computers and one device.  It is driving me nuts.

      Basically, if I used my old router, the existing port forwarding works fine.  I swap in the pfsense router and it doesn't.  I assume something is wrong with the way I'm doing it.

      So, I guess my simple first question would be, if I "Disable all packet filtering", that turns off the firewall completely.  So, port forwarding isn't used, since no inbound connections are blocked.

      If I "Disable all packet filtering" and my device still doesn't work, it's safe to assume that my port forwarding setup isn't the issue and I have an issue elsewhere?  In the past on other systems, I've verified that the device works by disabling the firewall, checking the device and then enabling the firewall and working on the forwarding.  In this case, it doesn't seem to work.  So should it?

      • johnpoz (LAYER 8 Global Moderator)

        What are you forwarding?  What is the IP on the pfSense WAN, is it rfc1918 or public?  That is the IP you would hit, that you want to forward to some other IP on your LAN that is an rfc1918 address.  Is your pfSense behind a NAT??  Say pfSense WAN is 192.168.0.1/24 and you want to forward 80 to 192.168.1.100/24 on your LAN.

        If you're hitting 192.168.0.1 you would have to disable the default WAN rule of block rfc1918.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Serra

          I have a debugging software (PHPed) that communicates with a server on port 7869.  The software needs that port to be open so it can get information back from the server.

          So, my device at 198.162.0.10 needs to have access to incoming information on port 7869.  The actual port number isn't important, it can be changed, 7869 is just the default.

          The pfsense box is connected via a bridge to the Internet, so it is handling everything.

          • Derelict (LAYER 8 Netgate)

            https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

            You probably want:

            Interface: WAN
            Protocol: TCP
            Source: Leave this alone
            Destination: WAN address
            Destination Port Range: 7869
            Redirect Target IP: 192.168.0.10 (I'm assuming 198.162.0.10 is a mistake)
            Redirect Target Port: 7869
            No XMLRPC Sync: unchecked
            NAT Reflection: Use system default
            Description: PHPed
            Filter rule association: Let it add one/Use what's already added.

            The associated filter rule should show up on Firewall > Rules, WAN tab.  You will only be able to edit values that are not set by the NAT entry.  Edit the NAT entry to change the locked values.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • Serra

              Sorry, just got back from a meeting doing too many things at once, yes, 192.168.0.10…

              However, those are the settings I used, no luck.  I tried two devices on two computers (with their own settings in the firewall on slightly different ports) to eliminate anything on the computer (though it works fine with the old router).

              The firewall and NAT settings both looked fine when it was set.

              Can anyone confirm that if I turn on "Disable all packet filtering", anything can go through the firewall without forwarding?

              One more thing I noticed.  I went the other route (removed the forwards) and turned on UPnP and it didn't work either, but the UPnP status showed all of the proper ports were open.  I've not used UPnP much, but I was under the impression that it was somewhat foolproof.  Just turn it on and the ports magically open, and since they were listed properly, what could be the issue?

              • Derelict (LAYER 8 Netgate)

                You don't need to do anything like disable all packet filtering.  This just works when it's configured correctly.

                Do all this and report back.

                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting


                • Serra

                  I did all of that except running the tcpdump, seemed like overkill.  I'll do that and see what is up.  I'll post back when I get a chance to test that.

                  • Derelict (LAYER 8 Netgate)

                    Sorry, but if you did all that it would be working.

                    Triple check the config/firewall/network mode on the target host.


                    • Derelict (LAYER 8 Netgate)

                      @Serra:

                      Basically, if I used my old router, the existing port forwarding works fine.  I swap in the pfsense router and it doesn't.

                      You're talking replacing, not putting pfSense in between the old router and target host, right?  You're getting a public IP address from the ISP on pfSense WAN right?


                      • Serra

                        Correct.  Ok, just tested again and went over the questions:

                        1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)

                        CHECK

                        2. Firewall enabled on client machine

                        WINDOWS FIREWALL HAS EXCEPTION FOR PHPED.  WORKS FINE FOR OLD ROUTER.

                        3. Client machine is not using pfSense as its default gateway

                        CHECK DEFAULT GATEWAY

                        4. Client machine not actually listening on the port being forwarded

                        CHECK, TESTED DEBUGGER

                        5. ISP or something upstream of pfSense is blocking the port being forwarded

                        WORKS FINE WITH OLD ROUTER

                        6. Trying to test from inside the local network, need to test from an outside machine

                        WEBSERVER IS OUTSIDE THE NETWORK AND REPORTS IT CAN'T CONNECT TO IP.

                        7. Incorrect or missing Virtual IP configuration for additional public IP addresses

                        NO VIRTUAL IPS

                        8. The pfSense router is not the border router. If there is something else between pfSense and the ISP, the port forwards and associated rules must be replicated there.

                        PC - ROUTER - <bridge> - INTERNET

                        9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be added both to and from the server's IP in order for a port forward to work behind a Captive Portal.

                        NO CAPTIVE PORTAL

                        10. If this is on a WAN that is not the default gateway, make sure there is a gateway chosen on this WAN interface, or the firewall rules for the port forward would not reply back via the correct gateway.

                        DEFAULT GATEWAY

                        14. WAN rules should NOT have a gateway set, so make sure that the rules for the port forward do NOT have a gateway configured on the actual rule.

                        NO GATEWAY SET.

                        15. If the traffic appears to be forwarding in to an unexpected device, it may be happening due to UPnP. Check Status > UPnP to see if an internal service has configured a port forward unexpectedly. If so, disable UPnP on either that device or on the firewall.

                        UPNP IS OFF

                        • KOM

                          Nothing of note in Status - System logs - Firewall that has to do with any of this?

                          • Derelict (LAYER 8 Netgate)

                            And what states are created.  PM me your public IP and I'll see what happens from here.  These things can be easily tested with telnet.

                            • johnpoz (LAYER 8 Global Moderator)

                              And you're not running a local security software or firewall on this box?  Simple enough to test with a simple sniff to see if that traffic ever hits pfSense, and is forwarded to where you want to forward it.  Really is a 3 second check..


                              • Serra
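The "sniff on the WAN" check above, and the tcpdump step in the troubleshooting page Derelict linked, reduce to one question: how far does the outside host's SYN get? The script below is an added example, not code from the thread or from Netgate. It classifies a pair of short `tcpdump -n` captures, one taken on the pfSense WAN interface and one on the LAN interface while an outside host connects to the forwarded port, and maps the result to the item on the troubleshooting list it points at. It assumes the forward from the thread (TCP 7869 to 192.168.0.10); the WAN address, the outside tester's address and the capture lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Netgate): classify two tcpdump
# captures taken on the pfSense WAN and LAN interfaces while an outside host
# connects to the forwarded port. Assumed setup from the thread: TCP 7869
# forwarded to 192.168.0.10. WAN_IP and CLIENT are constructed documentation
# addresses; the capture text below is constructed, not a real capture.

FWD_PORT=7869
TARGET_IP=192.168.0.10
WAN_IP=203.0.113.5        # constructed public WAN address
CLIENT=198.51.100.20      # constructed outside test host (where telnet/nc runs)

# count_pkts CAPTURE SUBSTRING FLAGS
# Counts lines of a `tcpdump -n` text capture that contain SUBSTRING (used to
# pin the direction, e.g. "> 192.168.0.10.7869:") and the exact TCP flag field
# FLAGS ("[S]" for a SYN, "[S.]" for a SYN-ACK).
count_pkts() {
    printf '%s\n' "$1" | awk -v pat="$2" -v flags="$3" '
        index($0, pat) > 0 && index($0, "Flags " flags) > 0 { n++ }
        END { print n + 0 }'
}

# diagnose WAN_CAPTURE LAN_CAPTURE
# Prints a one-word verdict for the capture pair.
diagnose() {
    wan_syn=$(count_pkts "$1" "> $WAN_IP.$FWD_PORT:" "[S]")
    lan_syn=$(count_pkts "$2" "> $TARGET_IP.$FWD_PORT:" "[S]")
    lan_synack=$(count_pkts "$2" "IP $TARGET_IP.$FWD_PORT >" "[S.]")
    if [ "$wan_syn" -eq 0 ]; then
        # Nothing arrived at all: the device upstream of pfSense or the ISP is
        # not passing it, or the WAN IP is not what you think (list items 5
        # and 8; the cause found later in this thread).
        echo "no-syn-at-wan"
    elif [ "$lan_syn" -eq 0 ]; then
        # SYN reached WAN but was never redirected: NAT entry or its associated
        # filter rule (item 1).
        echo "not-translated"
    elif [ "$lan_synack" -eq 0 ]; then
        # Redirected, but the target never answered: host firewall, nothing
        # listening, or wrong default gateway on the host (items 2, 3, 4, 10).
        echo "target-not-answering"
    else
        echo "forward-ok"
    fi
}

# Constructed sample captures in `tcpdump -n` line format. pfSense only
# rewrites the destination, so the LAN capture shows the outside host's
# address talking to the target directly.
OK_WAN="10:00:01.000100 IP $CLIENT.51234 > $WAN_IP.$FWD_PORT: Flags [S], seq 100, win 64240, length 0
10:00:01.000400 IP $WAN_IP.$FWD_PORT > $CLIENT.51234: Flags [S.], seq 500, ack 101, win 65535, length 0"
OK_LAN="10:00:01.000200 IP $CLIENT.51234 > $TARGET_IP.$FWD_PORT: Flags [S], seq 100, win 64240, length 0
10:00:01.000300 IP $TARGET_IP.$FWD_PORT > $CLIENT.51234: Flags [S.], seq 500, ack 101, win 65535, length 0"
SYN_ONLY_WAN="10:00:01.000100 IP $CLIENT.51234 > $WAN_IP.$FWD_PORT: Flags [S], seq 100, win 64240, length 0"
SILENT_LAN="10:00:01.000200 IP $CLIENT.51234 > $TARGET_IP.$FWD_PORT: Flags [S], seq 100, win 64240, length 0"

run_samples() {
    echo "healthy forward:         $(diagnose "$OK_WAN" "$OK_LAN")"
    echo "target not answering:    $(diagnose "$SYN_ONLY_WAN" "$SILENT_LAN")"
    echo "NAT rule not matching:   $(diagnose "$SYN_ONLY_WAN" "")"
    echo "nothing reaches pfSense: $(diagnose "" "")"
}
run_samples
```

To feed it real data, capture on each interface for a few seconds while the outside host connects (for example `tcpdump -ni em0 tcp port 7869` on WAN and the same on the LAN interface), save the text, and pass the two files' contents to `diagnose`. The empty-WAN verdict is the interesting one here: it says the problem is not in pfSense at all, which is exactly what the thread ends up finding.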

                                Thanks for all the help.  I knew that you'd push me in the right direction.  When illogical things are happening, sometimes you have to reexamine things from a different angle.

                                Turns out there were two issues I was having that prevented me from finding the problem.  First I was too lazy to type "yum telnet install" on my external server so I could use telnet.

                                Once I did that, I found that no traffic was making it through to the pfsense box at all.

                                That led me back to the useless and painfully restrictive ATT router I'm forced to use as a bridge.  I have limited access to it because it is outside of my network in bridge mode.  The only way to access it is via my laptop.  I looked at it yesterday, but after about 10 minutes, Windows forced a reboot and started updating.  I gave up waiting for it after about 30 minutes.  Today, I gave it another 30 minutes of updating and inspected the firewall.  For some unknown reason, the IP passthrough had jumped to my security system, rather than the pfsense router.  So pfsense was again behind its firewall.  Once I disabled that (again), the ports opened right up.

                                So, the final question, in the ATT router, it showed two pfsense routers with different MACs.  However, it didn't show pfsense having been assigned an IP address.  Since I haven't set the MAC or changed it, that makes me wonder:

                                If I don't manually put in a MAC for the pfsense box, it will use its assigned internal MAC and not create a random MAC correct?

                                • johnpoz (LAYER 8 Global Moderator)

                                  If it's physical hardware it would use that MAC on that interface, unless you went in and changed it or did some sort of clone in pfSense.  If it's running on virtual then it could create a new virtual MAC if you did something in the setup, etc.

                                  So see, a 2 second sniff on the WAN in pfSense would have told you that traffic wasn't getting there, and looking to validate your WAN was the IP you thought it was supposed to be is another valid check ;)

                                  Glad you got it sorted.  I tried firing up that software this morning and couldn't figure out how to get the debugger tester you showed running.


                                  • Serra

                                    @johnpoz:

                                    If it's physical hardware it would use that MAC on that interface, unless you went in and changed it or did some sort of clone in pfSense.  If it's running on virtual then it could create a new virtual MAC if you did something in the setup, etc.

                                    Yes, it is physical hardware, so that is good.

                                    @johnpoz:

                                    So see, a 2 second sniff on the WAN in pfSense would have told you that traffic wasn't getting there, and looking to validate your WAN was the IP you thought it was supposed to be is another valid check ;)

                                    Knowing it isn't there and being actually able to see it are two different things.  There is a lot of information and I'm brand new to pfsense, so actually finding it, was difficult.  New tools are the hardest to use.

                                    @johnpoz:

                                    Glad you got it sorted.  I tried firing up that software this morning and couldn't figure out how to get the debugger tester you showed running.

                                    Yea, welcome to the hardest to set up software in the world!  It is better now than a few years ago, but I've set up at least 100 accounts in PHPed and I still use a cheat sheet.  Once you get the account set up, then there is also a component that must be installed into PHP on the web server, and php.ini needs to be updated with the ports and IP of the users.  It's rather a pain to set up.  Once set up, it is amazing.  I can't live without it.  The ability to step line by line through a PHP program is very helpful when there is a strange bug.  Plus the code prefill and highlighting are very helpful.  For example, if you create a variable called $rec_num, next time you type $rec it prefills $rec_num.  That really cuts down on typos.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.