Unable to open port 110 or 25 (did with another port)
-
I've been running PF for years with little to no issues, and any that I had I found here or on the webs. But this one is stumping me :o so it was time to create an accnt to ask a few questions.
I did a fresh install of 2.2 on my ESXi 5.5v2 with Intel dual gig server NICs dedicated to PFsense. Everything is solid and stable.
I needed to open a specific port for my security cam DVR.. no problem.. seem to work fine. ;D
Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff. I even copied the SAME EXACT config for the DVR setup and port testers show up blocked. Actually ALL ports are pretty much blocked!
I've searched high and low on the net, is this a corrupt install possibly? I was able to unblock my DVR.. why not this?
Thanks for any help and advice!
JasonP.S. In my testing I found that on the LAN rules, I could disable the 2 (which is why they are grey) and still 55039 would pass. I was just following a guide on the web that said to set it up this way.
-
Hi!
The first LAN Firewall rule allows EACH AND EVERYTHING, so no matter what you allow/prohibit thereafter: ALL traffic is already passed, nothing (IPv4) will care for what is in your table after line 1… simple as that ;-)
-
Be specific. Start with one thing. Exactly what port do you want open from what sources to what destination.
I think I already said this but be specific. Include all details, but keep it to ONE item.
-
Thanks guys (both of you) for the info. I uncheck the "Default allow LAN to any rule " to anyrule (that really kills things… made a webspecific rule to browse and then a port 110 to check and it's still blocked!
I then reset it all (deleted my junk-only my port 55039 which works!) and pushed "Default allow LAN to any rule " to the BOTTOM.
Made a PORT 110 NAT RULE and WAN/LAN RULE by copying the 55039 setup... nothing.
common webscanners show everything is blocked.
How come I was able to unblock this 1st port but nothing there after? Should I fire up another VM and test? possible corrupted install?
-
WTH are you doing there with the LAN port forwards???
-
Fine. Don't listen. Good luck.
-
…
Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff.
...Do you have a server listening (in) on port 25 OR does your client need to speak (out) to a port 25 ?
-
@hda:
…
Now I can't seem (for the life of me) to get port 25 or 110 to open up for Outlook/pop3/smtp stuff.
...Do you have a server listening (in) on port 25 OR does your client need to speak (out) to a port 25 ?
A few Outlook clients that need to talk to POP/SMTP.
Incoming mail server pop.secureserver.net
Outgoing mail server (SMTP) smtpout.secureserver.netThese are blocked now..
DOK.. This is what installed by default, isn't this outgoing rule? LAN to WAN? pass all ports?
-
Dude. Put the default LAN rule back, delete the crap you created and be done. Dunno really what you are forwarding where when you are not hosting the mailserver.
-
The default LAN rule is in place! if I take out out my 55039 rule… then it stops being opened up??
Then what?
-
How the hell is 55039 related to the topic???
-
you said "delete the crap you created" ???
Let me spool up another fresh VM and try it… :-\
-
Maybe someone else. IMNSHO, if you cannot tell WAN from LAN and client from server, you should keep your hands miles off any firewall. The default LAN rule allows all traffic go out from LAN (such as Outlook communication with mailserver on WAN). There is absolutely zero need to open anything else, to create any portforwards on LAN or any similar nonsense.
-
…
Actually ALL ports are pretty much blocked!
...You do not need to open up WAN to send & pop email. So yes your ports from outside are blocked.
-
And BTW, you should use 587 for sending email and 995 (POP3/S) for downloading email. Not send out your credentials in plaintext. (Also, at least TCP/25 is blocked tons of ISPs.)
-
Maybe someone else. IMNSHO, if you cannot tell WAN from LAN and client from server, you should keep your hands miles off any firewall. The default LAN rule allows all traffic go out from LAN (such as Outlook communication with mailserver on WAN). There is absolutely zero need to open anything else, to create any portforwards on LAN or any similar nonsense.
Thanks! this is what I was looking for.. just an easy, simple explanation.
As for the 587/995… They don't use this...This is from GoDaddy
Next to Outgoing Server (SMTP), type 465. Click OK and click Next.
If those settings don't work,repeat steps 1-3 and select None for Use the following type of encrypted connection. Try these other ports for Outgoing server (SMTP): 80, 3535, or 25HDA, thanks for the response.. again, these are just a few client machines that need to access pop/smtp email from behind the PFsense.
I'll let you guys know in a bit!
-
agreed 25 outbound to everything other than the ISP smtp servers is blocked on many isps.. You can thank the spammers and malware/viruses that turn boxes into spam senders for that.
"Incoming mail server pop.secureserver.net
Outgoing mail server (SMTP) smtpout.secureserver.net"If you have clients behind pfsense on your lan that need to talk to those servers outside pfsense, ie the internet (wan) then you have nothing to do with port forwards or specific rules if you have the default any any rule on the lan. This allows lan clients to talk to anything on the internet, ports or protocols.
If you can not talk to those servers on 25 and or 110 then talk to your ISP.. But as stated you shouldn't be using 25 or 110 to talk to that mail server outside anyway - as dok stated you should use secure methods so your username and password is not sent in the clear across the public net. The 587 is normally allowed by isps while 25 is not.
-
Thanks! this is what I was looking for.. just an easy, simple explanation.
Again, read a few easy knowhow bytes.
You need the allow-rules row (2 & 3) in your Firewall: Rules LAN. And delete (1, 4 & 5)
Empty Firewall: Rules Floating()IF you do not appreciate initiative from global or not serve to global, then:
Empty Firewall: Rules WAN()
Empty Firewall: NAT: Port Forward() -
Thank you guys for the help! I got it working.. did exactly as you (ALL) said and everything is cool 8)
I"m used to working on Sonicwall NSA's and Fortigate's but just have this running at one site and it's been fine forever until this upgrade. I thought it was corrupted.
Thanks again for all your help! Even DOK ;)
-
Fine! :-)
Would you mind sharing your firewall ruleset for a final check here?
Just to confirm that all issues are fixed!