Port forwarding not working (2.2.3)
-
Hi,
I have a DVR behind the Pfsense box and I can view the camera on web browsers or its app on LAN without any problems. However when i try to access the DVR from WAN, I could not reach it. I have 2 NAT rules attached.
Can anyone please have a look and see what's wrong here ? thanks -
The screenshots
-
You might try turning on logging for the redirect rule and see if pfSense even sees the attempt on Port 80.
Some ISP's block incoming port 80 traffic. You may have to redirect from some other external port # to port 80 internally.Are you sure you're redirecting ALL the ports for your DVR?
What make/model of DVR are you using?How is your pfSense box connected to the internet, through a modem or through another modem/router?
If the latter, you have double NAT to worry about. -
It is quite possible your isp blocks inbound to 80..
Dude you hid your wan rule that allows access to pfsense, but you you have the dyndns name and port right in the first screenshot ;) Why do you have pfsense open to the public net?? Not a good idea, better to vpn in or ssh with public key auth and then tunnel to your web gui, etc..
Does whatever your forwarding too even have gateway setup? Does it have a firewall?
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
thanks for the replies.
i have tried custom port like 3456 .. same thing, doesnt work !
pfsense connect directly to internet on WAN port ..
about securities issues, i won't care much about it. The pfsense box connect to internet and provide captive portal internet access for a small cafe shop!
no file server or data whatsoever behind the Sense box so if anyone bother to hack it, i would not bother anyway as there is nothing for them!
the DVR is Questek . -
If you turn on logging, can you see the attempts reaching the pfSense box?
-
i had a look in Status: System logs: Firewall and did not see the IP i use to connect to the Sense box. should it be in there by default ? or do i need to turn on a setting first ? thanks
-
If you look at the NAT rule's "Filter rule association" on the absolutely horrible screenshots, well… that certainly does not match the WAN rule. What are you doing there with the "Pass" thing? Delete the NAT rule, delete the WAN rule. Recreate the NAT rule, leave that thing at default. Which is Add associated filter rule. There's exactly zero need to mess with the default value for like 99% of cases.
If that does not work, produce some packet captures and see whether the traffic is reaching the FW at all.
-
If you look at the NAT rule's "Filter rule association" on the absolutely horrible screenshots, well… that certainly does not match the WAN rule. What are you doing there with the "Pass" thing? Delete the NAT rule, delete the WAN rule. Recreate the NAT rule, leave that thing at default. Which is Add associated filter rule. There's exactly zero need to mess with the default value for like 99% of cases.
If that does not work, produce some packet captures and see whether the traffic is reaching the FW at all.
thank you for clearing some stuff for me.. i redid it just like what you said, but still cannot reach the DVR from WAN. My ISP confirm not blocking any ports.
-
Whats your public IP and do you block private networks on WAN??
-
As noted above - Diagnostics - Packet Capture.
-
Whats your public IP and do you block private networks on WAN??
no i dont block private networks
 -
As noted above - Diagnostics - Packet Capture.
here is the Packet Cap:
17:08:10.564104 IP 118.69.32.168.56244 > 1.54.108.71.80: tcp 0
17:08:11.561775 IP 118.69.32.168.56244 > 1.54.108.71.80: tcp 0
17:08:13.566616 IP 118.69.32.168.56244 > 1.54.108.71.80: tcp 0 -
does anyone have any idea why this ís not working ?? :-\
-
Looks like your pfSense box is passing the traffic just fine.
What do you have between your box and the camera DVR?
-
So you know the traffic is making it to WAN. Now turn on logging on the WAN firewall rule (The one NAT auto-created) and see what that shows in the firewall log.
And one more time for good measure:
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
nothing between the Sense box and PVR
I can access the DVR from LAN no problems ! -
"I can access the DVR from LAN no problems !"
And does your DVR know how to get off the LAN, does it have a gateway set.. Network devices can talk on their own network without any need for a gateway. But when your coming from an internet IP with a port forward, they have to know how to get off their network - ie a gateway (pfsense lan IP)
-
"I can access the DVR from LAN no problems !"
And does your DVR know how to get off the LAN, does it have a gateway set.. Network devices can talk on their own network without any need for a gateway. But when your coming from an internet IP with a port forward, they have to know how to get off their network - ie a gateway (pfsense lan IP)
yes, i have assigned the DVR a static IP address togather with a gateway address (which is the Sense LAN IP)
-
well if pfsense is sending on the traffic? as you see in a lan sniff are you seeing the answer?
These issues are really 10 seconds to troubleshoot – basic 101 networking.. Is the traffic seen on wan? Does it get sent out the lan to the correct IP.. Do you see a response?
I can assure there is no issues with port forwarding in 2.2.3 nor 2.2.4 -- nor do I recall any issues with port forwarding going back to the first version of pfsense I used like 1.2.3
issues with port forwarding are not setup correctly, traffic never gets to pfsense to forward. Device doesn't answer or has firewall.
the required steps to troubleshoot are clearly laidout in the troubleshooting port forwards doc linked too.
You saw traffic on your wan, but I don't see sniff on pfsense lan showing that traffic sent or not. Please post your port forward rules and your wan firewall rules.
And tell us what IP your trying to send too, etc.