Messages - ivica.glavocic

#1
General Discussion / Re: Rule Separators
July 24, 2025, 02:37:23 PM
Sorry to revive this topic after such a long time, just to give you one example - currently two companies are in the process of choosing a new edge firewall (with paid support) and usability is very important to them. I am pushing them towards opnsense, but rule separators are the thing they want because their firewalls have hundreds of rules and, in their opinion, visibility is so much better with separators in pfsense than with categories in opnsense. Their 2 cents, not mine :)
#2
Mystery has been solved.

For testing purposes, I was connecting from one of our fixed public IP addresses, filtering incoming port forwards on OPNSense and the other firewalls only for that public IP.

I really started to bang my head when, from that public IP, the port forward did not work on Fortinet and Mikrotik, same port. Totally different architectures, yet all have the same problem with that damn 57777 port. Impossible.

It turned out that the very same public IP I was connecting from and using for testing already had 57777 forwarded from outside. It prevented outgoing connections on that port.

As soon as I briefly opened NAT on all firewalls to the entire Internet and tested from a few different IPs, everything worked.

Thanks to everyone for the help, you are an excellent community, OPNSense is still in the running for our new firewall cluster.
#3
Rules are OK.

TCP WAN 52222 ---> LAN 22 works.
TCP WAN 57777 ---> LAN 7777 does not work.
Same rules, different ports.

Must be something stupid and trivial, just can't figure out what.
#4
Quote from: Patrick M. Hausen on July 23, 2025, 03:49:59 PM
Show those NAT and firewall rules and we will see if they are 100% correct. Simple as that.

Here they are.
#5
Same thing with pfsense v2.8.0, clean install - TCP port 57777 cannot be forwarded from WAN to LAN test server port 7777.
NAT and firewall rules are 100% correct, multiple checks.
Go figure.
#6
It looks to me as well that those ports are in use, but how can I confirm?

I tried the following:
net.inet.ip.portrange.hifirst: 40000
net.inet.ip.portrange.hilast: 50992
reboot
That gives almost 11,000 ephemeral ports for the system to use.

Port 57777 is still not accessible.
#7
Thanks for the quick answer. For testing purposes, in Tunables I have set net.inet.ip.portrange.hifirst: 59999, and port 57777 is still not accessible from outside.
"sockstat -l | fgrep 5777" shows nothing.
#8
On my OPNSense v25.1.11, ports 57776 and 57777 can't be forwarded to internal ports. NAT and related firewall rules are OK, ISP is not blocking them. Netstat did not show anything listening on those ports. Any idea why?
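Posts #6 to #8 above ask how to confirm that a port is really in use on the firewall when a port forward does not work and nothing is listening. The script below is an added example, not code from the thread, from OPNsense or from pfSense: on a FreeBSD/pf host a port can be spoken for in three different places, and the script parses all three from the text formats printed by `sockstat -l` (local listeners), `pfctl -sn` (rdr rules that already claim the external port) and `sysctl net.inet.ip.portrange` (the source-port ranges outbound connections are drawn from), then reports which of them applies. The three sample outputs, the interface name vtnet0, the PIDs and the addresses are constructed for the example. On FreeBSD the default ephemeral range is `first..last`; `hifirst..hilast` is only used by sockets that set the IP_PORTRANGE_HIGH option, which the last assertion in the usage below makes visible.

```python
"""Check whether a port on a FreeBSD/pf firewall (OPNsense, pfSense) is claimed
by a listener, by an rdr (port forward) rule, or lies in an ephemeral port
range. Parses text in the format of `sockstat -l`, `pfctl -sn` and
`sysctl net.inet.ip.portrange`. Added example; all sample output is constructed."""
import re
from typing import Dict, List

# Constructed `sockstat -l` sample (listening sockets only).
SOCKSTAT_OUTPUT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1234  3  tcp4   *:22                  *:*
root     sshd       1234  4  tcp6   *:22                  *:*
unbound  unbound    2222  5  udp4   192.168.1.1:53        *:*
"""

# Constructed `pfctl -sn` sample; interface vtnet0 and the addresses are assumed.
PFCTL_NAT_OUTPUT = """\
rdr on vtnet0 inet proto tcp from any to 203.0.113.10 port = 52222 -> 192.168.1.20 port 22
rdr on vtnet0 inet proto tcp from any to 203.0.113.10 port = 57777 -> 192.168.1.20 port 7777
nat on vtnet0 inet from 192.168.1.0/24 to any -> 203.0.113.10
"""

# Constructed `sysctl net.inet.ip.portrange` sample with FreeBSD default values.
SYSCTL_OUTPUT = """\
net.inet.ip.portrange.lowfirst: 1023
net.inet.ip.portrange.lowlast: 600
net.inet.ip.portrange.first: 10000
net.inet.ip.portrange.last: 65535
net.inet.ip.portrange.hifirst: 49152
net.inet.ip.portrange.hilast: 65535
"""

RDR_RE = re.compile(
    r"^rdr(?: pass)? on (?P<iface>\S+) inet6? proto (?P<proto>\w+) from \S+ "
    r"to (?P<ext_addr>\S+) port (?:= )?(?P<ext_port>\d+) "
    r"-> (?P<int_addr>\S+) port (?P<int_port>\d+)")


def parse_listeners(text: str) -> List[Dict]:
    """One record per listening socket; the LOCAL ADDRESS column is host:port."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] == "USER":      # skip the header and short lines
            continue
        addr, port = f[5].rsplit(":", 1)      # "*:22" or "192.168.1.1:53"
        out.append({"command": f[1], "pid": int(f[2]), "proto": f[4][:3],
                    "addr": addr, "port": int(port)})
    return out


def parse_rdr_rules(text: str) -> List[Dict]:
    """The rdr rules from `pfctl -sn`; plain nat rules do not match and are skipped."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ext_port"], d["int_port"] = int(d["ext_port"]), int(d["int_port"])
            rules.append(d)
    return rules


def parse_portranges(text: str) -> Dict[str, int]:
    """Map each net.inet.ip.portrange.<name> line to its integer value."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"net\.inet\.ip\.portrange\.(\w+):\s*(-?\d+)", text)}


def ephemeral_ranges_containing(port: int, ranges: Dict[str, int]) -> List[str]:
    """Names of the source-port ranges the kernel could hand out `port` from.
    first..last is the default range; hifirst..hilast only serves sockets that
    set IP_PORTRANGE_HIGH, lowfirst..lowlast those that set IP_PORTRANGE_LOW."""
    hits = []
    for lo, hi in (("first", "last"), ("hifirst", "hilast"), ("lowfirst", "lowlast")):
        if lo in ranges and hi in ranges:
            a, b = sorted((ranges[lo], ranges[hi]))  # the low range is listed high-to-low
            if a <= port <= b:
                hits.append(f"{lo}-{hi}")
    return hits


def check_port(port: int, proto: str = "tcp", sockstat: str = SOCKSTAT_OUTPUT,
               pfctl: str = PFCTL_NAT_OUTPUT, sysctl: str = SYSCTL_OUTPUT) -> Dict:
    """Report every way `port`/`proto` is already spoken for on the firewall."""
    listeners = [s["command"] for s in parse_listeners(sockstat)
                 if s["proto"] == proto and s["port"] == port]
    forwards = [f"{r['ext_addr']}:{r['ext_port']} -> {r['int_addr']}:{r['int_port']}"
                for r in parse_rdr_rules(pfctl)
                if r["proto"] == proto and r["ext_port"] == port]
    return {"port": port, "proto": proto, "listeners": listeners, "forwards": forwards,
            "ephemeral_ranges": ephemeral_ranges_containing(port, parse_portranges(sysctl)),
            "claimed": bool(listeners or forwards)}
```

On a real firewall, feed the script the actual command output instead of the constructed samples, for example `check_port(57777, sockstat=subprocess.run(["sockstat", "-l"], capture_output=True, text=True).stdout, ...)`; running it on the firewall you are testing from, not only on the one you are testing against, is what would have shown the existing 57777 forward described in post #2. With the sample data, 57777 has no listener but is already claimed by an rdr rule and sits inside both the default and the high ephemeral range; raising only `hifirst` to 59999, as post #7 did, leaves it inside `first..last`.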