PfSense port forwarding problems - can't get it to work

Deadjasper

I have Blue Iris running on port 9999 and I'm trying to open this port so I can access it from the outside. For some reason I can't get it to work. Can someone look at this and tell me wtf is wrong? TIA

Selection_518.png
 

Deadjasper

Just looked at that and I'm not understanding what 1:1 is in PfSense. What is the "External Subnet IP"?? I want to be able to connect from anywhere on the outside.

I also don't understand why following the official PfSense directions doesn't work.
 

+Eric

You need to create a Rule under Firewall, under WAN to allow a hole through the firewall. Then under port forward it should create an auto rule for you that'll show linked. So delete the rule you have now under port forward, it should auto pop for you when you create it under rules.
 

goodcooper

i think it autocreates the fw rule, you got that backwards

op, how do you know it doesn't work?
also, do you have a pub ip?
 

Deadjasper

> You need to create a Rule under Firewall, under WAN to allow a hole through the firewall. Then under port forward it should create an auto rule for you that'll show linked. So delete the rule you have now under port forward, it should auto pop for you when you create it under rules.

There is no "WAN" under "Firewall".

Selection_519.png
 

Deadjasper

> OP.
>
> to test, please use canyouseeme.org to validate the port is open. you have to be on the network to use this site to validate.

Thanks. It shows the port as open but when I go to xx.xx.xx.xx:9999 I get nothing. This worked on my old TP-Link router.

OK, I disabled the rule and it shows the port as not open. I reenabled it and it shows as open so I'll assume it's not working locally because PfSense doesn't allow it for some reason.
 

Farva


Cmustang87

mwarps is 100% correct - NAT reflection (also known as "hairpinning") allows External -> Internal NAT rules to work when you are within your network and accessing your own public IP address.


I hope you were able to get it working!
 

Deadjasper

I turned on NAT Reflection and still no go. However, I disconnected my phone from WiFi and was still able to connect so I guess it's working. I'll check it tomorrow when I'm on the go to be sure.

Also, my public IP goes to the PfSense log in screen. I'd rather it didn't. I'll have to sort that out too.
 

Cmustang87

Turn off HTTPS management from the WAN! If you want to access this thing from outside, get a VPN set up and permit it through there.

You get everything else working and secured?
 

Deadjasper

> Turn off HTTPS management from the WAN! If you want to access this thing from outside, get a VPN set up and permit it through there.
>
> You get everything else working and secured?

According to this - https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN - It's disabled by default. When I put my public IP into the browser I get the PfSense log in page. This I do not want. I don't want it accessible from the Internet at all. I haven't tried it from off site but will tomorrow.

Everything else seems to be working fine. It's only been up for a day but no glitches so far.
 

Cmustang87

> According to this - https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN - It's disabled by default. When I put my public IP into the browser I get the PfSense log in page. This I do not want. I don't want it accessible from the Internet at all. I haven't tried it from off site but will tomorrow.
>
> Everything else seems to be working fine. It's only been up for a day but no glitches so far.

That will happen if you have reflective NAT turned on and you are accessing your public IP from the LAN. Be sure to note that NAT and access rules are two very different things (but not always mutually exclusive).

NAT allows IP/ports to be translated
Access rules permit or deny traffic. It's possible that you are permitting all traffic from the LAN to your public IP address with reflective NAT.

This post explains basically all of it - https://community.spiceworks.com/how_to/89669-sonicwall-routing-vs-access-rules-vs-nat-policies

Do keep in mind it is written for SonicWALL, but the technology and use-cases are 100% accurate and widely recognized when people talk about NAT, access rules, routing, etc.
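
The NAT-versus-access-rule distinction from the last post, and the NAT reflection case from earlier in the thread, sketched as a pf ruleset fragment. This is an added example, not taken from the thread and not the ruleset pfSense generates; the interface names, the LAN subnet and the Blue Iris host address are constructed placeholders.

```pf
# --- Macros (all values are constructed placeholders) ---
wan_if  = "em0"
lan_if  = "em1"
lan_net = "192.168.1.0/24"
cam_srv = "192.168.1.50"      # assumed address of the Blue Iris host

# --- Translation (NAT): rewrites addresses, permits nothing by itself ---

# Port forward: connections arriving on the WAN address, port 9999,
# get their destination rewritten to the internal host.
rdr on $wan_if inet proto tcp from any to ($wan_if) port 9999 -> $cam_srv port 9999

# NAT reflection (hairpinning): a LAN client that targets the public
# address is redirected to the internal host as well ...
rdr on $lan_if inet proto tcp from $lan_net to ($wan_if) port 9999 -> $cam_srv port 9999

# ... and its source is rewritten to the firewall's LAN address, so the
# server replies through the firewall instead of straight to the client
# (a direct reply would not match the connection the client opened).
nat on $lan_if inet proto tcp from $lan_net to $cam_srv port 9999 -> ($lan_if)

# --- Filtering (access rules): decides what is actually allowed ---

# Default deny for anything arriving from the Internet. This also covers
# the firewall's own web interface, which has no pass rule on WAN here.
block in log on $wan_if all

# Permit the forwarded flow. Translation runs before filtering, so the
# rule matches the rewritten (internal) destination, not the WAN address.
pass in quick on $wan_if inet proto tcp from any to $cam_srv port 9999 flags S/SA keep state

# Permit the reflected flow from LAN clients.
pass in quick on $lan_if inet proto tcp from $lan_net to $cam_srv port 9999 flags S/SA keep state
```

Removing the WAN pass rule while leaving the `rdr` line in place leaves the port closed from outside, which is why an external checker is the right test for the forward and a LAN browser is not.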
 