
Author Topic: I can only get one computer at a time to work with forwarded ports. WHY?????????  (Read 854 times)


Offline 2Buck

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Aghhhhh... I'm losing my mind here.

So I've got a really simple setup. I've got my main PC, and my server. Both are set up with static IPs.
Main PC internal IP: 192.168.1.62
Server internal IP: 192.168.1.77

I used to have this working in the past, but along the way somehow it just won't work. I have completely wiped out all my rules and settings and I'm starting from scratch.

I'm trying to run game servers. Doom, Minecraft, whatever. For this, let's just say it's Minecraft.

So I try to port forward through NAT. I give it my main PC's internal IP and a port alias containing all the ports I want to use. Everything works great. canyouseeme says it's open and an external machine can connect to my server. Yay.... So I go to make a new entry, do everything the same for my server. It works just fine, simple, right? Well, now the first entry doesn't work. So.. Only one works at a time, depending on how I have the order shifted. So, instead of having two entries, I use an alias for the IP. Seems foolproof. But, a similar problem. When I host the MC server on my main PC, it works, but then when I host another server (different port) on the server, it works, but then my main PC doesn't anymore. Whichever server was started last is what works.

I'm going nuts! Please.. If anyone can help you'd be the most amazing person on the earth. I've been battling this problem for months. It's probably something so simple that I'm just missing.

If I need to give any other info, just let me know.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9241
  • Karma: +1052/-308
    • View Profile
You cannot forward the same ports to different servers unless you have multiple outside IP addresses.

When WAN address:25565 receives a connection, it can only be forwarded to one inside address:port.

You can have WAN address:25565 forward to 192.168.1.62:25565 and WAN address:25566 forward to 192.168.1.77:25565.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESSTM

Offline 2Buck

Quote
You cannot forward the same ports to different servers unless you have multiple outside IP addresses.

When WAN address:25565 receives a connection, it can only be forwarded to one inside address:port.

You can have WAN address:25565 forward to 192.168.1.62:25565 and WAN address:25566 forward to 192.168.1.77:25565.

Sorry if I wasn't clear, I'm not using the same port. I'm using the port 25565 on my server and 10667 on my main PC.

Offline Derelict

Should work fine then. Going to need more information. Post screenshots of your port forward rules and associated firewall rules. Be sure to enumerate the contents of any aliases there.

Offline 2Buck

Quote
Should work fine then. Going to need more information. Post screenshots of your port forward rules and associated firewall rules. Be sure to enumerate the contents of any aliases there.

Okay, so I have found a way to get it working, but isn't gonna work out in the long run.
On my server I opened up the ports from 10000 to 10999 and on my main PC I did 11000-11999. Everything is working beautifully, as long as they stay within that port range. But you can't redefine ports on some games/applications so it's not gonna work out for everything. The problems occur when I try to open any same port for two IPs. I want to have a rule where ports 10000-11999 are opened on both IPs using an alias for my IPs.

Screenshot:
http://i.imgur.com/mSm7OTX.png

The j17machines alias in this screenshot is just two IPs, the two I mentioned in the OP. Configuring it this way simply does not work. I have two MC bukkit servers running on each machine, my server running on port 10667 and my pc running on 11667. With this alias configuration, it doesn't work, but if I configure it isolated, only opening up ports 10000-10999 on the server and 11000-11999 on my PC in separate rules, it works.

Main PC:
http://i.imgur.com/BAB2YVO.png

Server:
http://i.imgur.com/Sid0RkT.png

So, like I said, configuring it this way works, as long as I only need those ports. But say I need the port 25565 on my server, that goes beyond the 10999 range, and if I were to open 10000-25565, it would end up with a bunch of the same open ports as my main PC and for some reason it just does not want to work that way. IIRC, I used to have it all configured very simply, with an IP alias and a port alias, and it all just worked. Something has changed along the way and I can't for the life of me figure it out. Maybe it's time for a factory reset?

Offline Derelict

Quote
I want to have a rule where ports 10000-11999 are opened on both IPs using an alias for my IPs.

No NAPT firewall can do that.

Offline 2Buck

Quote
I want to have a rule where ports 10000-11999 are opened on both IPs using an alias for my IPs.

No NAPT firewall can do that.

How do I do it then? I used to have it set up to where two PCs could use the same port, just as long as they weren't trying to at the same time obviously. I had two MC servers each on different computers that both used the same port, and I would alternate which server was hosted, and never hit these kinda problems. Also, say it's a game where I can't change the port it uses, but want to be able to alternate servers in that manner?

The way to do this seems to be as simple as setting it up with both IPs in an alias and all the ports I want in an alias, but it's not working. I think maybe I changed some setting somewhere along the lines. I guess I'm just gonna factory reset and try from complete scratch. I just don't know enough about this to try and track down the issue.


Offline Derelict

Were you, perhaps, using UPnP to actually open the ports?

Think about it. If the firewall is configured to forward traffic to two hosts when it receives a connection on WAN Address:11000 to two different hosts, how is it supposed to know which one should receive the traffic? All it has to go on is WAN Address:11000.
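
Added example, not part of any post in this thread: a small Python audit of port-forward rule sets that flags the two conflicts discussed above, a rule whose target alias expands to more than one inside host, and a later rule whose WAN port range overlaps an earlier one. The `Forward` structure, the rule names and the top-down first-match model are assumptions made for illustration, and the rule sets are constructed from the addresses and ranges mentioned in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    name: str
    proto: str         # "tcp" or "udp"
    ext_ports: range   # WAN-side destination ports
    targets: tuple     # inside hosts after alias expansion

def port_range(first, last):
    """Inclusive port range, e.g. port_range(10000, 10999)."""
    return range(first, last + 1)

def audit(rules):
    """Audit a rule list evaluated top-down, first match wins (assumed model)."""
    findings = []
    for i, rule in enumerate(rules):
        # One WAN address:port can map to only one inside address:port.
        if len(rule.targets) != 1:
            findings.append(("ambiguous-target", rule.name, None, rule.targets))
        for earlier in rules[:i]:
            if earlier.proto != rule.proto:
                continue
            lo = max(earlier.ext_ports.start, rule.ext_ports.start)
            hi = min(earlier.ext_ports.stop, rule.ext_ports.stop) - 1
            if lo <= hi:  # the earlier rule already claims ports lo..hi
                findings.append(("shadowed", rule.name, earlier.name, (lo, hi)))
    return findings

PC, SERVER = "192.168.1.62", "192.168.1.77"

# Constructed rule sets modelled on the configurations described in the thread.
alias_rule = [Forward("j17machines", "tcp", port_range(10000, 11999), (PC, SERVER))]
overlapping = [
    Forward("server", "tcp", port_range(10000, 25565), (SERVER,)),
    Forward("main-pc", "tcp", port_range(11000, 11999), (PC,)),
]
split = [
    Forward("server", "tcp", port_range(10000, 10999), (SERVER,)),
    Forward("main-pc", "tcp", port_range(11000, 11999), (PC,)),
    Forward("server-mc", "tcp", port_range(25565, 25565), (SERVER,)),
]

if __name__ == "__main__":
    for label, rules in (("alias", alias_rule), ("overlap", overlapping), ("split", split)):
        print(label, audit(rules) or "no conflicts")
```
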

Offline 2Buck

Quote
Were you, perhaps, using UPnP to actually open the ports?

Think about it. If the firewall is configured to forward traffic to two hosts when it receives a connection on WAN Address:11000 to two different hosts, how is it supposed to know which one should receive the traffic? All it has to go on is WAN Address:11000.

Is that actually possible? Would that achieve the effect I'm going for and if so how would I do that?
Sorry for my ignorance and thanks so much!
