Testing a TCP Port

The Diagnostics > Test Port page performs a simple TCP port connection test to check if the firewall can communicate with another host. This tests if a host is up and accepting connections on a given port, at least from the perspective of the firewall.

This test transmits no data to the remote host; it only attempts to open a connection and optionally displays the data sent back from the server.

In the default mode the test attempts a simple TCP handshake (SYN, SYN+ACK, ACK), and if the attempt succeeds, it reports the result.

Note

This test does not function for UDP since there is no way to reliably determine if a UDP port accepts connections in this manner.

To perform a test:

  • Navigate to Diagnostics > Test Port

  • Fill in the fields on the page. The Hostname and Port fields are required; the rest are optional.

  • Click Test.

The following options are available on this page:

Hostname

This is the IP address or hostname of the target system. This is a required field.

Port

This is the TCP port on the target used by the test. This is a required field and must be a valid port number, meaning an integer between 1 and 65535.

Source Port

An optional specific source port for the query. This is unnecessary in most cases.

Remote Text

If checked, this option shows the text given by the server when connecting to the port. The server is given 10 seconds to respond, and this page will display all of the text sent back by the server in those 10 seconds. As such, the test will run for a minimum of 10 seconds when performing this check.

Note

Not all daemons will output text to the user on connect, so this may be blank even if the service is working properly. For example, an SMTP server will respond with a welcome message, as will FTP, but an HTTP daemon will not send any text.

Source Address

A specific source IP address or IP Alias/CARP Virtual IP from which the query will be sent. The service being tested may require a specific source IP address, network, etc., in order to make a connection.

IP Protocol

This option selects either IPv4 or IPv6 to control which type of IP address is used when testing a hostname. If the connection is forced to IPv4 or IPv6 and the hostname does not resolve to an address using that protocol, the test will produce an error. For example, if forced to IPv4 and given a hostname that only returns an IPv6 IP address (AAAA record), the test will fail.
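
The options described above map directly onto a plain TCP client socket. The following Python function is an added example, not pfSense code: it performs the same kind of handshake-only test with an optional source address and port, a forced address family, and a Remote Text read window. The function name, parameter names, and the sample target in the last lines are assumptions made for illustration.

```python
import errno
import socket
import time

FAMILIES = {"any": socket.AF_UNSPEC, "ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}

def check_tcp_port(host, port, source_addr=None, source_port=0,
                   ip_protocol="any", remote_text=False, wait=10.0):
    """Return (ok, detail); detail is the error or the server's text.

    Parameter names mirror the page's fields but are assumptions.
    """
    if not 1 <= int(port) <= 65535:
        raise ValueError("port must be an integer between 1 and 65535")
    try:
        # Forcing IPv4/IPv6 fails here if the name has no such address.
        infos = socket.getaddrinfo(host, int(port), FAMILIES[ip_protocol],
                                   socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return False, f"no {ip_protocol} address for {host}: {exc}"
    family, socktype, proto, _, target = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(wait)
        try:
            if source_addr or source_port:
                sock.bind((source_addr or "", source_port))
            sock.connect(target)  # handshake only; nothing is ever sent
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return False, "bind failed: Address already in use"
            return False, f"connection failed: {exc}"
        if not remote_text:
            return True, ""
        # Remote Text: collect whatever the server volunteers until the
        # window closes or the server hangs up.
        chunks, deadline = [], time.monotonic() + wait
        while (left := deadline - time.monotonic()) > 0:
            sock.settimeout(left)
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
        return True, b"".join(chunks).decode("utf-8", "replace")

if __name__ == "__main__":
    # Constructed sample target: a service on the local host.
    print(check_tcp_port("127.0.0.1", 22, remote_text=True, wait=2))
```

A server that stays silent after the handshake, such as an HTTP daemon, makes the Remote Text read run for the full window and return an empty string with `ok` still true.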

Troubleshooting

nc: bind failed: Address already in use

The test produces this error if the Source Port field is set to a port currently in use by a local daemon on the firewall. Leave Source Port blank or pick another unused port.

See also

To view a list of ports currently in use, visit Diagnostics > Sockets.