PfSense port forwarding problems - can't get it to work

Discussion in 'Networking & Security' started by Deadjasper, May 28, 2017.

  1. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
    I have Blue Iris running on port 9999 and I'm trying to open this port so I can access it from the outside. For some reason I can't get it to work. Can someone look at this and tell me wtf is wrong? TIA

    Selection_518.png
     
  2. Farva

    Farva Shens!

    Messages:
    35,186
    Joined:
    Feb 3, 2004
    Have you tried doing 1:1?
     
  3. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
    Just looked at that and I'm not understanding what 1:1 is in PfSense. What is the "External Subnet IP"?? I want to be able to connect from anywhere on the outside.

    I also don't understand why following the official PfSense directions doesn't work.
     
  4. +Eric

    +Eric Limp Gawd

    Messages:
    128
    Joined:
    Jul 4, 2012
    You need to create a Rule under Firewall, under WAN to allow a hole through the firewall. Then under port forward it should create an auto rule for you that'll show linked. So delete the rule you have now under port forward, it should auto pop for you when you create it under rules.
     
  5. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,771
    Joined:
    Nov 4, 2005
    i think it autocreates the fw rule, you got that backwards

    op, how do you know it doesn't work?
    also, do you have a pub ip?
     
  6. Shockey

    Shockey [H]ard|Gawd

    Messages:
    1,989
    Joined:
    Nov 24, 2008
    OP.

    to test, please use canyouseeme.org to validate the port is open. you have to be on the network to use this site to validate.
     
  7. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
    There is no "WAN" under "Firewall".

    Selection_519.png
     
  8. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
    Thanks. It shows the port as open but when I go to xx.xx.xx.xx:9999 I get nothing. This worked on my old TP-Link router.

    OK, I disabled the rule and it shows the port as not open. I reenabled it and it shows as open so I'll assume it's not working locally because PfSense doesn't allow it for some reason.
     
  9. mwarps

    mwarps [H]ardness Supreme

    Messages:
    7,003
    Joined:
    Oct 6, 2002
  10. Farva

    Farva Shens!

    Messages:
    35,186
    Joined:
    Feb 3, 2004
  11. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
  12. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    mwarps is 100% correct - NAT reflection (also known as "hairpinning") allows External -> Internal NAT rules to work when you are within your network and accessing your own public IP address.


    I hope you were able to get it working!
     
  13. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
    I turned on NAT Reflection and still no go. However, I disconnected my phone from WiFi and was still able to connect so I guess it's working. I'll check it tomorrow when I'm on the go to be sure.

    Also, my public IP goes to the PfSense log in screen. I'd rather it didn't. I'll have to sort that out too.
     
  14. goodcooper

    goodcooper [H]ardForum Junkie

    Messages:
    9,771
    Joined:
    Nov 4, 2005
    may also need to add a special fw rule for the hairpin
     
  15. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
    Tested it off site today and it is indeed working. Thanks all. :cool:
     
  16. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    Turn off HTTPS management from the WAN! If you want to access this thing from outside, get a VPN set up and permit it through there.

    You get everything else working and secured?
     
  17. Deadjasper

    Deadjasper [H]ard|Gawd

    Messages:
    1,667
    Joined:
    Oct 28, 2001
    According to this - https://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN - It's disabled by default. When I put my public IP into the browser I get the PfSense log in page. This I do not want. I don't want it accessible from the Internet at all. I haven't tried it from off site but will tomorrow.

    Everything else seems to be working fine. It's only been up for a day but no glitches so far.
     
  18. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    That will happen if you have reflective NAT turned on and you are accessing your public IP from the LAN. Be sure to note that NAT and access rules are two very different things (but not always mutually exclusive).

    NAT allows IP/ports to be translated
    Access rules permit or deny traffic. It's possible that you are permitting all traffic from the LAN to your public IP address with reflective NAT.

    This post explains basically all of it - https://community.spiceworks.com/how_to/89669-sonicwall-routing-vs-access-rules-vs-nat-policies

    Do keep in mind it is written for SonicWALL, but the technology and use-cases are 100% accurate and widely recognized when people talk about NAT, access rules, routing, etc.
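
The NAT-versus-access-rule distinction discussed in the thread, as an added example that is not part of any post and is not pfSense's actual rule engine: a simplified Python model in which the port forward translates first and the ingress interface's rules then permit or deny. The addresses, the allow-all LAN rule, and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample values (documentation address ranges), not from the thread
WAN_IP = "203.0.113.10"       # public address on the firewall's WAN interface
FW_LAN_IP = "192.168.1.1"     # firewall's own LAN address
CAMERA_HOST = "192.168.1.50"  # internal Blue Iris host

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "wan" or "lan"
    dst: str
    dport: int

# Port forward from the thread: public IP port 9999 -> Blue Iris host port 9999
PORT_FORWARDS = {(WAN_IP, 9999): (CAMERA_HOST, 9999)}

# Access rules per ingress interface: first match wins, default deny
RULES = {
    "wan": [("pass", CAMERA_HOST, 9999)],  # rule linked to the port forward
    "lan": [("pass", "any", "any")],       # allow-all LAN rule (assumption)
}

def translate(pkt, reflection):
    """Apply the port forward; LAN-side packets are translated only with reflection on."""
    target = PORT_FORWARDS.get((pkt.dst, pkt.dport))
    if target and (pkt.iface == "wan" or reflection):
        return Packet(pkt.iface, *target)
    return pkt

def filter_action(pkt):
    """Evaluate the ingress interface's rules against the already-translated packet."""
    for action, dst, dport in RULES[pkt.iface]:
        if dst in ("any", pkt.dst) and dport in ("any", pkt.dport):
            return action
    return "block"

def deliver(pkt, reflection=False):
    """Return where the packet ends up: host:port, the firewall's webGUI, or 'blocked'."""
    out = translate(pkt, reflection)
    if filter_action(out) == "block":
        return "blocked"
    if out.dst in (WAN_IP, FW_LAN_IP):
        return "firewall webGUI" if out.dport in (80, 443) else "no listener"
    return f"{out.dst}:{out.dport}"
```

In this model a LAN client that browses to the public IP reaches the webGUI because the LAN rule permits it, while the same request arriving on WAN is dropped, which is why an off-site test is the one that shows what the Internet can actually reach.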