Just to double check the config, so the pfSense router is set as the DMZ of the ISP router? Have you tried deleting the rule and re-adding?
-- Steve Yates ITS, Inc. -----Original Message----- From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco Sent: Sunday, February 11, 2018 1:13 PM To: email@example.com Subject: [pfSense] Port forwards don't work on one machine Hi, I have set up port forwarding multiple times in the past and it has always worked. But I now have a machine that fails to forward a port. No clue why. Maybe I'm missing the obvious here. My network: Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1) For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG, used IPs instead of aliases. 1) The port forward from the WAN to 10.0.30.21 is set up. https://i.imgur.com/V8vlN1Z.png 2) A corresponding WAN rule is created as well: https://i.imgur.com/N7ulwha.png On another machine this already is enough to get it working. But not on this one. Nmap shows “filtered”. 3) Confirming the port 8000 is actually open on 10.0.30.21: https://i.imgur.com/KcaSP6T.png Yes, it is. 4) Now testing from the external IP: https://i.imgur.com/QnWQuIO.png Nope! Again using an external service: https://i.imgur.com/v4KaivE.png No, James! 5) States: https://i.imgur.com/Rf1kjbf.png 6) Packet capture: https://i.imgur.com/xT3qFXW.png I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting > Common Problems > > 1. NAT and firewall rules not correctly added (see How can I forward ports > with pfSense?) I guess it's all correct, works on another machine. > Hint: Do NOT set a source port not set > 2. Firewall enabled on client machine nope > 3. Client machine is not using pfSense as its default gateway pfSense is the default gateway > 4. Client machine not actually listening on the port being forwarded It is, see https://i.imgur.com/KcaSP6T.png > 5. ISP or something upstream of pfSense is blocking the port being forwarded I guess the states table and packet capture should be empty if that's the case, right? > 6. Trying to test from inside the local network, need to test from an outside > machine Tested both, see https://i.imgur.com/QnWQuIO.png https://i.imgur.com/v4KaivE.png > 7. Incorrect or missing Virtual IP configuration for additional public IP > addresses No clue, haven't configured anything virtual. > 8. The pfSense router is not the border router. If there is something else > between pfSense and the ISP, the port forwards and associated rules must be > replicated there. True, pfSense is not the border router, ISP provided “NAT gateway” is. Device is configured to forward everything to the pfSense box, though. > 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be > added both to and from the server's IP in order for a port forward to work > behind a Captive Portal. nope > 10. If this is on a WAN that is not the default gateway, make sure there is a > gateway chosen on this WAN interface, or the firewall rules for the port > forward would not reply back via the correct gateway. WAN is default gateway > 11. If this is on a WAN that is not the default gateway, ensure the traffic > for the port forward is NOT passed in via Floating Rules or an Interface > Group. Only rules present on the WAN's interface tab under Firewall Rules > will have the reply-to keyword to ensure the traffic responds properly via > the expected gateway. didn't configure floating rules > 12. If this is on a WAN that is not the default gateway, make sure the > firewall rule(s) allowing the traffic in do not have the box checked to > disable reply-to. not the case > 13. If this is on a WAN that is not the default gateway, make sure the master > reply-to disable switch is not checked under System > Advanced, on the > Firewall/NAT tab. not the case > 14. WAN rules should NOT have a gateway set, so make sure that the rules for > the port forward do NOT have a gateway configured on the actual rule. see https://i.imgur.com/N7ulwha.png > 15. If the traffic appears to be forwarding in to an unexpected device, it > may be happening due to UPnP. Check Status > UPnP to see if an internal > service has configured a port forward unexpectedly. If so, disable UPnP on > either that device or on the firewall. UPnP is not used I guess I'm missing the obvious here, since port forwards are rather straightforward in pfSense and have never given me troubles in the past. A nudge in the right direction is appreciated. Marco _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold _______________________________________________ pfSense mailing list https://lists.pfsense.org/mailman/listinfo/list Support the project with Gold! https://pfsense.org/gold