Netgate Discussion Forum

    Port Forwarding simple question

    General pfSense Questions
    17 Posts 4 Posters 4.1k Views
    johnpoz (LAYER 8, Global Moderator):

    Is your pfSense behind a NAT, i.e. is its WAN 10.x.x.x, 192.168.x.x or 172.16-31.x.x (RFC 1918)? If so, then the traffic you want to forward is most likely never getting to pfSense to forward. You have to forward the port(s) on the device in front of pfSense.

    This is a common issue - gone over in the troubleshooting doc listed.

    Another real common mistake is the traffic is being forwarded, but the server firewall is blocking the traffic with its software firewall.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.8, 24.11
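    Added example (mine, not from the thread or from Netgate): a small POSIX sh check for the first question in the post above. It classifies the address on the WAN interface as RFC 1918 private, as RFC 6598 carrier-grade NAT (100.64.0.0/10, which the post does not list but which gives exactly the same symptom, since the ISP's NAT box sits in front of pfSense), or as public. The interface name em0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a WAN address is one
# that can never receive an inbound port forward directly. Covers the RFC 1918
# ranges the post lists and, as an addition beyond the post, RFC 6598 CGNAT
# (100.64.0.0/10), which produces the same symptom. Pure POSIX sh, no tools.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; fails on bad input
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NETWORK PREFIXLEN -> true if ADDR lies inside NETWORK/PREFIXLEN
in_cidr() {
    a=$(ip_to_int "$1") || return 1
    n=$(ip_to_int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# wan_address_class ADDR -> prints rfc1918 | cgnat | loopback | public | invalid
wan_address_class() {
    ip_to_int "$1" >/dev/null 2>&1 || { echo invalid; return 1; }
    if in_cidr "$1" 10.0.0.0 8 || in_cidr "$1" 172.16.0.0 12 \
        || in_cidr "$1" 192.168.0.0 16; then
        echo rfc1918
    elif in_cidr "$1" 100.64.0.0 10; then
        echo cgnat
    elif in_cidr "$1" 127.0.0.0 8; then
        echo loopback
    else
        echo public
    fi
}

# Demo on constructed addresses. On the firewall itself feed it the WAN
# interface's address (em0 is an assumed interface name):
#   wan_address_class "$(ifconfig em0 | awk '/inet /{print $2}')"
# Anything but "public" means the forward has to be made on the upstream
# device first (or the ISP has to hand out a public address).
for addr in 203.0.113.5 192.168.1.2 172.31.255.1 172.32.0.1 100.72.3.9; do
    printf '%-16s %s\n' "$addr" "$(wan_address_class "$addr")"
done
```

    Note the 172.16/12 boundary: 172.31.255.1 is private, 172.32.0.1 is not, which is the sort of thing that is easy to misjudge by eye.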
    garethsnaim:

    I'll take a look at the troubleshooting guide in depth later; if it's anything like the instructions for setting up a port forward I will probably be in trouble.

    I have half an understanding. My WAN IP is dynamic, so I have a DynDNS set up which I know works. The domain name I have web-forwarded to that address with the port I need at the end; in the past this worked just fine with an Asus router.

    The server firewall is set to allow the port connection and the IIS server is expecting that port for the website I want it for.

    So it's just a case of getting my head around port forwarding on the pfSense. It's somewhat more complicated than consumer router software.
    johnpoz (LAYER 8, Global Moderator):

    "It's somewhat more complicated than consumer router software."

    How is that? You fill out your port and IP on a GUI = DONE!! How is that any different or harder or more complicated in any way than your SOHO router??

    New port forward:
    pick port from dropdown, or put in the port
    put in IP of machine to forward to
    pick port to send to machine - normally always going to be the same as the first dropdown

    Takes all of 10 seconds at most..

    Clickity clickity, port open… How is that really any different than, say, Linksys? In that example it doesn't let you pick a different sending port.. Just because it takes options away from the user doesn't make it easier..

    In your typical forward in pfSense all that is required is the port and IP.. leave everything else at default..

    [Attachments: portforwardpfsense.png, portopen.png, linksportforward.png]
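    Added example (mine, not from the thread or from pfSense): the GUI form described above produces two things in the running pf ruleset, an rdr (NAT) rule and the associated pass rule on WAN, and a forward only works when both exist and the pass rule names the internal host (pf translates the destination before it filters, so a pass rule written against the WAN address matches nothing). The script checks both against text saved from `pfctl -sn` and `pfctl -sr`. The ruleset lines embedded in it are constructed samples shaped like that output; the addresses, the interface em0 and the Minecraft port 25565 are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify from the running pf ruleset that
# a GUI-entered TCP port forward produced both halves pfSense needs: the rdr
# (NAT) rule and the associated "pass" filter rule on WAN. The sample ruleset
# is constructed to look like `pfctl -sn` / `pfctl -sr` output; on a real box
# capture them with:  pfctl -sn > nat.txt; pfctl -sr > rules.txt
# Addresses (203.0.113.5 WAN, 192.168.0.x hosts) and em0 are assumptions.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
NAT_SAMPLE=$tmp/nat.txt
RULE_SAMPLE=$tmp/rules.txt

cat > "$NAT_SAMPLE" <<'EOF'
nat on em0 inet from 192.168.0.0/24 to any -> 203.0.113.5 port 1024:65535
rdr on em0 inet proto tcp from any to 203.0.113.5 port = 7777 -> 192.168.0.4 port 7777
rdr on em0 inet proto tcp from any to 203.0.113.5 port = 60671 -> 192.168.0.97 port 60671
rdr on em0 inet proto tcp from any to 203.0.113.5 port = 25565 -> 192.168.0.50 port 25565
EOF

# 7777: correct associated rule. 60671: hand-written rule aimed at the WAN
# address (wrong). 25565: NAT rule saved with "Filter rule association: None",
# so no pass rule at all.
cat > "$RULE_SAMPLE" <<'EOF'
block drop in log all label "Default deny rule IPv4"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 192.168.0.4 port = 7777 flags S/SA keep state label "USER_RULE: NAT website one"
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp from any to 203.0.113.5 port = 60671 flags S/SA keep state label "USER_RULE: hand-made, wrong destination"
EOF

# check_forward PORT HOST NATFILE RULEFILE -> prints one of
#   ok | missing-rdr | pass-targets-wrong-host | missing-pass
# Assumes the same port inside and out, as in the thread. pf applies rdr
# before filtering, so the WAN pass rule must name the *internal* host.
check_forward() {
    port=$1; natfile=$3; rulefile=$4
    host=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    if ! grep -Eq "^rdr on .* proto tcp .* port = $port -> $host port $port\$" "$natfile"; then
        echo missing-rdr; return 1
    fi
    if grep -Eq "^pass in .* proto tcp from any to $host port = $port " "$rulefile"; then
        echo ok; return 0
    fi
    if grep -Eq "^pass in .* proto tcp from any to [0-9.]+ port = $port " "$rulefile"; then
        echo pass-targets-wrong-host; return 1
    fi
    echo missing-pass; return 1
}

# Demo: the two forwards from the thread, the Minecraft port, and a port that
# was never forwarded at all. printf keeps the demo's exit status clean.
for spec in 7777:192.168.0.4 60671:192.168.0.97 25565:192.168.0.50 8080:192.168.0.4; do
    p=${spec%%:*}; h=${spec#*:}
    printf '%-6s %-14s %s\n' "$p" "$h" "$(check_forward "$p" "$h" "$NAT_SAMPLE" "$RULE_SAMPLE")"
done
```

    If the result is "ok" and the port still shows as stealth from outside, the ruleset is not the problem and the next step is a packet capture on WAN and LAN.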
    garethsnaim:

    Hi, I notice in your first image that you can edit destination port ranges; on mine, if I select HTTP in the pop-up box (or MS RDP, which is another I am trying to fix) I am not able to enter the port in the box to the side which is coloured dark red.
    Derelict (LAYER 8, Netgate):

    Yeah. When you select HTTP you are selecting port 80. If you want to select an arbitrary port number, select Other and the option to enter an arbitrary port number will appear.

    Chattanooga, Tennessee, USA
    A comprehensive network diagram is worth 10,000 words and 15 conference calls.
    DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
    Do Not Chat For Help! NO_WAN_EGRESS(TM)
    johnpoz (LAYER 8, Global Moderator):

    So you want to forward Remote Desktop? 3389, or did you change your port number?

    To be honest, it's a really bad idea to open that to the public net, whether you try to hide the port or not by changing it from the default. If you want/need to remote to desktops in your network, it's much more secure to VPN in and then access whatever services you need.
    garethsnaim:

    Hi John.

    Yes, I understand that. I do have VPN enabled but really struggle with it on OpenVPN. I think I will just install Tonido or something similar.

    As it goes, I am not trying to open the Remote Desktop port. I am trying to open another port; the fact for me is, when I select another port and save the changes, port scanners such as Gibson's show it as stealth. So really I don't know what else to do.

    It does not work.
    Derelict (LAYER 8, Netgate):

    What, precisely, are you trying to do?

    A description such as "connections to WAN address on TCP 6969 should be forwarded to internal host 192.168.1.100 port TCP 9696".
    garethsnaim:

    Hi.

    On my main server I have IIS set up. I have a couple of websites. At one point I had four. The way I dealt with this was to port forward from my various domain names to ports on the server. So, for the sake of argument, website one was on port 7777. On the main server the IIS was set up so that the website was accessed on 7777. On that server I opened the firewall to allow 7777.

    On the router I then go to NAT. In there I create a new rule. The rule is set to allow incoming connections on 7777 (as set on port forward on my domain) to go to the server 192.168.0.4:7777.

    pfSense says that is set. Port checker says it's stealth and I cannot access the website from the domain.

    I can obviously connect to it on LAN on that port.

    I am not sure what else to do.
    Derelict (LAYER 8, Netgate):

    Have you gone over EVERYTHING on the list here?

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    (Hint - it's almost ALWAYS something on that list. People just skip checking things because they sound like they couldn't be it, but it is. REALLY check everything on that list. If you've already checked it, check it again.)

    Time for some screenshots of your port forward settings and WAN rules.
    garethsnaim:

    Hello all.

    I am still struggling with this. It seems straightforward but it's not working for me; everything I do results in a 'stealth' from port checkers and nothing gets through.

    So I have set up a test. Here is what I put in NAT port forward:

    And this auto shows in rules:

    Is there something else I should be doing? I just want certain ports open and incoming from the web on those ports directed to a certain IP on my network; for the life of me it won't work.
    Derelict (LAYER 8, Netgate):

    That all looks right. Check the local "software" firewall on 192.168.0.97. Check items 2, 3, 4 on 192.168.0.97.
    garethsnaim:

    Hi Derelict.

    According to a couple of online port checkers, that port is stealth, so I don't believe it's anything to do with the server I am pointing to; besides, the firewall on that is set to allow on that port.
    Derelict (LAYER 8, Netgate):

    Well, your port forward is correct, so it's something else. Not sure what to tell you.

    Sniff on WAN for the traffic coming in on WAN address:60671, then sniff on LAN for traffic to 192.168.0.97:60671.

    If you don't see the traffic on WAN, something (your ISP) is blocking it. If you don't see the traffic on LAN, your port forward/rules are wrong. If you see the traffic out LAN and no reply, it's something on the server.

    Diagnostics > Packet Capture
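    Added example (mine, not from the thread or from Netgate): the three-way decision in the post above, applied to the two saved captures. The tcpdump-style lines are constructed samples in the format Diagnostics > Packet Capture (or `tcpdump -ni em0 tcp port 60671` on the console) prints; the addresses 203.0.113.5 (WAN), 198.51.100.7 (the outside tester) and 192.168.0.97 are assumptions. It goes one step beyond the post by separating a host that answers with RST (packet delivered, nothing listening on that port) from a host that does not answer at all (host firewall dropping the SYN, or a default gateway that is not pfSense).

```shell
#!/bin/sh
# Added example (not from the thread): turn the WAN and LAN captures into a
# verdict. Input is tcpdump-style text; the lines below are constructed.
# 203.0.113.5 (WAN), 198.51.100.7 (tester) and 192.168.0.97 are assumed.

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

SYN_WAN='12:00:01.000001 IP 198.51.100.7.51234 > 203.0.113.5.60671: Flags [S], seq 1, win 64240, length 0'
SYN_LAN='12:00:01.000123 IP 198.51.100.7.51234 > 192.168.0.97.60671: Flags [S], seq 1, win 64240, length 0'
SYNACK_LAN='12:00:01.000456 IP 192.168.0.97.60671 > 198.51.100.7.51234: Flags [S.], seq 9, ack 2, win 65535, length 0'
RST_LAN='12:00:01.000456 IP 192.168.0.97.60671 > 198.51.100.7.51234: Flags [R.], seq 0, ack 2, win 0, length 0'

WAN_EMPTY=$tmp/wan_empty;   : > "$WAN_EMPTY"
WAN_SYN=$tmp/wan_syn;       printf '%s\n' "$SYN_WAN" > "$WAN_SYN"
LAN_EMPTY=$tmp/lan_empty;   : > "$LAN_EMPTY"
LAN_SILENT=$tmp/lan_silent; printf '%s\n' "$SYN_LAN" > "$LAN_SILENT"
LAN_RST=$tmp/lan_rst;       printf '%s\n' "$SYN_LAN" "$RST_LAN" > "$LAN_RST"
LAN_OK=$tmp/lan_ok;         printf '%s\n' "$SYN_LAN" "$SYNACK_LAN" > "$LAN_OK"

# triage_capture PORT HOST WANFILE LANFILE -> prints one of
#   blocked-upstream | not-forwarded | port-closed-on-host | host-not-answering | ok
triage_capture() {
    port=$1; wanfile=$3; lanfile=$4
    host=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for grep -E
    # 1. No SYN to the port on WAN: ISP, upstream NAT/CGNAT, or the tester never sent it.
    if ! grep -Eq "> [0-9.]+\.$port: Flags \[S\]" "$wanfile"; then
        echo blocked-upstream; return 1
    fi
    # 2. SYN on WAN but never re-addressed to HOST on LAN: rdr/pass rules on pfSense.
    if ! grep -Eq "> $host\.$port: Flags \[S\]" "$lanfile"; then
        echo not-forwarded; return 1
    fi
    # 3. Host answered SYN/ACK: the forward works end to end.
    if grep -Eq " IP $host\.$port > .* Flags \[S\.\]" "$lanfile"; then
        echo ok; return 0
    fi
    # 4. Host answered RST: the packet arrived, nothing is listening on that port.
    if grep -Eq " IP $host\.$port > .* Flags \[R\.\]" "$lanfile"; then
        echo port-closed-on-host; return 1
    fi
    # 5. Silence: host firewall dropping it, or the host's default gateway is not pfSense.
    echo host-not-answering; return 1
}

# show LABEL WANFILE LANFILE -> one demo line per scenario (printf keeps exit status clean)
show() {
    printf '%-22s %s\n' "$1" "$(triage_capture 60671 192.168.0.97 "$2" "$3")"
}
show "nothing on WAN"   "$WAN_EMPTY" "$LAN_EMPTY"
show "WAN only"         "$WAN_SYN"   "$LAN_EMPTY"
show "LAN, no reply"    "$WAN_SYN"   "$LAN_SILENT"
show "LAN, RST reply"   "$WAN_SYN"   "$LAN_RST"
show "LAN, SYN/ACK"     "$WAN_SYN"   "$LAN_OK"
```

    Run the outside test from a different network (a phone on 4G, as mentioned later in the thread) while both captures are recording; a test from inside the LAN never crosses WAN and tells you nothing about the forward.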
    garethsnaim:

    I'll try. Not great at this stuff!

    I checked in 'show states'; there is no evidence of that port being used, and I tried the port checker using my phone on 4G.

    I might take this opportunity to install a smaller PC I have and start again. I really think something has gone pear-shaped.

    For instance, when I first set up pfSense, 'Back to My Mac', a Mac-only sort of VPN thing, worked great; without changing anything, that no longer works, and I also gave up entirely on OpenVPN: it worked for a little while, but no longer.

    I need to sort it; my son wants his Minecraft server to share with his mates.
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.