
Author Topic: New user wondering why port forwarding and communications difficult in pfSense?  (Read 217 times)


Offline Rainy

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
I've spent a week trying to set up and configure pfSense (longer than that if you count the time I've spent watching videos and reading web pages about configuration) but have not attempted to use it in "real world" usage until today.  I should preface this by saying this is the very first time I have ever attempted to do something like this; all my previous experience with routers has been with "off the shelf" models such as those made by Asus, and that I was using the latest stable version of pfSense (2.4.1).  Also this is entirely a wired system; there are no wireless interfaces that pfSense has to deal with.

Basically it worked well enough for basic things like surfing the web, but almost immediately after hooking it up several issues surfaced, mostly involving anything that had to do with any kind of communications.  For example my instant messaging client had trouble connecting, and an Obihai VoIP adapter could no longer connect to Google Voice.  Perhaps the biggest fail was an XBOX.  For that I had configured port forwarding using the instructions at https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense, and forwarding the same ports in the same way as I had done in my Asus router.  Note that the port forwarding was ALL I had to do in the Asus router to get the XBOX to work (in particular, I did NOT need to enable uPnP), but for some reason the XBOX still claimed that the NAT type was strict rather than open and therefore no multiplayer game play could take place.  I even tried the fix in the video at https://www.youtube.com/watch?v=Q5U0nj9oaZY but that didn't change anything as far as the XBOX was concerned.

I read the page at https://doc.pfsense.org/index.php/Static_Port but don't fully understand it.  It says, "By default, pfSense rewrites the source port on all outgoing packets."  Wouldn't that be a bad thing, because it would just about kill all communications protocols?  Is this something that off-the-shelf routers don't do by default?  Or am I misunderstanding that?  We also have an Asterisk server on this network and it was doing a lot of complaining too, but with so many things failing at once (and a kid that really wanted to use the XBOX), I didn't pay as much attention to that as to everything else communications-related that seemed to be failing.  I finally wound up putting the old Asus router back online.

I absolutely, positively, unequivocally do not wish to enable uPnP.  I don't want to get into a big discussion about it, but just mention it because any instructions that include "enable uPnP" (which would be most of them) are a non-starter for me.  The Asus router does not require me to enable uPnP for the XBOX to be happy, and I don't understand why the simple port forwarding rules work fine in that router but not in pfSense.  And I am 99.99% certain I did them right; I have watched several videos in addition to reading the page at https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense and everything shows the port forwarding being done exactly the way I did it.

It seems very weird to me that port forwarding should be a breeze in an under-$100 router, yet something that seems to cause much hair-pulling and gnashing of teeth in pfSense, as multiple threads on the subject (especially with regard to gaming) can attest.  So, I guess what I am asking is, what is the fundamental difference between pfSense and an off-the-shelf router that seems to cause so many issues with communications protocols?  I'm starting to wonder if trying pfSense was a big mistake for someone with my relative lack of experience and knowledge about networking; the videos made it look easy enough to set up but they never mentioned problems like this.  Sorry if this sounds like a rant, but I really would like to know why this stuff doesn't seem to just work.
« Last Edit: October 29, 2017, 06:55:52 pm by Rainy »

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14295
  • Karma: +1330/-193
  • Not a pfSense employee, they cannot fire me...
"By default, pfSense rewrites the source port on all outgoing packets."

This is how NAPT works.. This is how every single router does it... When you have multiple clients behind a NAT router, you have to change the source port of the traffic...  Because you have no control over what source port the client will use.

Let's say you have 10 clients behind your NAPT (network address port translation)..  All talking to lots of different things.  Keep in mind they have to share the 1 public IP..  This public IP only has 65k source ports to work with..  The clients are all just pretty much randomly picking different source ports to use.. Now really just kind of keep adding +1 to what they used for the last session..

So when client A happens to use say source port 40122 to talk to some public IP, and Client B happens to use the same 40122 source port.. How exactly does pfsense keep track of that since it only has the 1 source port it can use on its public IP..

So what happens is the NAPT router changes these source ports for all the traffic - unless you set it as static..  Which you can do in your outbound nat..  Now what if you had 100 different devices behind your NAPT.. what would be the odds that devices are using the same source ports?  What happens when client A wants the same source port as B.. Whose connection wins and whose fails?

Here is the thing.. Port forwarding in pfsense is just as easy as any nat soho router, just more powerful.. Gives you way more options you can do with it..  This seems to confuse users.. And then they start clicking on shit they don't need to click on ;)  Or don't understand the difference between a source and dest, etc.  Or that they can forward port 8080 to 80 for example..  All the options seem to confuse them ;)

It really only takes 10 seconds to forward a port in pfsense.. You really only need to adjust a couple of things.. The protocol (tcp/udp/both/any/etc), you need to pick the dest.. This is confusing to many users because this is normally not an option in the soho router.. This is pretty much always going to be wan address.  What port or port range you want to forward (dest) and then where you want to redirect it: the IP of your client..  The port and or range of ports you want to send to it.. It can be the same, or it could be different ports even.

And while pfsense will auto create the wan firewall rule to allow this forward.  Many users seem to think lets change that default drop down.. Or they have other rules on the wan that are before the new added rule that prevent it, etc... Rule order matters in a firewall.. Maybe not in your off the shelf users toy of a router..  So yeah while you might have a port forward rule - did you create some rule on your wan that prevents it?

Most users don't get what nat reflection even is.. And they think its normal to from the lan side hit their wan IP and just be forwarded back into same network... This is NAT reflection - out of the box pfsense does not do this.. You have to tell it to do it, you have to tell it the type to do, etc.  To be honest nat reflection is just an abomination that is only needed to fix something that is broken.. Like hard coding IPs, etc.

"pfSense was a big mistake for someone with my relative lack of experience and knowledge about networking"

You might be on the right track here.. The power and configuration options can be overwhelming to someone that doesn't understand them..

I can tell you for sure that my son's console games never had a problem doing anything..... Part of the problem with these console games is they don't even tell you what ports and protocols are actually used in what direction... Sorry but why would a game need 53 forwarded inbound?  It freaking doesn't - it needs to be open outbound - doesn't need to be freaking forwarded.. 80 is on there as well.. If that needs to be forwarded..  Better tell most of the ISPs to not block it - since many isps block that inbound, etc..

What I suggest if you do not want to up your networking understanding and just plug shit in and have it work.. UPnP on out of the box, etc.  Only 1 network behind.. No vlans, etc..  Really only 1 option for port forwarding ;)  Then yeah just use the router your ISP gave you or go buy some $100 shiny box at the computer store that says its best for gaming..

Sorry if sounds like a rant.. But kind of sick of the users wanting to play actual firewall/router and not a toy - and wondering how come there is not a button I push to make my xbox work with the 3 other xboxs I have on the same network with the single public IP I got, etc.

I have been on this board for like 10 years.. And in all those years what I can tell you about pretty much every single "help me my port forwarding isn't working"..  PEBKAC...  Like every single one of them... Either they dicked up the forwarding themselves, the port is not even getting to pfsense to forward, or the device they are forwarding to is not even listening, or running its own firewall, etc. etc..

Why don't you look through every single thread here on port forwarding - and find where there was actually something broken in pfsense.. Good luck ;)  I don't recall ever coming across one in 10 years..  There have been some ODD ones for sure - just recently user ISP blocking outbound source port 80... So while 80 came into pfsense - the isp blocked the answer.. So it looked like pfsense wasn't working.. etc..
« Last Edit: October 30, 2017, 03:45:46 am by johnpoz »
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)
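The collision johnpoz describes above (client A and client B both picking source port 40122 behind a single public IP, with the router either rewriting the source port or keeping it "static") as an added Python model; this is not code from the thread or from pfSense/pf, and the public IP, the LAN addresses, and the rule that a colliding static-port mapping simply fails are assumptions of the model, not pf behaviour.

```python
"""Toy model of outbound NAPT (network address port translation) for one
public IP, in the two modes the post describes: the default, where the
router picks a fresh public source port for each new session, and
"static port", where the client's own source port is kept.  Constructed
for illustration; it is not pf or pfSense code."""
import random
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)  # public ports the router may hand out


@dataclass(frozen=True)
class Flow:
    """One outbound session as seen on the LAN side of the router."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    def __init__(self, public_ip, static_port=False, seed=0):
        self.public_ip = public_ip
        self.static_port = static_port
        self._rng = random.Random(seed)
        # (proto, public source port) in use -> the LAN flow that owns it
        self.table = {}

    def outbound(self, flow):
        """Translate a new outbound packet.  Returns the (public_ip,
        public_port) it leaves with, or None if no mapping can be made."""
        if self.static_port:
            key = (flow.proto, flow.src_port)
            owner = self.table.get(key)
            if owner is not None and owner != flow:
                return None  # model assumption: a static-port collision fails
            self.table[key] = flow
            return self.public_ip, flow.src_port
        # default mode: an existing session keeps its public port,
        # a new session gets any free one (the client's port is ignored)
        for (proto, pport), owner in self.table.items():
            if owner == flow:
                return self.public_ip, pport
        free = [p for p in EPHEMERAL if (flow.proto, p) not in self.table]
        if not free:
            return None  # all 64k public ports in use
        pport = self._rng.choice(free)
        self.table[(flow.proto, pport)] = flow
        return self.public_ip, pport

    def inbound(self, proto, public_port):
        """A reply arriving at the public IP: which LAN flow gets it?"""
        return self.table.get((proto, public_port))


def demo(static_port):
    """Two clients that both happen to pick source port 40122 (the post's
    example).  Addresses and destination are constructed sample values."""
    nat = Napt("203.0.113.10", static_port=static_port)
    a = Flow("udp", "192.168.1.10", 40122, "198.51.100.5", 53)
    b = Flow("udp", "192.168.1.11", 40122, "198.51.100.6", 53)
    return nat.outbound(a), nat.outbound(b), nat


if __name__ == "__main__":
    for mode in (False, True):
        pa, pb, _ = demo(mode)
        print("static port" if mode else "default", "A ->", pa, "B ->", pb)
```

In default mode both sessions get distinct public ports and replies are routed back to the right client; in static mode the second client's session cannot be mapped, which is the "whose fails?" case in the post.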

Offline Rainy

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
"By default, pfSense rewrites the source port on all outgoing packets."

This is how NAPT works.. This is how every single router does it... When you have multiple clients behind a NAT router, you have to change the source port of the traffic...  Because you have no control over what source port the client will use.

Let's say you have 10 clients behind your NAPT (network address port translation)..  All talking to lots of different things.  Keep in mind they have to share the 1 public IP..  This public IP only has 65k source ports to work with..  The clients are all just pretty much randomly picking different source ports to use.. Now really just kind of keep adding +1 to what they used for the last session..

So when client A happens to use say source port 40122 to talk to some public IP, and Client B happens to use the same 40122 source port.. How exactly does pfsense keep track of that since it only has the 1 source port it can use on its public IP..

So what happens is the NAPT router changes these source ports for all the traffic - unless you set it as static..  Which you can do in your outbound nat..  Now what if you had 100 different devices behind your NAPT.. what would be the odds that devices are using the same source ports?  What happens when client A wants the same source port as B.. Whose connection wins and whose fails?

Okay, I get that part.  But then why would you ever need to set anything to use a static port?  Again, what I am trying to figure out here, and what you never got around to fully explaining, is why port forwarding just works in the Asus router but not in pfSense.

Here is the thing.. Port forwarding in pfsense is just as easy as any nat soho router, just more powerful.. Gives you way more options you can do with it..  This seems to confuse users.. And then they start clicking on shit they don't need to click on ;)  Or don't understand the difference between a source and dest, etc.  Or that they can forward port 8080 to 80 for example..  All the options seem to confuse them ;)

And they did me for all of about five minutes, then I referred to the resources I mentioned in my original post and found what is supposed to be the correct way to do it.

It really only takes 10 seconds to forward a port in pfsense.. You really only need to adjust a couple of things.. The protocol (tcp/udp/both/any/etc), you need to pick the dest.. This is confusing to many users because this is normally not an option in the soho router.. This is pretty much always going to be wan address.  What port or port range you want to forward (dest) and then where you want to redirect it: the IP of your client..  The port and or range of ports you want to send to it.. It can be the same, or it could be different ports even.

I know all that.  Picking the destination did confuse me at first; leaving it set to WAN seemed counter-intuitive, but everything I read said that's how it should be so that's how I left it.

And while pfsense will auto create the wan firewall rule to allow this forward.  Many users seem to think lets change that default drop down.. Or they have other rules on the wan that are before the new added rule that prevent it, etc... Rule order matters in a firewall.. Maybe not in your off the shelf users toy of a router..  So yeah while you might have a port forward rule - did you create some rule on your wan that prevents it?

Not as far as I know; I would have had no reason to.  I certainly did not go into the firewall rules and mess with them after setting up the port forwards.

Most users don't get what nat reflection even is.. And they think its normal to from the lan side hit their wan IP and just be forwarded back into same network... This is NAT reflection - out of the box pfsense does not do this.. You have to tell it to do it, you have to tell it the type to do, etc.  To be honest nat reflection is just an abomination that is only needed to fix something that is broken.. Like hard coding IPs, etc.

I admit I have no idea what NAT reflection is, so originally I left that at the default.  Only when things didn't work did I try other settings for that, none of which helped in any way, so I put those back at the default.

"pfSense was a big mistake for someone with my relative lack of experience and knowledge about networking"

You might be on the right track here.. The power and configuration options can be overwhelming to someone that doesn't understand them..

Well okay, but my question again is, why if you set up Port Forwarding (and let's assume for the sake of argument that I did it using exactly the same rules as I had used on my Asus router) does it not just work, like it did on the Asus router?

I can tell you for sure that my son's console games never had a problem doing anything..... Part of the problem with these console games is they don't even tell you what ports and protocols are actually used in what direction... Sorry but why would a game need 53 forwarded inbound?  It freaking doesn't - it needs to be open outbound - doesn't need to be freaking forwarded.. 80 is on there as well.. If that needs to be forwarded..  Better tell most of the ISPs to not block it - since many isps block that inbound, etc..

Well if Microsoft tells people to open those ports, that is what they will do.  But let's assume for a moment that the ISP isn't blocking port 80, and let's assume that you open say 5 ports but really only one of those is used for inbound traffic.  So you have four ports opened for inbound traffic even though they never receive any.  So what?  That still doesn't explain why the XBOX sees the nat as strict rather than open.

What I suggest if you do not want to up your networking understanding and just plug shit in and have it work.. UPnP on out of the box, etc.  Only 1 network behind.. No vlans, etc..  Really only 1 option for port forwarding ;)  Then yeah just use the router your ISP gave you or go buy some $100 shiny box at the computer store that says its best for gaming..

Sorry if sounds like a rant.. But kind of sick of the users wanting to play actual firewall/router and not a toy - and wondering how come there is not a button I push to make my xbox work with the 3 other xboxs I have on the same network with the single public IP I got, etc.

So, basically, you are saying that no one should run pfSense unless they are a networking guru?  You have to realize that people may want to figure out how to properly use an "actual firewall/router and not a toy" (I think some router manufacturers might rightly be offended by you characterizing their devices as toys) but when basic things like port forwarding don't work out of the box and you have a kid wanting to play XBOX, people aren't going to want to stick around.  There are several other choices for router software out there (OPNsense, Untangle, and IPFire are three that come to mind) and I will bet that port forwarding works as it should on at least one of those.  Or that at the very least, if it doesn't and I ask why in their forums, they won't give me the big kiss-off as you have done.

I understand perfectly the issue of having multiple XBOXes on the same network, but that's not what I'm trying to do here.  I am trying to get one single XBOX to report the NAT type as open, and using the exact same port forwarding rules that resolve the issue on the Asus router.  I do understand that in some cases you have to forward TCP, or UDP, or both.  I do understand now that in some cases the rules may not be necessary even though Microsoft recommends them.  But none of that changes the fact that when I use those rules on my Asus router the XBOX works fine, and when I use them in pfSense, it doesn't.

I have been on this board for like 10 years.. And in all those years what I can tell you about pretty much every single "help me my port forwarding isn't working"..  PEBKAC...  Like every single one of them... Either they dicked up the forwarding themselves, the port is not even getting to pfsense to forward, or the device they are forwarding to is not even listening, or running its own firewall, etc. etc..

Well I double checked that the ports were correct, or at least the same as what I am using on the Asus.  Believe me, I have fat-fingered numbers when typing them in before, so that is always something I check if things aren't working.  It's not like this is the first time I've ever done this, it's just the first time that entering the port forwarding rules didn't work as they should.  So pfSense is doing SOMETHING different from those "toy" routers as you so derisively call them, and strangely enough it's the "toys" that work and pfSense that doesn't.

Why don't you look through every single thread here on port forwarding - and find where there was actually something broken in pfsense.. Good luck ;)  I don't recall ever coming across one in 10 years..  There have been some ODD ones for sure - just recently user ISP blocking outbound source port 80... So while 80 came into pfsense - the isp blocked the answer.. So it looked like pfsense wasn't working.. etc..

I have looked at several threads on port forwarding and they all indicate that the way I did it was the way you're supposed to do it.  And if it were a problem of the ISP blocking port 80, then why does the Asus work?  You don't seem to get it that I can unplug the Asus and replace it with the pfSense device, and the XBOX starts reporting the NAT type as strict, then I can unplug the pfSense device and plug the Asus router back in and the XBOX reports the NAT type as open.  I'm not going to read every single thread in this forum, nobody's got time for that!

You said your son's games never had a problem, but did he have an XBOX?  And if so, did you resort to enabling uPnP to make it work (or did you already have uPnP enabled)? If he didn't have an XBOX or if you enabled uPnP then your experience isn't at all relevant to this issue.

And would it be so terrible to have a special configuration wizard for game users? The pfSense gaming forum at https://forum.pfsense.org/index.php?board=42.0 is just chock-full of posts from people having problems getting games to work under pfSense, and many of them are having NAT issues.  If you have to have an entire forum just to try to address these issues, and if so many people are struggling with these issues, it seems to me like there is something fundamentally wrong with pfSense.  You can try to blame the user, but that doesn't help anything.  My point is that if port forwarding works fine in those "toy" routers and not in pfSense, then maybe the pfSense developers should try to figure out why their software is making life difficult for users, and come up with something better that will address these issues.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9088
  • Karma: +1037/-306
Post screen shots and we'll tell you where you screwed it up.

pfSense NAT is EXTREMELY flexible. You can solve all kinds of problems with it.

Setting up a simple port forward is just that - simple.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline Rainy

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
Post screen shots and we'll tell you where you screwed it up.

pfSense NAT is EXTREMELY flexible. You can solve all kinds of problems with it.

Setting up a simple port forward is just that - simple.
Unfortunately, because of these issues I had to take the pfSense box offline and replace it with the original Asus router, so it's not hooked up, and right at the moment I'm not physically near the device, so I can't just hook it up to take screenshots.  That said, your tone indicates that you think I screwed up in creating the Port Forwarding rules, and while that's not 100% impossible, if I did then there are several videos and web pages giving bad information (which admittedly is a possibility).

I may not be able to post anything until sometime after the end of the week, and by that point I may have decided to just try some other software package (such as OPNsense) because to be honest I don't like the "blame the user" vibe I am getting here.  If it were only me having issues, I'd be more open to the idea that I'm the dummy here, but when you have an entire gaming forum full of posts from people having problems getting gaming to work, then I start to feel as though there is something fundamentally wrong with the software itself.

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9088
  • Karma: +1037/-306
Good luck. It is obvious you did something wrong or it would be working.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline ivor

  • Administrator
  • Sr. Member
  • *****
  • Posts: 586
  • Karma: +134/-125
    • Netgate
I may not be able to post anything until sometime after the end of the week, and by that point I may have decided to just try some other software package (such as OPNsense) because to be honest I don't like the "blame the user" vibe I am getting here.  If it were only me having issues, I'd be more open to the idea that I'm the dummy here, but when you have an entire gaming forum full of posts from people having problems getting gaming to work, then I start to feel as though there is something fundamentally wrong with the software itself.

I'm sorry but you seem to be here just to vent. The issue is almost surely with the way you have configured it, not with the software. There's over 1 million active pfSense installs, something tells me port forwarding isn't that difficult. This discussion isn't going anywhere so thread locked. Best of luck to you!
Need help fast? Commercial support: https://www.netgate.com/support/