Re: [pfSense] Port forwards don't work on one machine
That should be in the logs…

> On Feb 11, 2018, at 6:48 PM, Joseph L. Casale wrote:
>
> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
> Sent: Sunday, February 11, 2018 2:30 PM
> To: list@lists.pfsense.org
> Subject: Re: [pfSense] Port forwards don't work on one machine
>
>> I ran a wireshark on the destination and it received packets when
>> “port testing” from the pfSense, but not when using external access
>> (e.g. canyouseeme.org)
>
> Sounds like an ACL with a block or reject somewhere...

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Port forwards don't work on one machine
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Marco
Sent: Sunday, February 11, 2018 2:30 PM
To: list@lists.pfsense.org
Subject: Re: [pfSense] Port forwards don't work on one machine

> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)

Sounds like an ACL with a block or reject somewhere...
Re: [pfSense] Port forwards don't work on one machine
> On Feb 11, 2018, at 1:29 PM, Marco wrote:
>
> On Sun, 11 Feb 2018 20:46:41 +
> "Joseph L. Casale" wrote:
>
>> -Original Message-
>> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
>> Sent: Sunday, February 11, 2018 1:43 PM
>> To: pfSense Support and Discussion Mailing List
>> Subject: Re: [pfSense] Port forwards don't work on one machine
>>
>>> What interface is that taken on? Take one on the interface the
>>> destination server is connected to (WLAN?) and test again. While
>>> you’re capturing also do another Diagnostics > Test Port from the
>>> local pfSense itself. Please include the capture of both events
>>> (from outside and using test port.)
>>>
>>> It looks like the server is not responding.
>>
>> I'd also suggest running a capture on the destination, if it's
>> actually receiving traffic and/or sending it elsewhere (routing rule)
>> this will provide some insight.
>
> I ran a wireshark on the destination and it received packets when
> “port testing” from the pfSense, but not when using external access
> (e.g. canyouseeme.org)

Are the packets going out pfSense LAN? To what MAC/IP address?
Re: [pfSense] Port forwards don't work on one machine
On Sun, 11 Feb 2018 20:46:41 +
"Joseph L. Casale" wrote:

> -Original Message-
> From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
> Sent: Sunday, February 11, 2018 1:43 PM
> To: pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Port forwards don't work on one machine
>
> > What interface is that taken on? Take one on the interface the
> > destination server is connected to (WLAN?) and test again. While
> > you’re capturing also do another Diagnostics > Test Port from the
> > local pfSense itself. Please include the capture of both events
> > (from outside and using test port.)
> >
> > It looks like the server is not responding.
>
> I'd also suggest running a capture on the destination, if it's
> actually receiving traffic and/or sending it elsewhere (routing rule)
> this will provide some insight.

I ran a wireshark on the destination and it received packets when
“port testing” from the pfSense, but not when using external access
(e.g. canyouseeme.org)

Marco
Re: [pfSense] Port forwards don't work on one machine
On Sun, 11 Feb 2018 12:42:34 -0800
Chris L wrote:

> > On Feb 11, 2018, at 11:12 AM, Marco wrote:
> >
> > 6) Packet capture:
> >
> >    https://i.imgur.com/xT3qFXW.png
>
> What interface is that taken on?

WAN

> Take one on the interface the destination server is connected to
> (WLAN?) and test again.

done: https://i.imgur.com/CJbaVp6.png

The first two lines show the external IP access to the 8000 port, then
comes the pfSense port test.

> While you’re capturing also do another Diagnostics > Test Port
> from the local pfSense itself. Please include the capture of both
> events (from outside and using test port.)

done, see above.

> It looks like the server is not responding.

Why does this work then?: https://i.imgur.com/KcaSP6T.png

I can access it locally and pfSense can also access it. Testing from my
laptop now. Actual server is a real machine on another network.

Thanks for the quick response.

Marco
Re: [pfSense] Port forwards don't work on one machine
-Original Message-
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Chris L
Sent: Sunday, February 11, 2018 1:43 PM
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Port forwards don't work on one machine

> What interface is that taken on? Take one on the interface the destination
> server is connected to (WLAN?) and test again. While you’re capturing also
> do another Diagnostics > Test Port from the local pfSense itself. Please
> include the capture of both events (from outside and using test port.)
>
> It looks like the server is not responding.

I'd also suggest running a capture on the destination, if it's actually
receiving traffic and/or sending it elsewhere (routing rule) this will
provide some insight.
Re: [pfSense] Port forwards don't work on one machine
> On Feb 11, 2018, at 11:12 AM, Marco wrote:
>
> 6) Packet capture:
>
>    https://i.imgur.com/xT3qFXW.png

What interface is that taken on? Take one on the interface the
destination server is connected to (WLAN?) and test again. While you’re
capturing also do another Diagnostics > Test Port from the local pfSense
itself. Please include the capture of both events (from outside and
using test port.)

It looks like the server is not responding.
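Added example (not part of the original thread, and not pfSense code): the comparison Chris L asks for, a capture on WAN against a capture on the interface facing the server, reduced to a script that reads `tcpdump -n` text from both interfaces and names the hop where the TCP handshake stops. The capture lines, the tester address 203.0.113.7, the WAN address 192.0.2.10 and the firewall's inside address 10.0.30.1 are constructed; 10.0.30.21 and port 8000 are the thread's.

```python
import re

# One TCP line of `tcpdump -n` text: "IP src.sport > dst.dport: Flags [S.], ..."
LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def handshake_counts(lines, port, client):
    """Return (SYNs from client to port, SYN-ACKs from port back to client)."""
    syn = synack = 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # ARP, ICMP, truncated lines
        if m["flags"] == "S" and m["src"] == client and int(m["dport"]) == port:
            syn += 1
        elif m["flags"] == "S." and m["dst"] == client and int(m["sport"]) == port:
            synack += 1
    return syn, synack

def locate_drop(wan_lines, inside_lines, port, client):
    """Name the hop where the forwarded handshake from `client` stops."""
    wan_syn, wan_synack = handshake_counts(wan_lines, port, client)
    in_syn, in_synack = handshake_counts(inside_lines, port, client)
    if wan_syn == 0:
        return "upstream: SYN never reaches the WAN interface"
    if in_syn == 0:
        return "firewall: SYN arrives on WAN but does not leave the inside interface"
    if in_synack == 0:
        return "server side: SYN leaves the inside interface, no SYN-ACK comes back"
    if wan_synack == 0:
        return "return path: SYN-ACK reaches the firewall but does not leave WAN"
    return "handshake passes through the firewall"

# Constructed captures shaped like the thread's symptom (not the posted screenshots).
TESTER, FW_INSIDE = "203.0.113.7", "10.0.30.1"  # assumed addresses
WAN = [
    "12:00:01.10 IP 203.0.113.7.51000 > 192.0.2.10.8000: Flags [S], seq 1, length 0",
    "12:00:02.10 IP 203.0.113.7.51000 > 192.0.2.10.8000: Flags [S], seq 1, length 0",
]
INSIDE = [
    "12:00:01.10 IP 203.0.113.7.51000 > 10.0.30.21.8000: Flags [S], seq 1, length 0",
    "12:00:02.10 IP 203.0.113.7.51000 > 10.0.30.21.8000: Flags [S], seq 1, length 0",
    "12:00:09.40 IP 10.0.30.1.40000 > 10.0.30.21.8000: Flags [S], seq 9, length 0",
    "12:00:09.40 IP 10.0.30.21.8000 > 10.0.30.1.40000: Flags [S.], seq 5, ack 10, length 0",
]
if __name__ == "__main__":
    print(locate_drop(WAN, INSIDE, 8000, TESTER))
```

Counting per client keeps the firewall's own Test Port handshake from masking the missing reply to the external tester when both appear in the same inside capture.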
[pfSense] Port forwards don't work on one machine
Hi,

I have set up port forwarding multiple times in the past and it has
always worked. But I now have a machine that fails to forward a port. No
clue why. Maybe I'm missing the obvious here.

My network:

  Internet -> ISP provided “NAT device” -> pfSense (2.4.2-RELEASE-p1)

For debugging purposes I simplified the setup, turned off IDS,
pfBlockerNG, used IPs instead of aliases.

1) The port forward from the WAN to 10.0.30.21 is set up.

   https://i.imgur.com/V8vlN1Z.png

2) A corresponding WAN rule is created as well:

   https://i.imgur.com/N7ulwha.png

   On another machine this already is enough to get it working. But not
   on this one. Nmap shows “filtered”.

3) Confirming the port 8000 is actually open on 10.0.30.21:

   https://i.imgur.com/KcaSP6T.png

   Yes, it is.

4) Now testing from the external IP:

   https://i.imgur.com/QnWQuIO.png

   Nope! Again using an external service:

   https://i.imgur.com/v4KaivE.png

   No, James!

5) States:

   https://i.imgur.com/Rf1kjbf.png

6) Packet capture:

   https://i.imgur.com/xT3qFXW.png

I read: https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

> Common Problems
>
> 1. NAT and firewall rules not correctly added (see How can I forward ports
> with pfSense?)

I guess it's all correct, works on another machine.

> Hint: Do NOT set a source port

not set

> 2. Firewall enabled on client machine

nope

> 3. Client machine is not using pfSense as its default gateway

pfSense is the default gateway

> 4. Client machine not actually listening on the port being forwarded

It is, see https://i.imgur.com/KcaSP6T.png

> 5. ISP or something upstream of pfSense is blocking the port being forwarded

I guess the states table and packet capture should be empty if that's
the case, right?

> 6. Trying to test from inside the local network, need to test from an outside
> machine

Tested both, see
https://i.imgur.com/QnWQuIO.png
https://i.imgur.com/v4KaivE.png

> 7. Incorrect or missing Virtual IP configuration for additional public IP
> addresses

No clue, haven't configured anything virtual.

> 8. The pfSense router is not the border router. If there is something else
> between pfSense and the ISP, the port forwards and associated rules must be
> replicated there.

True, pfSense is not the border router, ISP provided “NAT gateway” is.
Device is configured to forward everything to the pfSense box, though.

> 9. Forwarding ports to a server behind a Captive Portal. An IP bypass must be
> added both to and from the server's IP in order for a port forward to work
> behind a Captive Portal.

nope

> 10. If this is on a WAN that is not the default gateway, make sure there is a
> gateway chosen on this WAN interface, or the firewall rules for the port
> forward would not reply back via the correct gateway.

WAN is default gateway

> 11. If this is on a WAN that is not the default gateway, ensure the traffic
> for the port forward is NOT passed in via Floating Rules or an Interface
> Group. Only rules present on the WAN's interface tab under Firewall Rules
> will have the reply-to keyword to ensure the traffic responds properly via
> the expected gateway.

didn't configure floating rules

> 12. If this is on a WAN that is not the default gateway, make sure the
> firewall rule(s) allowing the traffic in do not have the box checked to
> disable reply-to.

not the case

> 13. If this is on a WAN that is not the default gateway, make sure the master
> reply-to disable switch is not checked under System > Advanced, on the
> Firewall/NAT tab.

not the case

> 14. WAN rules should NOT have a gateway set, so make sure that the rules for
> the port forward do NOT have a gateway configured on the actual rule.

see https://i.imgur.com/N7ulwha.png

> 15. If the traffic appears to be forwarding in to an unexpected device, it
> may be happening due to UPnP. Check Status > UPnP to see if an internal
> service has configured a port forward unexpectedly. If so, disable UPnP on
> either that device or on the firewall.

UPnP is not used

I guess I'm missing the obvious here, since port forwards are rather
straightforward in pfSense and have never given me troubles in the past.
A nudge in the right direction is appreciated.

Marco
[pfSense] Limiters
Hi

I currently have some limiters set up on my WiFi interface. I limit some
IPs (192.168.2.105, 192.168.1.109,...) to only have 700 Kbit/s. So every
IP (device) has 700 Kbit/s.

I want to add a "global" limit on the WiFi interface so the total
subnet/network can only have 3000 Kbit/s. Each IP (device) can only have
700 Kbit/s of the total 3000 Kbit/s limit.

I tried putting a "global" limit for the subnet / network before and/or
after all the IP devices with 700 Kbit/s under rules. This does not seem
to work.

Is something like this possible, and if possible what am I doing wrong?
Maybe somewhere I can find documentation?

Regards
Chris