Network goes down when ports are opened



  • Hi All,

    I'm new to PFsense (I just switched from Untangle a few days ago). First off, I want to say that I love PFsense so far  ;D and the problem that I'm having doesn't bother me when I consider the flexibility that it offers me (even though I'm sure that this is because of some error on my part during setup).

    I'm not entirely sure how to explain the problem that I'm having, but I have about 16-17 ports open right now, and when I try to open or close a port on my PFsense router all the traffic on the network stops and I'm unable to access the router or the internet from any computer that's on the network. I'm not sure if this is the problem or not, but I do have multiple aliases that point to the same IP address (I have multiple services running on the same server and I decided to organize my rules that way).

    Between my PFsense router and the internet is a router that we got from our ISP to connect to the internet. I set the DMZ of the router to point to my PFsense box (port forwarding on the ISP router is too restrictive for me). Behind the PFsense router I have 3 servers and a WIFI router (this is where my laptop and desktop connect to the network).

    I don't know if this helps, but my PFsense router has a 1.80GHz Pentium 4, 863 MB of RAM, 40GB hard drive, and two 10GB/s network cards in it (one for the WAN and one for the LAN).

    Sorry if I posted this in the wrong section.



  • Just an Update:

    I just changed the aliases so it doesn't have multiple names for the same computer. I will post again if this fixes it.



  • Opening what ports on what interface, and why? Is NAT involved in any way? Can you still ping pfSense from inside the LAN when this happens?
    Anything in the logs?



    There are 3 routers that handle NAT: the router that our ISP gave us (the first router that our internet goes through), then the PFsense router which has the VPN server (as well as several other servers), and a wireless router. That wireless router also handles NAT (our network printer and the desktop that I used to configure PFsense are connected to this). I know this is not the cleanest setup, but there is a reason why I have it set up this way.

    The first time that the router stopped working was when I was opening the ports for my network printer so it could be accessed from another network; the ports that I needed for that were TCP/UDP port 51, TCP/UDP port 631, and TCP 9100. These ports were forwarded to point to the router behind it (the wireless router), which has the same ports open so we can print from nearly any network in the house. (Again, this is not the cleanest setup by any means.)

    The second time that the router stopped working was when I was opening ports for my VPN server, which uses L2TP; for that I opened UDP port 500, UDP port 4500, and the protocol ESP. In all the port forwards I used the WAN interface.

    I honestly don't remember if I was able to ping the PFsense router from inside the LAN when the network stops working, but since 2 days ago, when I changed the aliases so there aren't multiple aliases pointing to the same IP address, I have not seen the problem again (however, I have not needed to create as many port forwards as I did when I first got the router).

    I didn't find anything that was very alarming in the logs.


  • Eliminating two out of three NATs would be my first step toward fixing your network.



    "These ports were forwarded to point to the router behind it (the wireless router) which has the same ports open so we can print from nearly any network in the house. (Again, this is not the cleanest setup by any means.)"

    Getting rid of this NAT-router-device is a 5 minute job. Pretend it is not a router, do NOT connect a cable to its WAN port. Connect a cable from your pfSense LAN switch to a LAN port of the WiFi device. Turn off any DHCP on the device. Let anything connected to that WiFi get DHCP from pfSense. Those devices will work just like all other devices on the pfSense LAN.

    Once that is done, then think about how to put the front-end ISP-router device into bridge mode…



    Thank you so much for your reply! I did what you said, and now the network is cleaner. Unfortunately I'm not able to put our ISP gateway in any sort of "Bridge mode", but the DMZ setting on it is set to my PFsense box (so the ISP router will stop blocking ports) and I set up a static IP address on the adapter that is facing the ISP router.
