Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Unable to open port 110 or 25 (did with another port)

    Firewalling
    6
    26
    2467
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      madmontero last edited by

      I've been running PF for years with little to no issues, and any that I had I found here or on the webs. But this one is stumping me  :o so it was time to create an accnt to ask a few questions.

      I did a fresh install of 2.2 on my ESXi 5.5v2 with Intel dual gig server NICs dedicated to PFsense. Everything is solid and stable.

      I needed to open a specific port for my security cam DVR.. no problem.. seem to work fine. ;D

      Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff. I even copied the SAME EXACT config for the DVR setup and port testers show up blocked. Actually ALL ports are pretty much blocked!

      I've searched high and low on the net, is this a corrupt install possibly? I was able to unblock my DVR.. why not this?

      Thanks for any help and advice!
      Jason

      P.S. In my testing I found that on the LAN rules, I could disable the 2 (which is why they are grey) and still 55039 would pass. I was just following a guide on the web that said to set it up this way.






      1 Reply Last reply Reply Quote 0
      • 2
        2chemlud Banned last edited by

        Hi!

        The first LAN Firewall rule allows EACH AND EVERYTHING, so no matter what you allow/prohibit thereafter: ALL traffic is already passed, nothing (IPv4) will care for what is in your table after line 1… simple as that ;-)

        1 Reply Last reply Reply Quote 0
        • Derelict
          Derelict LAYER 8 Netgate last edited by

          Be specific.  Start with one thing.  Exactly what port do you want open from what sources to what destination.

          I think I already said this but be specific.  Include all details, but keep it to ONE item.

          1 Reply Last reply Reply Quote 0
          • M
            madmontero last edited by

            Thanks guys (both of you) for the info. I uncheck the "Default allow LAN to any rule " to anyrule (that really kills things…  made a webspecific rule to browse and then a port 110 to check and it's still blocked!

            I then reset it all (deleted my junk-only my port 55039 which works!) and pushed "Default allow LAN to any rule " to the BOTTOM.

            Made a PORT 110 NAT RULE and WAN/LAN RULE by copying the 55039 setup... nothing.

            common webscanners show everything is blocked.

            How come I was able to unblock this 1st port but nothing there after? Should I fire up another VM and test? possible corrupted install?




            1 Reply Last reply Reply Quote 0
            • D
              doktornotor Banned last edited by

              WTH are you doing there with the LAN port forwards???

              1 Reply Last reply Reply Quote 0
              • Derelict
                Derelict LAYER 8 Netgate last edited by

                Fine.  Don't listen.  Good luck.

                1 Reply Last reply Reply Quote 0
                • H
                  hda last edited by

                  @madmontero:

                  …
                  Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff.
                  ...

                  Do you have a server listening (in) on port 25 OR does your client need to speak (out) to a port 25 ?

                  1 Reply Last reply Reply Quote 0
                  • M
                    madmontero last edited by

                    @hda:

                    @madmontero:

                    …
                    Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff.
                    ...

                    Do you have a server listening (in) on port 25 OR does your client need to speak (out) to a port 25 ?

                    A few Outlook clients that need to talk to POP/SMTP.

                    Incoming mail server pop.secureserver.net
                    Outgoing mail server (SMTP) smtpout.secureserver.net

                    These are blocked now..

                    DOK.. This is what installed by default, isn't this outgoing rule? LAN to WAN? pass all ports?

                    1 Reply Last reply Reply Quote 0
                    • D
                      doktornotor Banned last edited by

                      Dude. Put the default LAN rule back, delete the crap you created and be done. Dunno really what you are forwarding where when you are not hosting the mailserver.

                      1 Reply Last reply Reply Quote 0
                      • M
                        madmontero last edited by

                        The default LAN rule is in place! if I take out out my 55039 rule… then it stops being opened up??

                        Then what?

                        1 Reply Last reply Reply Quote 0
                        • D
                          doktornotor Banned last edited by

                          How the hell is 55039 related to the topic???

                          1 Reply Last reply Reply Quote 0
                          • M
                            madmontero last edited by

                            you said "delete the crap you created" ???

