Port Forwarding simple question



  • Hi.

    I hate being a moron, I really do but I have not been able to set up a simple port forwarding. For all intents an purposes my router is 'stock'. All I want to do is forward a port to direct to my server. For the life of me I cannot get it to work.

    I have created a port forward rule in NAT, with my server addy being destination. clicked save but according to a port checker on line its stealth. I don;t know what to do next, I just want one port opened.

    Cheers


  • Rebel Alliance


  • LAYER 8 Global Moderator

    is your pfsense behind a nat, ie is it wan 10.x.x.x, 192.168.x.x or 172.16-31.x.x (rfc1918) if so then the traffic you want to forward is most likely never getting to pfsense to forward.  You have to forward the port(s) on the device in front of pfsense.

    This is a common issue - gone over in the troubleshooting doc listed.

    Another real common mistake is the traffic is being forwarded, but the server firewall is blocking the traffic with its software firewall.



  • I'll take a look at the troubleshooting guide in depth later, if its anything like the instructions for setting up a port forward I will probably be in trouble.

    I have half an understanding. My wan IP is dynamic so I have a dyns set up which I know works. The domain name I have web forwarded to that address with the port I need at the end, in the past this worked just fine with an asus router.

    The server firewall is set to allow the port connection and the iis server is expecting that port for the website I want it for.

    So its just a case of getting my head around port forwarding on the pfsense. Its somewhat more complicated than consumer router software.


  • LAYER 8 Global Moderator

    "Its somewhat more complicated than consumer router software."

    Hows is that? You fill out your port and IP on a gui = DONE!!  How is that any different or harder or more complicated in any way than your soho router??

    New port forward
    pick port from dropdown, or put in the port
    put in IP of machine to forward too
    pick port to send to machine - normally always going to be the same as the first drop down

    Takes all of 10 seconds at most..

    clickity clickity port open…  How is that really any different than say linksys.. In that example doesn't let you pick sending different port..  Just because it takes options away from the user doesn't make it easier..

    In your typical forward in pfsense all that is required is the port port and IP.. leave everything else at default..








  • Hi I notice in your first image that you can edit destination port ranges, on mine if I select http in the pop up box (or MS RDP which is another I am trying to fix) I am not able to enter the port in the box to to the side which is coloured dark red.


  • LAYER 8 Netgate

    Yeah. When you select HTTP you are selecting port 80. If you want to select at arbitrary port number select other and the option to enter an arbitrary port number will appear.


  • LAYER 8 Global Moderator

    So you want to forward remote desktop?  3389, or you changed your port number?

    To be honest really bad idea to open that to the public net.. be it you try and hide the port or not by changing it from default.  If you want/need to remote to desktops in your network, much more secure to vpn in and then access whatever services you need.



  • Hi John.

    Yes I understand that. I do have VPN enabled but really struggle with it on OpenVPN. I think I will just install tonido or something similar.

    As it goes I am not trying to open remote desktop port. I am trying to open another port, fact for me is when I select another port and save the changes, port scanners such as from gibson show it as stealth. so really i don't know what else to do.

    It does not work.


  • LAYER 8 Netgate

    What, precisely, are you trying to do?

    A description such as "connections to WAN address on TCP 6969 should be forwarded to internal host 192.168.1.100 port TCP 9696"



  • Hi.

    ON my main server I have IIS set up. I have have a couple of websites. At one point I had four. The way I dealt with this was to port forward from my various domain names to ports on the server. So for the sake of argument website one was on port 7777. On the main server the IIS was set up that the website was accessed on 7777. On that sever I opened the firewall to allow 7777.

    On the router I then goto nat. In there I create a new rule. The rule is set to allow incoming connections on 7777 (as set on port forward on my domain) to goto the server 192.168.0.4:7777

    PFSense says that is set. Port checker says its stealth and I cannot access the website from the domain.

    I can obviously connect to it on Lan on that port.

    I am not sure what else to do.


  • LAYER 8 Netgate

    Have you gone over EVERYTHING on the list here?

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    (Hint - it's almost ALWAYS something on that list. People just skip checking things because they sound like they couldn't be it but it is. REALLY check everything on that list. If you've already checked it, check it again.)

    Time for some screen shots of your port forward settings and WAN rules.



  • Hello all.

    I am still struggling with this. It seems straight forward but its not working for me, everything I do results in a 'stealth' from port checkers and nothing gets through,

    SO I have set up a test. here is what I put in NAT portforward:

    And this auto shows in rules:

    IS there something else I should be doing, I just want certain ports open and incoming from the web on those ports directed to a certain IP on my network, for the life of me it won't work.


  • LAYER 8 Netgate

    That all looks right. Check the local "software" firewall on 192.168.0.97. Check items 2, 3, 4 on 192.168.0.97.



  • Hi Derilict.

    According to a couple of online port checkers, that port is stealth, so I don't believe its anything to do with the server I am pointing too, besides the firewall on that is set to allow on that port.


  • LAYER 8 Netgate

    Well your port forward is correct so it's something else. Not sure what to tell you.

    Sniff on WAN for the traffic coming in on WAN address:60671 then sniff on LAN for traffic to 192.168.0.97:60671.

    If you don't see the traffic on WAN, something (your ISP) is blocking it. If you don't see the traffic on LAN, your port forward/rules are wrong. If you see the traffic out LAN and no reply, it's something on the server.

    Diagnostics > Packet Capture



  • I'll try. not great at this stuff!

    I checked in 'show states' there is no evidence of that port being used and I tried the port checker using my phone on 4G.

    I might take this opportunity to install a smaller PC I have and start again, I really think something has gone pear shaped.

    For instance when I first set up PFsense 'back to mac' a mac only sort of VPN thing worked great, without changing anything that no longer works and also I gave up entirely on OpenVPN it worked for a little while, but no longer.

    I need to sort it, my son wants his minecraft server to share with his mates.


Log in to reply