gacpac Posted July 17, 2019 (edited)

I have a double NAT situation, because my landlord shares a connection with me. I have my own router and I had this working in the past. What changed:
- He changed his Comcast router to a different model (it has the same GUI as all the Xfinity ones).
- This router looks like it has NAT reflection enabled by default (before, I couldn't ping my public IP from the inside).

He gave me access so I could open my ports again, but they don't seem to work. This doesn't make sense. Normally I keep a screenshot of the working settings so I don't forget. And the behavior I get after opening a port is that it works one time. Example: I connect to my VPN, it works the first time, then the next time I try to connect it times out. Same for Nextcloud: login works the first time, the next time it times out. An additional behavior is that I cannot access canyouseeme.org from my internal LAN. This happens behind his Xfinity router and behind my pfSense router. Believe me, I thought it was a setting in the pfSense. But I have my ports open in the firewall and I haven't touched anything since I set it up. I'd rather create this post here than somewhere else in the forum to avoid clutter.

Sent from my Pixel 2 XL using Tapatalk

Edited August 10, 2019 by gacpac
fl0at Posted July 17, 2019

Can you explain your setup?

His Router (DHCP) -> His devices -> vLan -> pfSense (your DHCP) -> switch and wireless ap -> your devices

Something like that?
gacpac (Author) Posted July 17, 2019

fl0at said:
Can you explain your setup? His Router (DHCP) -> His devices -> vLan -> pfSense (your DHCP) -> switch and wireless ap -> your devices. Something like that?

It's quite simple. Basically how you described it. These are my IPs:
His router 10.0.0.0/24
pfSense WAN 10.0.0.115
pfSense LAN DHCP 172.16.1.0/24
Unraid 172.16.1.137

Sent from my Pixel 2 XL using Tapatalk
fl0at Posted July 17, 2019

1 hour ago, gacpac said:
It's quite simple. Basically how you described it. These are my IPs: His router 10.0.0.0/24, pfSense WAN 10.0.0.115, pfSense LAN DHCP 172.16.1.0/24, Unraid 172.16.1.137.

Just for testing, are you allowed to set your pfSense box as the DMZ IP on your landlord's router? That at least would throw everything at you, and you could go from there.
gacpac (Author) Posted July 17, 2019

fl0at said:
Just for testing, are you allowed to set your pfSense box as the DMZ IP on your landlord's router? That at least would throw everything at you, and you could go from there.

Originally that's how I had it set up. And let me tell you, that works great. This time around I decided to go with port forwarding to start troubleshooting. But man, it's weird; I started to think it's maybe my pfSense. Because the fact that it works one time, and then it blocks, drives me crazy.

Sent from my Pixel 2 XL using Tapatalk
fl0at Posted July 17, 2019

33 minutes ago, gacpac said:
Originally that's how I had it set up. And let me tell you, that works great. This time around I decided to go with port forwarding to start troubleshooting. But man, it's weird; I started to think it's maybe my pfSense. Because the fact that it works one time, and then it blocks, drives me crazy.

I think it's just your double NAT getting the final target port all out of whack. I would just stick with DMZ, block all inbound, and open ports as needed in pfSense. The double NAT already complicates things; I wouldn't add an additional complication if not needed.
gacpac (Author) Posted July 18, 2019

fl0at said:
I think it's just your double NAT getting the final target port all out of whack. I would just stick with DMZ, block all inbound, and open ports as needed in pfSense. The double NAT already complicates things; I wouldn't add an additional complication if not needed.

I can try that again, but if it doesn't work I'll back up and start with a fresh configuration. Don't know what else to do.

Sent from my Pixel 2 XL using Tapatalk
gacpac (Author) Posted July 19, 2019

I think it is my pfSense. Because I have disabled the entire firewall on the Comcast router and everything behaves the same way. I also turned off my pfSense and some websites started working again, I guess. Something has to be getting messed up in the port forwarding. But I don't know what to check for, because nothing has been changed; maybe the firewall is detecting an attack (false positive).

Sent from my Pixel 2 XL using Tapatalk
fl0at Posted July 19, 2019 (edited)

2 hours ago, gacpac said:
I think it is my pfSense. Because I have disabled the entire firewall on the Comcast router and everything behaves the same way. I also turned off my pfSense and some websites started working again, I guess. Something has to be getting messed up in the port forwarding. But I don't know what to check for, because nothing has been changed; maybe the firewall is detecting an attack (false positive).

Can you upload a picture of your firewall rules? Because you shouldn't be port forwarding in pfSense, but allowing through on the firewall tab. So my rules are like:

- Allow IPv4 UDP 1194 WAN
- Block IPv4+6 WAN
- Allow IPv4+6 LAN

So I block all incoming to WAN, except OpenVPN, and that rule needs to be above my block incoming. And then I allow everything from LAN out. That's a basic configuration.

Can you also look at your routes? Should be System -> Routing. Your new router could be sending IPv6 downstream, and you aren't picking it up or including it in your firewall rules.

Edited July 19, 2019 by fl0at
gacpac (Author) Posted July 19, 2019

Let me see. And I think I have an allow all to WAN. Also allow from LAN to WAN. Hang on.

Sent from my Pixel 2 XL using Tapatalk
fl0at Posted July 19, 2019

It seems like you've got pretty open control on your landlord's router, so why not disable pfSense's DHCP, and get IPs from the landlord's router? Static your IPs, and create your rules in pfSense using LAN as source and destination. You'll remove your double NAT, and still get your protection.
gacpac (Author) Posted July 20, 2019

fl0at said:
It seems like you've got pretty open control on your landlord's router, so why not disable pfSense's DHCP, and get IPs from the landlord's router? Static your IPs, and create your rules in pfSense using LAN as source and destination. You'll remove your double NAT, and still get your protection.

Lol. Yeah, at the beginning I was just using his. But it's messy, like: he has a Chromecast, I have one. He plays stuff on my TV by mistake all the time. So I thought of setting up my own network to keep my privacy. Today I've been thinking of creating a subnet within the 10.0.0.0 and going from there, or maybe a VLAN? So devices stay separated. I don't wanna make it complicated, honestly.

Sent from my Pixel 2 XL using Tapatalk
gacpac (Author) Posted July 20, 2019

So far I've been getting around with an Ubuntu box with VNC. But it's annoying as hell.

Sent from my Pixel 2 XL using Tapatalk
fl0at Posted July 20, 2019

11 minutes ago, gacpac said:
Lol. Yeah, at the beginning I was just using his. But it's messy, like: he has a Chromecast, I have one. He plays stuff on my TV by mistake all the time. So I thought of setting up my own network to keep my privacy. Today I've been thinking of creating a subnet within the 10.0.0.0 and going from there, or maybe a VLAN? So devices stay separated. I don't wanna make it complicated, honestly.

If you set your rules in pfSense to block inbound LAN except on the ports you want open, you'll block his inbound (like Chromecast) even if on the same network.
gacpac (Author) Posted July 20, 2019

I'll see what I can do for that.
gacpac (Author) Posted July 21, 2019

On 7/19/2019 at 9:53 AM, fl0at said:
Can you upload a picture of your firewall rules? Because you shouldn't be port forwarding in pfSense, but allowing through on the firewall tab. So my rules are like: Allow IPv4 UDP 1194 WAN; Block IPv4+6 WAN; Allow IPv4+6 LAN. So I block all incoming to WAN, except OpenVPN, and that rule needs to be above my block incoming. And then I allow everything from LAN out. That's a basic configuration. Can you also look at your routes? Should be System -> Routing. Your new router could be sending IPv6 downstream, and you aren't picking it up or including it in your firewall rules.

pfSense has an option to port forward and it's basically a rule that gets created automatically. Look, this is all I have. I also have traffic shaper enabled, but I don't think that will give me issues.
gacpac (Author) Posted July 21, 2019 (edited)

And I don't get this. The ports get opened and work. But after you try, they get blocked. If I were to trace connections in pfSense, where can I go? If I check on yougetsignal.com I can see the port is open, but after I try to connect it gets rejected. Could traffic shaping be part of the problem?

Edited July 22, 2019 by gacpac
gacpac (Author) Posted July 22, 2019

And I did it. I have wiped my configuration and sht doesn't work. Started clean and nothing. If somebody can even remote to my computer and help me figure this out, please.
gacpac (Author) Posted July 22, 2019 (edited)

I finished troubleshooting and yes, I think Comcast is blocking the ports T.T

To confirm this I did the following. Disconnected my pfSense and connected directly to the core router (Comcast). I downloaded a free FTP application to my phone using port 16446 and forwarded the port. You see the port open and everything. And I'm bypassing pfSense; I'm connected directly to the main router coming from the ISP. Now if I try to connect, it works for a second and then they block.

Edited July 22, 2019 by gacpac
fl0at Posted July 22, 2019

27 minutes ago, gacpac said:
I finished troubleshooting and yes, I think Comcast is blocking the ports T.T To confirm this I did the following. Disconnected my pfSense and connected directly to the core router (Comcast). I downloaded a free FTP application to my phone using port 16446 and forwarded the port.

If it is a Comcast thing you should still be able to do that same port scan behind pfSense, using the same methodology as the other ports. If not, it's a configuration issue.
gacpac (Author) Posted July 22, 2019

1 minute ago, fl0at said:
If it is a Comcast thing you should still be able to do that same port scan behind pfSense, using the same methodology as the other ports. If not, it's a configuration issue.

Yes. I'm able to do it from behind my pfSense. But I turned it off just to take everything out of the way. This really sucks, because it was working, and things don't stop working out of the blue. It's even closing the built-in ports for GUI remote management. Now I know it's something with the router, maybe, but I don't own the router, so I gotta deal with it like that.
fl0at Posted July 22, 2019

11 hours ago, gacpac said:
Yes. I'm able to do it from behind my pfSense. But I turned it off just to take everything out of the way. This really sucks, because it was working, and things don't stop working out of the blue. It's even closing the built-in ports for GUI remote management. Now I know it's something with the router, maybe, but I don't own the router, so I gotta deal with it like that.

I haven't ever seen port blocking from within a router as a practice. Because to defeat the block, you'd just change routers. Comcast on non-business blocks 80 at a level before the connection to the home. I would assume they would continue that practice for other ports they want blocked. Connecting once and then not again sounds like a configuration issue, not an adaptive and learning process within the router (which is what it would have to be to allow once, and then decide to block).
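The two posts above disagree on whether the "works once, then times out" pattern is an upstream block or a configuration problem, and a single check on canyouseeme.org or yougetsignal.com only reports the first moment. The added script below (not code from the thread or from pfSense) probes a forwarded port several times from the outside and names the pattern it sees; the default address is an RFC 5737 documentation placeholder and the port is the 16446 FTP test port from the thread, both of which you would replace.

```python
"""Repeated TCP reachability probe for the "works once, then times out" symptom.

Added example for this thread, not code from the original posts. Run it from
OUTSIDE the network (a phone on cellular, a VPS) against the public IP and
the forwarded port. The host below is a documentation placeholder.
"""
import socket
import sys
import time
from typing import Callable, List, Optional

Probe = Callable[[str, int], Optional[float]]


def probe_once(host: str, port: int, timeout: float = 3.0) -> Optional[float]:
    """Complete one full TCP handshake; return connect latency in seconds,
    or None if the connection timed out or was refused/reset."""
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return time.monotonic() - start
    except OSError:
        return None


def probe_repeated(host: str, port: int, count: int = 5, pause: float = 2.0,
                   probe: Probe = probe_once) -> List[Optional[float]]:
    """Probe `count` times with `pause` seconds between attempts; each attempt
    is a fresh connection (new source port), so a state-table problem shows up."""
    results: List[Optional[float]] = []
    for i in range(count):
        results.append(probe(host, port))
        if i < count - 1:
            time.sleep(pause)
    return results


def classify(results: List[Optional[float]]) -> str:
    """Name the pattern: 'never' (closed or filtered upstream), 'stable'
    (every attempt connected), 'first-only' (the thread's symptom: first
    attempt connects, every later one fails), or 'flapping' (mixed)."""
    ok = [r is not None for r in results]
    if not any(ok):
        return "never"
    if all(ok):
        return "stable"
    if ok[0] and not any(ok[1:]):
        return "first-only"
    return "flapping"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "203.0.113.10"  # placeholder
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 16446
    res = probe_repeated(host, port)
    for i, r in enumerate(res, 1):
        print(f"probe {i}: {'ok %.3fs' % r if r is not None else 'timeout/refused'}")
    print("pattern:", classify(res))
```

A "first-only" result with pfSense removed from the path points at the upstream gateway, while the same result only when pfSense is in the path points at its rules or state handling.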
gacpac (Author) Posted July 22, 2019

Honestly, I'm with you. I'm sure if I get my own modem and get to pfSense it will work. But it's not my gateway, so not much I can do T.T

Sent from my Pixel 2 XL using Tapatalk
gacpac (Author) Posted July 28, 2019

I pay for PIA already. Maybe I can get away with using a VPN for my entire network and then port forward using that?

Sent from my Pixel 2 XL using Tapatalk
JonathanM Posted July 28, 2019

5 hours ago, gacpac said:
I pay for PIA already. Maybe I can get away with using a VPN for my entire network and then port forward using that?

No, they aren't going to allow you to forward port 80.