Port forward not working



  • Greetings.  I can't figure out why my port forward is not working.  I've gone through the docs for setting up a port forward and troubleshooting port forwards but nothing seems out of place.  I am running 2.1-RELEASE (I can't upgrade to the current version but the chipset for my onboard NIC was dropped so it stops working).  I get the same results whether I try it via 4G or my network connection at work.

    Here is my port forward:
    WAN TCP * * WAN address 7999 192.168.1.170 8000
    Here is the firewall rule that was automatically generated:
    IPv4 TCP * * 192.168.1.170 8000 * none

    I see the traffic hit the WAN interface in tcpdump but it isn't being forwarded.

    If I look at the filter logs via SSH I see this when attempting to connect (I removed my IPs, y.y.y.y is my WAN IP):
    00:00:02.412946 rule 5/0(match): block in on xl0: (tos 0x20, ttl 116, id 16623, offset 0, flags [DF], proto TCP (6), length 48)
        x.x.x.x.47491 > y.y.y.y.7999: Flags S, cksum 0x9130 (correct), seq 1903154880, win 8192, options [mss 1460,nop,nop,sackOK], length 0

    I see the connection is blocked in the logs with the following reason:
    @5 block drop in log inet all label "Default deny rule IPV4"
    I've tried deleting the forward and recreating it multiple times.  Any idea what I'm doing wrong?  Can I modify this default deny rule IPV4?  I can't seem to find it anywhere.


  • Rebel Alliance Global Moderator

    Is "block in on xl0" your WAN??

    Why don't you post up your screenshots so we can actually see them vs ASCII art? This is so much harder to read.  And post all the rules you have in your forwards and your WAN..  There really should be nothing in there that needs to be hidden since it should call your WAN address via WAN address, etc..  See mine attached.

    So pfSense is on a public IP.. that IP you're obscuring is not private (RFC 1918) space??




  • Thanks for the response.  xl0 is my WAN interface and it is on a public IP address via DHCP from Comcast.

    ![WAN rules.PNG](/public/imported_attachments/1/WAN rules.PNG)
    ![Port forward.PNG](/public/imported_attachments/1/Port forward.PNG)
    ![NAT port forwrd.PNG](/public/imported_attachments/1/NAT port forwrd.PNG)
    ![Firewall rule.PNG](/public/imported_attachments/1/Firewall rule.PNG)
    ![Filter logs.PNG](/public/imported_attachments/1/Filter logs.PNG)



  • Shouldn't your firewall rule be allowing port 7999 inbound instead of 8000?


  • Rebel Alliance Global Moderator

    What doesn't make any sense is why when he shows the rules there is no dst port in it..

    So I just fired this up as a quick test… I forwarded 4000 to 22, then validated that when I check 4000 it shows open by sending traffic to my box on 22..  You'll see that the firewall rules show 22 to my 192.168.9.7 IP..

    The NAT rules are evaluated first, and then it hits the firewall rules from my understanding, so the actual dst port needs to be open.

    Looks like to me there is UDP traffic to 7999 as well.  What is the point of the redirection??  Why don't you just forward port 8000 in??  It's not like you have any other ports being allowed on 8000 so that you have to use a different port.
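The NAT-first, filter-second ordering described in the post above, as an added Python model of pf's behaviour (not pfSense's own code, and a simplification of the real rule syntax). It constructs the thread's scenario, WAN port 7999 redirected to 192.168.1.170:8000, and shows why a pass rule written for the translated destination admits the SYN while one written for the external port falls through to the default deny; the addresses and rule objects are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model: rdr (NAT) rules rewrite the destination first, then the
# filter rules see the rewritten packet. Illustration only, not pf's code.

@dataclass
class Packet:
    proto: str
    dst_addr: str
    dst_port: int

@dataclass
class RdrRule:
    proto: str
    dst_addr: str      # WAN address the forward listens on
    dst_port: int      # external port
    target_addr: str   # internal host
    target_port: int   # internal port

@dataclass
class FilterRule:
    action: str              # "pass" or "block"
    proto: str
    dst_addr: str            # "*" matches any address
    dst_port: Optional[int]  # None matches any port

def apply_rdr(pkt: Packet, rdrs: List[RdrRule]) -> Packet:
    """First matching rdr rewrites the destination address and port."""
    for r in rdrs:
        if (r.proto, r.dst_addr, r.dst_port) == (pkt.proto, pkt.dst_addr, pkt.dst_port):
            return Packet(pkt.proto, r.target_addr, r.target_port)
    return pkt

def apply_filter(pkt: Packet, rules: List[FilterRule]) -> str:
    """First matching filter rule decides; no match hits the default deny."""
    for f in rules:
        if (f.proto == pkt.proto and f.dst_addr in ("*", pkt.dst_addr)
                and f.dst_port in (None, pkt.dst_port)):
            return f.action
    return "block (default deny)"

def evaluate(pkt: Packet, rdrs: List[RdrRule], rules: List[FilterRule]) -> str:
    """NAT runs before filtering, so rules must match the translated packet."""
    return apply_filter(apply_rdr(pkt, rdrs), rules)

# Constructed scenario mirroring the thread: WAN 7999 -> 192.168.1.170:8000.
WAN = "y.y.y.y"
FORWARD = [RdrRule("tcp", WAN, 7999, "192.168.1.170", 8000)]
SYN = Packet("tcp", WAN, 7999)
RULE_OK = [FilterRule("pass", "tcp", "192.168.1.170", 8000)]   # translated dst
RULE_WRONG = [FilterRule("pass", "tcp", WAN, 7999)]            # external dst
```

Running `evaluate(SYN, FORWARD, RULE_WRONG)` reproduces the "Default deny rule IPV4" block from the original post's log, because by the time the filter runs the packet's destination is no longer y.y.y.y:7999.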