DuckDNS port forwarding works only with *>8123 (any>8123) on pfSense

Good morning,
Since yesterday I have been struggling with DuckDNS.
In my various router configuration attempts I kept inserting a rule 443 > 8123 for hours, and it never worked.
Now, by chance, I changed the rule to * > 8123, which is any > 8123, and I can access HA from outside through DuckDNS.
So to access from outside (but also from the LAN) I enter https://miosito.duckdns.org:8123 and I'm in!!
Since the firewall rule has *, I was afraid that entering any port other than 8123 would get in anyway, but that's not the case … better!!
My question is: if I put * (any), can I have problems?

Thanks, Alberto

My pfSense port forwarding that works:


My pfSense port forwarding that doesn't work:

Alberto,
I sympathise, I’ve had a lot of experience with this issue recently so I suggest that you look at that thread.

Apologies if any of the following is a bit basic, but with those out of the way… : - )))

  1. What router do you have?
  2. I assume you are using https://myfortressofsolitude.duckdns.org? i.e. don’t use ANY port!
  3. If you are, then https defaults to port 443, so port 8123 doesn’t enter the equation (if you also use nginx, read up on that too)
  4. The thread should allow you to set everything up AND will allow you to access your HA locally (with 8123) without having to go out onto the Internet to come back via https

Have a read and a play and come back if you have any issues
Mutt

Please be careful opening ports and understand what you are exposing prior to doing so.

First off, have you confirmed DuckDNS is updating your public IP address? On the home screen of pfSense it is displayed next to WAN (not the gateway address). Or google “what’s my IP” from within your own network.

Second, do you have SSL set up? If not, you shouldn’t be specifying https. Did you use the DuckDNS add-on or another method?

If you open 443 to 8123 you won’t need to specify the port when you type the address. So https://miosito.duckdns.org should get you your HA home page.

If you forward 8123 to 8123 you will need to specify the port being used, as https defaults to port 443 and http defaults to port 80. So with the 8123 to 8123 forward above you would need to use https://miosito.duckdns.org:8123/

Use your phone and test the connection. Getting the https://miosito.duckdns.org:8123/ working from inside your own network is a separate issue. I don’t have a pfsense box anymore but I believe there was a step beyond the port forward to get NAT reflection/loop back working properly.

pfSense, it’s all over the first post

This depends on the port forwarding setup in one’s router.

The ability to use the same URL inside and outside your network depends on the NAT reflection/loopback settings of your router. Some handle this automatically, for others it needs to be set up. Some don’t even offer the option.

Thank you guys,
I think I missed something I did a while ago.
Basically pfSense is behind the DSL modem.
Unfortunately I can’t set the DSL modem as a pure modem, so it has a firewall inside that I had set to a low level of control.
On the modem I had set the pfSense IP as DMZ, thinking of bypassing the modem’s firewall, but it doesn’t.
In fact, long ago, I added a modem port forwarding rule that set 443 > 8123.
That’s why pfSense works with any > 8123!!

Silvrr, sorry, I did read all the thread but had never heard of pfSense, so it didn’t register as the router (probably my speed reading). I assumed it was software running on a gateway.

Alberto, having 2 layers of firewall is a problem, as you will have two layers of NAT as well, presumably having the same forwarding on both. Mine are set straight with only 443 forwarded to my HA on 443 (no 8123 or 80 on my setup, as I also run nginx). Not sure how else I can help, as I’ve not done anything with your type of setup.

Surely not; if https defaults to 443 (and it does) then it will arrive at your public-facing IP address on 443 also; from there it depends on the rules put in place on the firewall?

That is correct. However if one doesn’t forward 443 to 8123 they are not going to connect. HA will not respond on 443.

Mine does - maybe because of nginx ?
Remember, I only have 443 forwarded and that goes to my HA 443

You can’t have a “SOURCE” port because you don’t know what port the client is going to USE to communicate. Every connection that is initiated by a client uses a random port. You have no way of knowing the source port. In general, you never use the source port for port forwards (very rare situations call for it).

Yeah, that’s why I pointed out (in the linked thread) that this was a mistake and disabled it.
I guess it’s not just me who speed reads : - )))

If in pfSense I put the HA IP as the destination instead of the WAN address, it doesn’t work.
In this situation I always have to put port 8123 after the address.
I access it both from the LAN and from outside in https!!
I wouldn’t know how to avoid entering port 8123, but in the end the connection works.

This is the modem

This is pfSense

No, I just didn’t feel the need to follow a linked thread when I understand networking.

Correct. Because the packets are hitting the WAN IP address, and not the private IP address. You are double NATted. The traffic hitting the modem/router only knows to go to the PFSense, it has no idea what exists beyond that. The connection is trying to be made TO PFSense, not to HA. It has to pass through PF to get to HA.

Your PFSense rule looks fine to me. There is nothing wrong with it.

Since you are DOUBLE NATTED, you don’t have to worry about the source on your PFSense, since the only traffic it sees is traffic from the private side of the modem/router.

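To make the two explanations above concrete (a source-port match can never work against clients using ephemeral ports, and behind the modem's 443 > 8123 forward pfSense only ever sees destination port 8123), here is an added toy model of the two NAT hops. It is my own example, not code from the thread or from pfSense; all addresses and the rule shapes are constructed.

```python
from dataclasses import dataclass, replace
from typing import Optional
import random

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class ForwardRule:
    """One port-forward (destination NAT) rule; src_port None means 'any' (*)."""
    src_port: Optional[int]   # source port to match, or None for any
    dst_port: int             # destination port the packet arrives on
    target_ip: str            # internal host to forward to
    target_port: int

    def apply(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst_port != self.dst_port:
            return None                      # rule does not match this packet
        if self.src_port is not None and pkt.src_port != self.src_port:
            return None                      # source-port filter fails
        return replace(pkt, dst_ip=self.target_ip, dst_port=self.target_port)

def traverse(pkt: Packet, hops: list) -> Optional[Packet]:
    """Push a packet through successive NAT hops; None if any hop drops it."""
    for rule in hops:
        pkt = rule.apply(pkt)
        if pkt is None:
            return None
    return pkt

# Constructed addresses (RFC 5737 documentation ranges); not from the thread.
HA_IP = "192.168.10.50"
MODEM_RULE = ForwardRule(None, 443, "192.168.1.2", 8123)  # modem: 443 -> pfSense:8123
PF_ANY_8123 = ForwardRule(None, 8123, HA_IP, 8123)        # pfSense "* > 8123"
PF_SRC_443 = ForwardRule(443, 8123, HA_IP, 8123)          # "443 > 8123" read as a SOURCE port
PF_DST_443 = ForwardRule(None, 443, HA_IP, 8123)          # "443 > 8123" as destination 443

def reaches_ha(pf_rule: ForwardRule, src_port: Optional[int] = None) -> bool:
    """Does an https request from a client with a random source port land on HA:8123?"""
    sp = src_port if src_port is not None else random.randint(49152, 65535)
    pkt = Packet("203.0.113.7", sp, "198.51.100.9", 443)  # client -> public IP, https
    out = traverse(pkt, [MODEM_RULE, pf_rule])
    return out is not None and (out.dst_ip, out.dst_port) == (HA_IP, 8123)
```

Only the "any > 8123" rule forwards the request; the source-port variant would admit only a client that happened to pick source port 443, and the destination-443 variant never matches because the modem has already rewritten the port.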

Alberto,
If you are out and about and you need access to your HA, then depending on which wireless access point you connect through and which NAT that connects through, you will be talking from a different IP address. So unless you only do it from a specific friend’s house, who happens to have a ‘FIXED’ public IP address …
If you mean that “ANY” address will be able to talk to your public-facing equipment (the one with the internet address, rather than a class C or class B internal address), then yes, that is true, but they will only be able to talk on the ports you expose, and port 443 will only talk https - encrypted traffic (admittedly with a self-signed certificate). But you also have the ability to turn on Multi-factor Authentication Modules (check under your profile (lower left corner)); this means you have to authenticate each person (account really) on each device accessing your instance, and that’s after guessing a valid username and password. This Multi-Factor needs verification of a random 6 digit code that changes every 30 seconds. Google do an app for it (there is another provider but I can’t remember off the top of my head).
So there’s a lot to get through just so someone can play with your lights ; - ))))))))))