Hi,
I have set up port forwarding multiple times in the past and it has always
worked. But I now have a machine that fails to forward a port. No clue why.
Maybe I'm missing the obvious here.
My network:
Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)
For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
used IPs instead of aliases.
1) The port forward from the WAN to 10.0.30.21 is set up.
https://i.imgur.com/V8vlN1Z.png
2) A corresponding WAN rule is created as well:
https://i.imgur.com/N7ulwha.png
On another machine this already is enough to get it working. But not on this
one. Nmap shows “filtered”.
3) Confirming the port 8000 is actually open on 10.0.30.21:
https://i.imgur.com/KcaSP6T.png
Yes, it is.
4) Now testing from the external IP:
https://i.imgur.com/QnWQuIO.png
Nope!
Again using an external service:
https://i.imgur.com/v4KaivE.png
No, James!
5) States:
https://i.imgur.com/Rf1kjbf.png
6) Packet capture:
https://i.imgur.com/xT3qFXW.png
I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
> Common Problems
>
> 1. NAT and firewall rules not correctly added (see How can I forward ports
> with pfSense?)
I guess it's all correct, works on another machine.
> Hint: Do NOT set a source port
not set
> 2. Firewall enabled on client machine
nope
> 3. Client machine is not using pfSense as its default gateway
pfSense is the default gateway
> 4. Client machine not actually listening on the port being forwarded
It is, see
https://i.imgur.com/KcaSP6T.png
> 5. ISP or something upstream of pfSense is blocking the port being forwarded
I guess the states table and packet capture should be empty if that's the
case, right?
> 6. Trying to test from inside the local network, need to test from an outside
> machine
Tested both, see
https://i.imgur.com/QnWQuIO.png
https://i.imgur.com/v4KaivE.png
> 7. Incorrect or missing Virtual IP configuration for additional public IP
> addresses
No clue, haven't configured anything virtual.
> 8. The pfSense router is not the border router. If there is something else
> between pfSense and the ISP, the port forwards and associated rules must be
> replicated there.
True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
is configured to forward everything to the pfSense box, though.
> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be
> added both to and from the server's IP in order for a port forward to work
> behind a Captive Portal.
nope
> 10. If this is on a WAN that is not the default gateway, make sure there is a
> gateway chosen on this WAN interface, or the firewall rules for the port
> forward would not reply back via the correct gateway.
WAN is default gateway
> 11. If this is on a WAN that is not the default gateway, ensure the traffic
> for the port forward is NOT passed in via Floating Rules or an Interface
> Group. Only rules present on the WAN's interface tab under Firewall Rules
> will have the reply-to keyword to ensure the traffic responds properly via
> the expected gateway.
didn't configure floating rules
> 12. If this is on a WAN that is not the default gateway, make sure the
> firewall rule(s) allowing the traffic in do not have the box checked to
> disable reply-to.
not the case
> 13. If this is on a WAN that is not the default gateway, make sure the master
> reply-to disable switch is not checked under System > Advanced, on the
> Firewall/NAT tab.
not the case
> 14. WAN rules should NOT have a gateway set, so make sure that the rules for
> the port forward do NOT have a gateway configured on the actual rule.
see
https://i.imgur.com/N7ulwha.png
> 15. If the traffic appears to be forwarding in to an unexpected device, it
> may be happening due to UPnP. Check Status > UPnP to see if an internal
> service has configured a port forward unexpectedly. If so, disable UPnP on
> either that device or on the firewall.
UPnP is not used
I guess I'm missing the obvious here, since port forwards are rather
straightforward in pfSense and have never given me troubles in the past. A
nudge in the right direction is appreciated.
Marco
_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
