Firewall Blocking ports from outside world



    1. I have installed PfSense firewall
    2. Enabled NAT in Firewall
    3. I have installed Openfire chat server in Local Area Network and LAN connected to Firewall
    4. And I posted Chat server in to worldwide with example.chat.com
    5. I am using Spark client to connect Openfire chat server
    6. I am able to connect chat server using spark from local LAN
    7. What is the probelm is I am not able to connect chat server from outside
    8. I have checked ports also, when I check port connectivity every port is open for first time, from 2nd time onwards every port showing  close again after 30 mins it will showing open and again its closed.
    9. I am not able to troubleshoot the problem from past 2 months, I have tried more options but still I am not able to login from outside world.

    Can you please help me any one regarding this…

    Thanks in advance…
    Srinivas



  • Perhaps Port Forwards? https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    If you have port(s) forwarded, perhaps posting your rules might help, including what version of pfsense you are using, as its not good to assume when dealing with computer security.



  • Hi, thanks for the reply. NAT config looks to be OK as it works for other services fine.

    ive enabled logging and system logs shows traffic is passed to the target server. However when doing an online port check, first attempt, it reports as open and subsequent attempts reports as closed.

    nat rule

    WAN1 TCP/UDP * * 180.xxx.xx.xx 5222 192.168.1.13 5222 open openfire out

    –----------- version -----------------
    2.2.2-RELEASE (i386)
    built on Mon Apr 13 20:10:33 CDT 2015
    FreeBSD 10.1-RELEASE-p9

    From internal Lan, all is well.



  • What do you see if you packet capture the wan side? Capture everything in and out so you can see the first connection made to the port and then the subsequent blocks.

    Then reset & repeat exactly as above but this time packet capture lan side to effectively marry up the wan packet capture traffic to the lanside packet cpature to get an idea of what maybe happening in pfsense if its not something else is one course of action.



  • Post your NAT port forward and firewall WAN rules.  This usually comes down to you not knowing about and accounting for the full list of ports used by your service.  Verify with the software product as to which TCP/UDP ports they require for unsolicited inbound connections.



  • firewalluser- attached packet capture logs… i couldn't really read what could be wrong there

    KOM -

    NAT
    WAN1 TCP/UDP * * 180.xxx.xx.xxx 5222 192.168.1.13 5222 open openfire out

    autorule
    IPv4 TCP/UDP * * 192.168.1.13 5222 * none NAT open openfire out

    openfire says just port 5222 is enough for clients to connect from outside network through NAT. I can open other maybe required ports, however, the behavior of 5222 being open at the first hit and closes for subsequent hits from online port check is strange.

    [nat 5222 - packet capture WAN.txt](/public/imported_attachments/1/nat 5222 - packet capture WAN.txt)
    [nat 5222 - packet capture LAN.txt](/public/imported_attachments/1/nat 5222 - packet capture LAN.txt)


  • Netgate



  • Also check your firewall logs to see if anything gets dropped on WAN when you're testing.