Unable to open port 110 or 25 (did with another port)



  • I've been running PF for years with little to no issues, and any that I had I found here or on the webs. But this one is stumping me  :o so it was time to create an accnt to ask a few questions.

    I did a fresh install of 2.2 on my ESXi 5.5v2 with Intel dual gig server NICs dedicated to PFsense. Everything is solid and stable.

    I needed to open a specific port for my security cam DVR.. no problem.. seem to work fine. ;D

    Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff. I even copied the SAME EXACT config for the DVR setup and port testers show up blocked. Actually ALL ports are pretty much blocked!

    I've searched high and low on the net, is this a corrupt install possibly? I was able to unblock my DVR.. why not this?

    Thanks for any help and advice!
    Jason

    P.S. In my testing I found that on the LAN rules, I could disable the 2 (which is why they are grey) and still 55039 would pass. I was just following a guide on the web that said to set it up this way.







  • Banned

    Hi!

    The first LAN Firewall rule allows EACH AND EVERYTHING, so no matter what you allow/prohibit thereafter: ALL traffic is already passed, nothing (IPv4) will care for what is in your table after line 1… simple as that ;-)


  • Netgate

    Be specific.  Start with one thing.  Exactly what port do you want open from what sources to what destination.

    I think I already said this but be specific.  Include all details, but keep it to ONE item.



  • Thanks guys (both of you) for the info. I uncheck the "Default allow LAN to any rule " to anyrule (that really kills things…  made a webspecific rule to browse and then a port 110 to check and it's still blocked!

    I then reset it all (deleted my junk-only my port 55039 which works!) and pushed "Default allow LAN to any rule " to the BOTTOM.

    Made a PORT 110 NAT RULE and WAN/LAN RULE by copying the 55039 setup... nothing.

    common webscanners show everything is blocked.

    How come I was able to unblock this 1st port but nothing there after? Should I fire up another VM and test? possible corrupted install?





  • Banned

    WTH are you doing there with the LAN port forwards???


  • Netgate

    Fine.  Don't listen.  Good luck.



  • @madmontero:


    Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff.
    ...

    Do you have a server listening (in) on port 25 OR does your client need to speak (out) to a port 25 ?



  • @hda:

    @madmontero:


    Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff.
    ...

    Do you have a server listening (in) on port 25 OR does your client need to speak (out) to a port 25 ?

    A few Outlook clients that need to talk to POP/SMTP.

    Incoming mail server pop.secureserver.net
    Outgoing mail server (SMTP) smtpout.secureserver.net

    These are blocked now..

    DOK.. This is what installed by default, isn't this outgoing rule? LAN to WAN? pass all ports?


  • Banned

    Dude. Put the default LAN rule back, delete the crap you created and be done. Dunno really what you are forwarding where when you are not hosting the mailserver.



  • The default LAN rule is in place! if I take out out my 55039 rule… then it stops being opened up??

    Then what?


  • Banned

    How the hell is 55039 related to the topic???



  • you said "delete the crap you created" ???

    Let me spool up another fresh VM and try it…  :-\


  • Banned

    Maybe someone else. IMNSHO, if you cannot tell WAN from LAN and client from server, you should keep your hands miles off any firewall. The default LAN rule allows all traffic go out from LAN (such as Outlook communication with mailserver on WAN). There is absolutely zero need to open anything else, to create any portforwards on LAN or any similar nonsense.



  • @madmontero:


    Actually ALL ports are pretty much blocked!
    ...

    You do not need to open up WAN to send & pop email. So yes your ports from outside are blocked.


  • Banned

    And BTW, you should use 587 for sending email and 995 (POP3/S) for downloading email. Not send out your credentials in plaintext. (Also, at least TCP/25 is blocked tons of ISPs.)



  • @doktornotor:

    Maybe someone else. IMNSHO, if you cannot tell WAN from LAN and client from server, you should keep your hands miles off any firewall. The default LAN rule allows all traffic go out from LAN (such as Outlook communication with mailserver on WAN). There is absolutely zero need to open anything else, to create any portforwards on LAN or any similar nonsense.

    Thanks! this is what I was looking for.. just an easy, simple explanation.

