I’m having some issues opening ports. About 3 months ago I opened port 10500 to access my police scanner and it works great. I recently tried to open port 5000 for another project and it won’t open. I tried copying the 10500 port and changed it to port 5000 and still nothing. I then tried opening some of the predefined ones from the port forwarding menu and they do not open. I have Windows Firewall turned off and my modem, which is just a modem, goes into the pfSense build. I don’t know a lot about the states table but I reset them also. I use yougotasignal.com and the internal port checker in pfSense to see if they are open and both say the ports are closed. Anyone know of something I may have done to cause this? Any thoughts would be greatly appreciated.
So you want to forward (DNAT) port 5000/tcp on the WAN interface to some internal IP in order to access some private service from the internet, am I getting this right?
Here’s how that would usually work:
Under Firewall -> NAT -> Port Forward, create a new rule, where
Interface = your WAN interface
Protocol = whichever protocol you want to match, TCP probably
Destination = your WAN interface address
Destination port range = 5000
Redirect target IP = the internal host that the traffic should be routed to
Redirect target port = the port on the internal host
Filter rule association = Add associated filter rule
The last step is important, as the NAT rule itself only modifies the destination field of the matching packets. It does not, however, decide whether these packets get accepted, rejected or dropped. You still need a firewall rule for that. It should be automatically created with the correct settings, which are:
Action = Pass
Interface = Your WAN interface
Source = any
Destination = same as ‘Redirect target IP’ in the NAT rule
Destination Port range = same as ‘Redirect target port’ in the NAT rule
In order to test if the NAT and firewall rules work, enable the ‘Log’ option on the firewall rule. Then send some data from the internet to port 5000 of your WAN IP (e.g. using telnet). Your firewall logs should contain a corresponding entry. If they do, the problem is on the target machine.
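The rule pair described above, written out in pf syntax as an added illustration (this is not from the thread or a pfSense-generated ruleset; interface names, the WAN address 1.2.3.4 and the internal host 192.168.1.128 are assumptions taken from the example values used later in this thread). It shows why the associated filter rule has to match the translated destination and why the NAT rule alone is not enough:

```pf
# Constructed example of a pfSense port forward expressed as pf rules.
# Interface names and addresses are assumptions, not from the thread.
ext_if   = "em0"            # WAN interface (assumed name)
wan_ip   = "1.2.3.4"        # WAN address (placeholder)
target   = "192.168.1.128"  # internal host running the service
svc_port = "5000"

# 1. The NAT (DNAT) rule from Firewall -> NAT -> Port Forward.
#    It only rewrites the destination of matching packets that arrive
#    on the WAN interface; it does not pass or block anything.
rdr on $ext_if proto tcp from any to $wan_ip port $svc_port -> $target port $svc_port

# 2. The associated filter rule. pf runs filter rules after translation,
#    so the rule must match the *translated* destination (the internal
#    host), which is what "Add associated filter rule" creates for you.
#    'log' corresponds to the Log option mentioned above, so a test
#    connection from the internet shows up under Status -> System Logs.
pass in log quick on $ext_if proto tcp from any to $target port $svc_port flags S/SA keep state

# Without rule 2, pfSense's default deny on WAN drops the translated
# packet, and an external port check reports the port as closed even
# though the port forward entry exists.
# A pass rule written against the pre-translation address never matches:
#   pass in quick on $ext_if proto tcp from any to $wan_ip port $svc_port
```

If the log entry appears but the service still does not answer, the packet left pfSense correctly and the remaining suspects are the host's own firewall, the service not listening on that port, or the host using a default gateway other than pfSense.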
You’re awesome. That worked. My 10500 port is not set up that way but is open. Redirect target port = the port on the internal host is what made it start working. I appreciate you taking the time to explain that. I’m going to print this out and file it. Here is an image of the port 10500 port that has been working.
In my mind this should not be working because my redirect target port is not 10500. I thought it was working because I had NAT+proxy on, but when trying to open other ports with this chosen the port does not open.
I’m not quite sure I can follow. The NAT reflection only matters when you want to access a service from the inside of the network while still using the WAN address. Say, you’re hosting a service on 192.168.1.128/24 port 10500/tcp. Your WAN address is 1.2.3.4. You have a NAT rule on the WAN interface to forward traffic addressed to 1.2.3.4:10500 to 192.168.1.128:10500.
Now when you send a packet from within the 192.168.1.0/24 network to 1.2.3.4:10500, the NAT rule will not match this packet since it did not come in on the WAN interface. Therefore, the packet will not be redirected to the target machine. NAT reflection is one way to mitigate this problem. With it enabled, pfSense will “re-enter” the packet on the WAN interface, so that the DNAT can take place.
Just to be concise, can you clarify what port your service runs on the internal host? Note that the destination port and the target port can be different. Also I suggest you try the logging option I mentioned in my original answer, to determine whether there is a problem with your router setup or with the target host.
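The reflection case from the reply above, written out in pf syntax as an added illustration (not from the thread, and not the exact rules pfSense emits; it assumes the "Pure NAT" reflection style, whereas the NAT+proxy mode mentioned earlier uses a helper daemon instead, and the interface names and LAN address are assumptions). It shows why a LAN host talking to the WAN address needs a second redirect plus source NAT, and why the WAN rule alone cannot help:

```pf
# Constructed example of NAT reflection ("Pure NAT" style) in pf terms.
# Interface names and addresses are assumptions, not from the thread.
ext_if  = "em0"             # WAN interface (assumed name)
int_if  = "em1"             # LAN interface (assumed name)
wan_ip  = "1.2.3.4"         # WAN address (placeholder)
lan_ip  = "192.168.1.1"     # pfSense LAN address (assumed)
lan_net = "192.168.1.0/24"
target  = "192.168.1.128"   # internal host running the service
svc_port = "10500"

# The normal port forward: matches only packets arriving on WAN.
rdr on $ext_if proto tcp from any to $wan_ip port $svc_port -> $target port $svc_port
pass in quick on $ext_if proto tcp from any to $target port $svc_port flags S/SA keep state

# A LAN client sending to 1.2.3.4:10500 arrives on $int_if, so the rule
# above never sees it. Reflection adds an equivalent redirect on the LAN
# side so the destination is rewritten to the internal host...
rdr on $int_if proto tcp from $lan_net to $wan_ip port $svc_port -> $target port $svc_port

# ...and rewrites the source to the firewall's LAN address. Without this
# the target would answer the client directly from 192.168.1.128, but the
# client expects the reply from 1.2.3.4 and resets the connection.
nat on $int_if proto tcp from $lan_net to $target port $svc_port -> $lan_ip

pass in quick on $int_if proto tcp from $lan_net to $target port $svc_port flags S/SA keep state
```

Note that reflection only affects clients inside the LAN; an external port checker never exercises these rules, so if it reports the port closed, the WAN rdr and its associated pass rule are where to look, not the reflection setting.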