                            Let me spool up another fresh VM and try it…  :-\

                            1 Reply Last reply Reply Quote 0
                            • D
                              doktornotor Banned last edited by

                              Maybe someone else. IMNSHO, if you cannot tell WAN from LAN and client from server, you should keep your hands miles off any firewall. The default LAN rule allows all traffic go out from LAN (such as Outlook communication with mailserver on WAN). There is absolutely zero need to open anything else, to create any portforwards on LAN or any similar nonsense.

                              1 Reply Last reply Reply Quote 0
                              • H
                                hda last edited by

                                @madmontero:

                                …
                                Actually ALL ports are pretty much blocked!
                                ...

                                You do not need to open up WAN to send & pop email. So yes your ports from outside are blocked.

                                1 Reply Last reply Reply Quote 0
                                • D
                                  doktornotor Banned last edited by

                                  And BTW, you should use 587 for sending email and 995 (POP3/S) for downloading email. Not send out your credentials in plaintext. (Also, at least TCP/25 is blocked tons of ISPs.)

                                  1 Reply Last reply Reply Quote 0
                                  • M
                                    madmontero last edited by

                                    @doktornotor:

                                    Maybe someone else. IMNSHO, if you cannot tell WAN from LAN and client from server, you should keep your hands miles off any firewall. The default LAN rule allows all traffic go out from LAN (such as Outlook communication with mailserver on WAN). There is absolutely zero need to open anything else, to create any portforwards on LAN or any similar nonsense.

                                    Thanks! this is what I was looking for.. just an easy, simple explanation.

                                    As for the 587/995… They don't use this...This is from GoDaddy

                                    Next to Outgoing Server (SMTP), type 465. Click OK and click Next.
                                    If those settings don't work,repeat steps 1-3 and select None for Use the following type of encrypted connection. Try these other ports for Outgoing server (SMTP): 80, 3535, or 25

                                    HDA, thanks for the response.. again, these are just a few client machines that need to access pop/smtp email from behind the PFsense.

                                    I'll let you guys know in a bit!

                                    1 Reply Last reply Reply Quote 0
                                    • johnpoz
                                      johnpoz LAYER 8 Global Moderator last edited by

                                      agreed 25 outbound to everything other than the ISP smtp servers is blocked on many isps..  You can thank the spammers and malware/viruses that turn boxes into spam senders for that.

                                      "Incoming mail server    pop.secureserver.net
                                      Outgoing mail server (SMTP) smtpout.secureserver.net"

                                      If you have clients behind pfsense on your lan that need to talk to those servers outside pfsense, ie the internet (wan) then you have nothing to do with port forwards or specific rules if you have the default any any rule on the lan.  This allows lan clients to talk to anything on the internet, ports or protocols.

                                      If you can not talk to those servers on 25 and or 110 then talk to your ISP..  But as stated you shouldn't be using 25 or 110 to talk to that mail server outside anyway - as dok stated you should use secure methods so your username and password is not sent in the clear across the public net.  The 587 is normally allowed by isps while 25 is not.

                                      1 Reply Last reply Reply Quote 0
                                      • H
                                        hda last edited by

                                        @madmontero:

                                        Thanks! this is what I was looking for.. just an easy, simple explanation.

                                        Again, read a few easy knowhow bytes.

                                        You need the allow-rules row (2 & 3) in your Firewall: Rules LAN. And delete (1, 4 & 5)
                                        Empty Firewall: Rules Floating()

                                        IF you do not appreciate initiative from global or not serve to global, then:
                                        Empty Firewall: Rules WAN()
                                        Empty Firewall: NAT: Port Forward()

                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          madmontero last edited by

                                          Thank you guys for the help! I got it working.. did exactly as you (ALL) said and everything is cool  8)

                                          I"m used to working on Sonicwall NSA's and Fortigate's but just have this running at one site and it's been fine forever until this upgrade. I thought it was corrupted.

                                          Thanks again for all your help! Even DOK  ;)

                                          1 Reply Last reply Reply Quote 0
                                          • 2
                                            2chemlud Banned last edited by

                                            Fine! :-)

                                            Would you mind sharing your firewall ruleset for a final check here?