    As for the 587/995… They don't use this...This is from GoDaddy

    Next to Outgoing Server (SMTP), type 465. Click OK and click Next.
    If those settings don't work,repeat steps 1-3 and select None for Use the following type of encrypted connection. Try these other ports for Outgoing server (SMTP): 80, 3535, or 25

    HDA, thanks for the response.. again, these are just a few client machines that need to access pop/smtp email from behind the PFsense.

    I'll let you guys know in a bit!


  • Rebel Alliance Global Moderator

    agreed 25 outbound to everything other than the ISP smtp servers is blocked on many isps..  You can thank the spammers and malware/viruses that turn boxes into spam senders for that.

    "Incoming mail server    pop.secureserver.net
    Outgoing mail server (SMTP) smtpout.secureserver.net"

    If you have clients behind pfsense on your lan that need to talk to those servers outside pfsense, ie the internet (wan) then you have nothing to do with port forwards or specific rules if you have the default any any rule on the lan.  This allows lan clients to talk to anything on the internet, ports or protocols.

    If you can not talk to those servers on 25 and or 110 then talk to your ISP..  But as stated you shouldn't be using 25 or 110 to talk to that mail server outside anyway - as dok stated you should use secure methods so your username and password is not sent in the clear across the public net.  The 587 is normally allowed by isps while 25 is not.



  • @madmontero:

    Thanks! this is what I was looking for.. just an easy, simple explanation.

    Again, read a few easy knowhow bytes.

    You need the allow-rules row (2 & 3) in your Firewall: Rules LAN. And delete (1, 4 & 5)
    Empty Firewall: Rules Floating()

    IF you do not appreciate initiative from global or not serve to global, then:
    Empty Firewall: Rules WAN()
    Empty Firewall: NAT: Port Forward()



  • Thank you guys for the help! I got it working.. did exactly as you (ALL) said and everything is cool  8)

    I"m used to working on Sonicwall NSA's and Fortigate's but just have this running at one site and it's been fine forever until this upgrade. I thought it was corrupted.

    Thanks again for all your help! Even DOK  ;)


  • Banned

    Fine! :-)

    Would you mind sharing your firewall ruleset for a final check here?

    Just to confirm that all issues are fixed!



  • So here's my final config.. pretty barebone.. one thing I was going to hit up Johnpoz on or post in the VM forum is my Intel NIC card (dual GbE server) seems to just be turning off or shutting down now after some heavy use. e1000 drivers. Never did this on straight 5.5 and prev PF version. I only upgraded to U2 to run 2.2.2

    And just FYI.. I bought like 5 of these years back.. been working fine on my ESXi and Windows boxes. Just now it's crapping out on PFsense.

    Thanks!

    http://www.ebay.com/itm/271581912527?_trksid=p2060353.m1438.l2649&ssPageName=STRK%3AMEBIDX%3AIT

    P.S. I just Disable hardware checksum offload to see if that helps or does anything.









  • Rebel Alliance Global Moderator

    I would of named your port groups wan and lan ;)  But maybe thats just me ;)

    I don't have any of those specific nics, I have run both vmx3 and e1000 on it my setup currently using the e1000 because of the vmx3 has issue with reporting duplex and ladvd using to send out cdp and lldp from pfsense was having my switch saying there was a duplex mismatch, etc.

    What is that port forward for?  That is an ODD ball port.. Your not using Xsan are you??



  • I'm running a custom a NVR with Blue Iris.

    As for the NIC/ESXi issue, I think maybe that card is dying out (what are the odds??) going to swap it out and see. I've been running the e1000 driver on those cheap Chinese units without issue. Also tested in passthrough as well.

    To find a deal on PCI-e Intel server cards is hard  :(


  • Rebel Alliance Global Moderator

    And why would you have that open to the public net??  Doesn't seem like a good idea to me to allow public access to video cameras in my home ;)

    Why would you not just vpn in if you wan to view the video while remote?

    42$ seems like a pretty good price to me
    http://www.amazon.com/Intel-1000-Dual-Server-Adapter/dp/B000BMZHX2



  • It's not a home, and that doesn't allow access to the cameras. It's for admin access only. The camera access are on a internal vlan that only a few have access to. no outside access.

    Thanks for the link! I ordered a few off Ebay, Both PCI and PCIe  ;)


  • Rebel Alliance Global Moderator

    work/home - I wouldn't be allowing access to NVR eitherway

    VPN to access anything of that sort..  If you don't want the public to access it "It's for admin access only" then should be through a vpn.