Port forwards can be tricky. Below is a series of suggestions about getting port forwards to work.
- First, make sure you understand the process of adding port forwards from the wiki page.
- Verify that the destination host on the inside is using the NG Firewall as its default gateway. If not the packets won't find their way back to the outside machine.
- Verify that the destination service is reachable from the inside on the IP and port specified in your port forward rule. Many hours have been wasted on troubleshooting port forwards when the destination isn't working right.
- Test your port forward using 'telnet.' In Windows you can run Start>Run>cmd and then you can type telnet 22.214.171.124 123 where 126.96.36.199 is your external IP and 123 is the port your port forward rule matches. If it connects and hangs then the port forward is working. If it fails to connect then your port forward is not working. Note: For Windows 7 and newer the Telnet program must be installed.
- Test your rule from the outside. Port forwarding back inside the network has extra complications. First verify that it works from the outside.
- Verify that NG Firewall can connect to the final destination. To do so open the console on NG Firewall and type 'telnet 192.168.1.10 123' where 192.168.1.10 is the internal server you are forwarding to and 123 is the port. If it connects then NG Firewall can reach the server. If it fails to connect NG Firewall can't reach the server and the port forward will probably not function until this part is working.
- For testing, turn off the Firewall and Captive Portal applications if you have them installed. Port forwarded sessions will not connect if they are blocked by an application.
- Simplify your port forward rule. Remove extra qualifiers and make it contain as few as possible. For example specify just what port to forward and Destined Local and then which server to forward it to. If that works then add the extra qualifiers back one at a time testing each time.
- If you are port forwarding port 443 (HTTPS), try moving NG Firewall administration to another port so that port 443 is available to be forwarded.
- Remove any Source Address and Source Interface qualifiers - 99% of the time these are misused when Destination Port and Destination Address should be used instead.
- For advanced users, use tcpdump to debug and watch the packets. To do so, run these commands in seperate windows where 123 is the port you are trying to forward. This assumes you are forwarding external traffic (eth0 by default) to internal (eth1 by default). tcpdump -i eth0 -n "port 123" and tcpdump -i eth1 -n "port 123"
- Still not working? Post a screenshot of your port forward rule to the forums and along with the results from the above tests and ask for help.
Have more questions? Submit a request