Failing to get 1:1 NAT working
- 
 I have just put my pfSense firewall in place but I can't get my 1:1 NAT working. I have an x.y.z.88/29 subnet so the firewall IP is x.y.z.90. I am trying to route x.y.z.94 through to one of my servers but I am failing. I have set up an IP alias with: 
 Interface = WAN
 Address type = Single address
 Address = x.y.z.94/29
 Then in the NAT firewall I have created a 1:1 entry: 
 No Binat - <empty>
 Interface = WAN
 Address Family = IPv4
 External Subnet IP = Address x.y.z.94
 Internal IP = Address 172.17.2.40
 NAT Reflection = Use system default
 Port 9981 is listening on the server, but when I do an external port scan it says Timed Out. If I port scan internally, it shows Open. What am I doing wrong? 
- 
 @NickJH 
 You also need to add a firewall rule to WAN to allow access to 172.17.2.40, port 9981.
- 
 @viragomann 
 Thanks. I have it working now with a WAN rule:
 Interface = WAN
 Address Family = IPv4
 Protocol = Any
 Source = <blank>
 Destination = 172.17.2.40
 Is this correct? I never specify the x.y.z.94 IP, e.g. in source. 
- 
 @NickJH 
 Also state the destination port, so that the access is limited to it.
- 
 @viragomann 
 Thanks. I actually have more ports forwarded and the target server runs its own firewall so in the past with other firewalls I have forwarded everything. I also have an outbound rule for it.
- 
 @NickJH 
 You can create an alias and add all allowed ports to it. Then state this alias at port in the rule.
- 
 @viragomann Can I ask why I had to create a WAN rule at all? If I do a Port Forward, it creates one for me in the Filter Rule Association dropdown. Shouldn't this option also be there for 1:1 NAT with a possible further option to create an Outbound rule? 
- 
 @NickJH 
 This would require options to state external and internal ports and the proper rule association for each.
 A bit complicated and it's not what NAT 1:1 is meant for. The sense of 1:1 is to map an external IP to an internal one and also the other way round. 
 While port forwarding is meant to do what its name implies. And if you forward a port to an internal IP you usually also want to pass this certain traffic.
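
Added example, not part of the thread and not pfSense code: a small Python model of why the WAN rule in this thread names 172.17.2.40 rather than x.y.z.94, and what a port alias changes. It assumes inbound NAT is applied before the WAN rules are evaluated and that unmatched WAN traffic is dropped; 203.0.113.94 stands in for x.y.z.94, and port 9982 and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

# Constructed values: 203.0.113.94 stands in for the thread's x.y.z.94;
# 9982 is a made-up second port (the thread names only 9981).
EXTERNAL = ip_address("203.0.113.94")
INTERNAL = ip_address("172.17.2.40")
BINAT = {EXTERNAL: INTERNAL}              # the 1:1 NAT entry
ALLOWED_PORTS = frozenset({9981, 9982})   # plays the role of a port alias


@dataclass(frozen=True)
class Rule:
    """A WAN pass rule: destination address plus optional port set."""
    dst: object
    ports: Optional[frozenset] = None     # None means any port


def translate(dst):
    """Inbound 1:1 NAT: rewrite the external destination to the internal host."""
    return BINAT.get(dst, dst)


def wan_inbound(dst, port, rules):
    """Return 'pass' or 'block' for a packet arriving on WAN.

    Model assumptions: NAT runs first, rules are matched against the
    translated destination, and no matching pass rule means drop.
    """
    dst = translate(ip_address(dst))
    for rule in rules:
        if rule.dst == dst and (rule.ports is None or port in rule.ports):
            return "pass"
    return "block"


# Four rule sets that mirror the stages of the thread.
NO_RULE = []                                  # 1:1 NAT only: scan times out
RULE_ON_EXTERNAL = [Rule(EXTERNAL)]           # rule names the public IP
RULE_ANY_PORT = [Rule(INTERNAL)]              # the rule that made it work
RULE_PORT_ALIAS = [Rule(INTERNAL, ALLOWED_PORTS)]  # limited to the alias

if __name__ == "__main__":
    for name, rules in [("no rule", NO_RULE), ("dst=external", RULE_ON_EXTERNAL),
                        ("dst=internal, any port", RULE_ANY_PORT),
                        ("dst=internal, port alias", RULE_PORT_ALIAS)]:
        results = {p: wan_inbound("203.0.113.94", p, rules) for p in (9981, 22)}
        print(f"{name:26} {results}")
```

In this model the any-port rule also passes port 22 to the server, which is the exposure the port alias removes.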