It is most likely the ISP device.
On Sun, Feb 11, 2018 at 2:12 PM, Marco <li...@homerow.info> wrote:
> Hi,
>
> I have set up port forwarding multiple times in the past and it has always
> worked. But I now have a machine that fails to forward a port. No clue why.
> Maybe I'm missing the obvious here.
>
> My network:
>
> Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)
>
> For debugging purposes I simplified the setup, turned off IDS, pfBlockerNG,
> used IPs instead of aliases.
>
> 1) The port forward from the WAN to 10.0.30.21 is set up.
>
> https://i.imgur.com/V8vlN1Z.png
>
> 2) A corresponding WAN rule is created as well:
>
> https://i.imgur.com/N7ulwha.png
>
> On another machine this already is enough to get it working. But not on this
> one. Nmap shows “filtered”.
>
> 3) Confirming the port 8000 is actually open on 10.0.30.21:
>
> https://i.imgur.com/KcaSP6T.png
>
> Yes, it is.
>
> 4) Now testing from the external IP:
>
> https://i.imgur.com/QnWQuIO.png
>
> Nope!
>
> Again using an external service:
>
> https://i.imgur.com/v4KaivE.png
>
> No, James!
>
> 5) States:
>
> https://i.imgur.com/Rf1kjbf.png
>
> 6) Packet capture:
>
> https://i.imgur.com/xT3qFXW.png
>
>
> I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
>
>> Common Problems
>>
>> 1. NAT and firewall rules not correctly added (see How can I forward ports
>> with pfSense?)
>
> I guess it's all correct, works on another machine.
>
>> Hint: Do NOT set a source port
>
> not set
>
>> 2. Firewall enabled on client machine
>
> nope
>
>> 3. Client machine is not using pfSense as its default gateway
>
> pfSense is the default gateway
>
>> 4. Client machine not actually listening on the port being forwarded
>
> It is, see
>
> https://i.imgur.com/KcaSP6T.png
>
>> 5. ISP or something upstream of pfSense is blocking the port being forwarded
>
> I guess the states table and packet capture should be empty if that's the
> case, right?
>
>> 6. Trying to test from inside the local network, need to test from an
>> outside machine
>
> Tested both, see
>
> https://i.imgur.com/QnWQuIO.png
> https://i.imgur.com/v4KaivE.png
>
>> 7. Incorrect or missing Virtual IP configuration for additional public IP
>> addresses
>
> No clue, haven't configured anything virtual.
>
>> 8. The pfSense router is not the border router. If there is something else
>> between pfSense and the ISP, the port forwards and associated rules must be
>> replicated there.
>
> True, pfSense is not the border router, ISP provided “NAT gateway” is. Device
> is configured to forward everything to the pfSense box, though.
>
>> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must
>> be added both to and from the server's IP in order for a port forward to
>> work behind a Captive Portal.
>
> nope
>
>> 10. If this is on a WAN that is not the default gateway, make sure there is
>> a gateway chosen on this WAN interface, or the firewall rules for the port
>> forward would not reply back via the correct gateway.
>
> WAN is default gateway
>
>> 11. If this is on a WAN that is not the default gateway, ensure the traffic
>> for the port forward is NOT passed in via Floating Rules or an Interface
>> Group. Only rules present on the WAN's interface tab under Firewall Rules
>> will have the reply-to keyword to ensure the traffic responds properly via
>> the expected gateway.
>
> didn't configure floating rules
>
>> 12. If this is on a WAN that is not the default gateway, make sure the
>> firewall rule(s) allowing the traffic in do not have the box checked to
>> disable reply-to.
>
> not the case
>
>> 13. If this is on a WAN that is not the default gateway, make sure the
>> master reply-to disable switch is not checked under System > Advanced, on
>> the Firewall/NAT tab.
>
> not the case
>
>> 14. WAN rules should NOT have a gateway set, so make sure that the rules for
>> the port forward do NOT have a gateway configured on the actual rule.
>
> see
>
> https://i.imgur.com/N7ulwha.png
>
>> 15. If the traffic appears to be forwarding in to an unexpected device, it
>> may be happening due to UPnP. Check Status > UPnP to see if an internal
>> service has configured a port forward unexpectedly. If so, disable UPnP on
>> either that device or on the firewall.
>
> UPnP is not used
>
> I guess I'm missing the obvious here, since port forwards are rather
> straightforward in pfSense and have never given me troubles in the past. A
> nudge in the right direction is appreciated.
>
> Marco
> _______________________________________________
> pfSense mailing list
> https://lists.pfsense.org/mailman/listinfo/list
> Support the project with Gold! https://pfsense.org/gold
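
Added example, not part of the thread: one way to tell an upstream device from pfSense itself is to compare `tcpdump -n` text captured on the pfSense WAN and LAN interfaces and see where the TCP handshake for the forwarded port stops. The function names, the 192.168.1.2 WAN address and the 198.51.100.7 test client are assumptions made up for the sample; 10.0.30.21 and port 8000 are from the post.

```python
import re

# Matches tcpdump -n lines such as:
#   "... IP 198.51.100.7.51514 > 10.0.30.21.8000: Flags [S], seq 1, length 0"
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def handshake(capture, port):
    """Return (syn_seen, synack_seen) for TCP `port` in tcpdump text output."""
    syn = synack = False
    for _src, sport, _dst, dport, flags in LINE.findall(capture):
        if flags == "S" and int(dport) == port:      # client -> service
            syn = True
        elif flags == "S." and int(sport) == port:   # service -> client
            synack = True
    return syn, synack

def localize(wan_capture, lan_capture, port):
    """Map where the handshake stops to the troubleshooting checklist items."""
    wan_syn, wan_synack = handshake(wan_capture, port)
    lan_syn, lan_synack = handshake(lan_capture, port)
    if not wan_syn:
        return "upstream: no SYN on pfSense WAN (items 5, 8)"
    if not lan_syn:
        return "pfsense: SYN seen on WAN, not forwarded to LAN (item 1)"
    if not lan_synack:
        return "server: SYN delivered, no SYN-ACK seen (items 2, 3, 4)"
    if not wan_synack:
        return "pfsense: SYN-ACK not sent back out WAN (items 10-13)"
    return "upstream: SYN-ACK left WAN, reply lost beyond pfSense (item 8)"

# Constructed sample captures (not taken from the screenshots in the post).
# The repeated SYN is the client retransmitting because no reply arrives.
WAN_OK = """\
14:12:01.000100 IP 198.51.100.7.51514 > 192.168.1.2.8000: Flags [S], seq 1, length 0
14:12:01.000900 IP 192.168.1.2.8000 > 198.51.100.7.51514: Flags [S.], seq 9, ack 2, length 0
14:12:02.001100 IP 198.51.100.7.51514 > 192.168.1.2.8000: Flags [S], seq 1, length 0
"""
LAN_OK = """\
14:12:01.000300 IP 198.51.100.7.51514 > 10.0.30.21.8000: Flags [S], seq 1, length 0
14:12:01.000700 IP 10.0.30.21.8000 > 198.51.100.7.51514: Flags [S.], seq 9, ack 2, length 0
"""

if __name__ == "__main__":
    print(localize(WAN_OK, LAN_OK, 8000))
```

A populated state table or packet capture on pfSense only proves the inbound SYN arrived; the last branch covers the case where the reply leaves the WAN interface and is dropped by the device in front of it.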