                                            Just to confirm that all issues are fixed!

                                            1 Reply Last reply Reply Quote 0
                                            • M
                                              madmontero last edited by

                                              So here's my final config.. pretty barebone.. one thing I was going to hit up Johnpoz on or post in the VM forum is my Intel NIC card (dual GbE server) seems to just be turning off or shutting down now after some heavy use. e1000 drivers. Never did this on straight 5.5 and prev PF version. I only upgraded to U2 to run 2.2.2

                                              And just FYI.. I bought like 5 of these years back.. been working fine on my ESXi and Windows boxes. Just now it's crapping out on PFsense.

                                              Thanks!

                                              http://www.ebay.com/itm/271581912527?_trksid=p2060353.m1438.l2649&ssPageName=STRK%3AMEBIDX%3AIT

                                              P.S. I just Disable hardware checksum offload to see if that helps or does anything.








                                              1 Reply Last reply Reply Quote 0
                                              • johnpoz
                                                johnpoz LAYER 8 Global Moderator last edited by

                                                I would of named your port groups wan and lan ;)  But maybe thats just me ;)

                                                I don't have any of those specific nics, I have run both vmx3 and e1000 on it my setup currently using the e1000 because of the vmx3 has issue with reporting duplex and ladvd using to send out cdp and lldp from pfsense was having my switch saying there was a duplex mismatch, etc.

                                                What is that port forward for?  That is an ODD ball port.. Your not using Xsan are you??

                                                1 Reply Last reply Reply Quote 0
                                                • M
                                                  madmontero last edited by

                                                  I'm running a custom a NVR with Blue Iris.

                                                  As for the NIC/ESXi issue, I think maybe that card is dying out (what are the odds??) going to swap it out and see. I've been running the e1000 driver on those cheap Chinese units without issue. Also tested in passthrough as well.

                                                  To find a deal on PCI-e Intel server cards is hard  :(

                                                  1 Reply Last reply Reply Quote 0
                                                  • johnpoz
                                                    johnpoz LAYER 8 Global Moderator last edited by

                                                    And why would you have that open to the public net??  Doesn't seem like a good idea to me to allow public access to video cameras in my home ;)

                                                    Why would you not just vpn in if you wan to view the video while remote?

                                                    42$ seems like a pretty good price to me
                                                    http://www.amazon.com/Intel-1000-Dual-Server-Adapter/dp/B000BMZHX2

                                                    1 Reply Last reply Reply Quote 0
                                                    • M
                                                      madmontero last edited by

                                                      It's not a home, and that doesn't allow access to the cameras. It's for admin access only. The camera access are on a internal vlan that only a few have access to. no outside access.

                                                      Thanks for the link! I ordered a few off Ebay, Both PCI and PCIe  ;)

                                                      1 Reply Last reply Reply Quote 0
                                                      • johnpoz
                                                        johnpoz LAYER 8 Global Moderator last edited by

                                                        work/home - I wouldn't be allowing access to NVR eitherway

                                                        VPN to access anything of that sort..  If you don't want the public to access it "It's for admin access only" then should be through a vpn.

                                                        1 Reply Last reply Reply Quote 0
                                                        • First post
                                                          Last post

                                                        Products

                                                        • Platform Overview
                                                        • TNSR
                                                        • pfSense Plus
                                                        • Appliances

                                                        Services

                                                        • Training
                                                        • Professional Services

                                                        Support

                                                        • Subscription Plans
                                                        • Contact Support
                                                        • Product Lifecycle
                                                        • Documentation

                                                        News

                                                        • Media Coverage
                                                        • Press
                                                        • Events

                                                        Resources

                                                        • Blog
                                                        • FAQ
                                                        • Find a Partner
                                                        • Resource Library
                                                        • Security Information

                                                        Company

                                                        • About Us
                                                        • Careers
                                                        • Partners
                                                        • Contact Us
                                                        • Legal
                                                        Our Mission

                                                        We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

                                                        Subscribe to our Newsletter

                                                        Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

                                                        © 2021 Rubicon Communications, LLC | Privacy Policy