Netgate Discussion Forum

    PORT FORWARDING NOT WORKING AFTER UPGRADE TO BETA 25.03

    • GertjanG
      Gertjan @samweli
      last edited by

      @samweli

      The good news : nothing changed, so there shouldn't be any issues.
      For example, I've several NAT rules in place, I use the latest 25.03 Beta version "25.03.b.20250515.1415".

      Best guess : check if traffic reaches your WAN ?
      Use the packet capture ( Diagnostics > Packet Capture ), select the WAN, specify the correct "destination port" and NAT protocol, UDP or TCP and start the capture.
      Now you can see if traffic that was natted before, even reaches pfSense.

      Another check : the device you NAT to (some device on a LAN ?) still use the same IPv4 ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • S
        samweli @Gertjan
        last edited by

        @Gertjan Hi, Thank you so much for your feedback.

        I have done that and these are the results.

        14:39:02.026573 IP 45.215.255.224.40542 > 172.16.111.15.80: tcp 0
        14:39:07.897087 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
        14:39:08.916557 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
        14:39:09.926632 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
        14:39:10.926291 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0

        • GertjanG
          Gertjan @samweli
          last edited by Gertjan

          @samweli

          As I don't know who 45.215.255.224 is, nor 172.16.111.15, I'll have to presume a lot.

          I see a destination port 80 : that's an old web or 'http' server.
          If - you tell me - 172.16.111.15 is your pfSense WAN, and 45.215.255.224 is the device with a web browser, then you've shown that the intended web traffic arrives at your pfSense WAN interface.

          Now : can you show your NAT rule (and the auto created WAN firewall rule) ?

          edit :
          I've just installed the latest 5.03 beta, "25.03.b.20250610.1659", and it works well.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • S
            samweli @Gertjan
            last edited by

            @Gertjan

            Thanx once more,

            45.215.255.224 is the device outside the network trying to access 172.16.111.15, which is the web server inside the network.

            • S
              samweli @Gertjan
              last edited by

              @Gertjan
              ab771e3f-fd34-497b-90a0-3fcb8a97f347-image.png

              876861c7-fb44-476b-820c-ec4b18c68233-image.png

              • GertjanG
                Gertjan @samweli
                last edited by Gertjan

                @samweli said in PORT FORWARDING NOT WORKING AFTER UPGRADE TO BETA 25.03:

                172.16.111.15

                Oops.
                172.16.x.y is RFC1918.

                Knowing that you cannot find RFC1918 out there on the internet.
                RFC1918 can't be routed on the Internet.
                That means that if an RFC1918 IP like 192.168.1.1 or your 172.16.111.15 passes through any router out there, the ones that are part of the 'Internet', it's dropped right away.

                This makes me wonder :

                14:39:02.026573 IP 45.215.255.224.40542 > 172.16.111.15.80: tcp 0
                14:39:07.897087 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
                14:39:08.916557 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
                14:39:09.926632 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
                14:39:10.926291 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
                

                How did you obtain these results ?
                I presume now that 172.16.111.x is your pfSense LAN network, and not your WAN.
                Or is 172.16.111.15 your pfSense WAN IP and you have a router in front of your pfSense ? In that case, it would be ok.

                edit :

                Noop.
                a7054e18-1d87-4fad-9ba9-98092f0e98e5-image.png
                so 172.16.111.15 is your pfSense LAN ? !

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                • S
                  samweli @Gertjan
                  last edited by

                  @Gertjan You are right. 172.16.111.15 is a LAN host on 172.16.0.0/16 network on the LAN side. The WAN IP is sitting on the ZAMTELINTERNET interface

                  • GertjanG
                    Gertjan @samweli
                    last edited by Gertjan

                    @samweli

                    So traffic should come in into the WAN IP, with as destination the WAN IP.
                    Your packet capture, you were using the WAN interface, right ? and not LAN ?

                    From there on, the WAN IPv4 and the destination port = 80, matches with a WAN firewall rule, the firewall rule that belongs to the NAT rule. If the two match, then the traffic is mapped to the LAN network, the IP 172.16.111.15, same port.

                    Btw : Web server traffic is TCP only.

                    This :

                    7fa6e2e3-9599-4685-96cc-fd91085a0edf-image.png

                    You've set a gateway ?
                    Please read [Port Forwarding](https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html) one more time.

                    No "help me" PM's please. Use the forum, the community will thank you.
                    Edit : and where are the logs ??
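
As an added illustration (not code from the thread or from pfSense): a small Python check for capture lines like the ones quoted above. It reports whether the packets to the forwarded port are addressed to an RFC1918 host and whether any reply packet appears in the same capture. The function names are hypothetical; the sample lines are the ones posted in the thread.

```python
import ipaddress
import re
from collections import Counter

# Capture lines exactly as posted in the thread.
PAGE_CAPTURE = """\
14:39:02.026573 IP 45.215.255.224.40542 > 172.16.111.15.80: tcp 0
14:39:07.897087 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
14:39:08.916557 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
14:39:09.926632 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
14:39:10.926291 IP 45.215.255.224.29311 > 172.16.111.15.80: tcp 0
""".splitlines()

# Summary line layout: "time IP src.sport > dst.dport: proto length"
LINE_RE = re.compile(
    r"^\s*\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\w+) \d+")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse(lines):
    """Return (src, sport, dst, dport, proto) for every line that parses."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            src, sport, dst, dport, proto = m.groups()
            out.append((src, int(sport), dst, int(dport), proto.lower()))
    return out

def review_capture(lines, port, proto="tcp"):
    pkts = [p for p in parse(lines) if p[4] == proto]
    seen = {p[:4] for p in pkts}
    inbound = [p for p in pkts if p[3] == port]
    # Count packets per client flow for which no reverse-direction packet
    # shows up in the same capture (retransmits that never get an answer).
    unanswered = Counter((src, sport) for src, sport, dst, dport, _ in inbound
                         if (dst, dport, src, sport) not in seen)
    return {
        "inbound_packets": len(inbound),
        # An RFC1918 destination means the capture shows the forward target
        # (LAN side), or a WAN that itself sits behind another router.
        "private_destinations": sorted({p[2] for p in inbound if is_rfc1918(p[2])}),
        "unanswered_flows": dict(unanswered),
    }

if __name__ == "__main__":
    print(review_capture(PAGE_CAPTURE, 80))
```
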

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @Gertjan
                      last edited by

                      @Gertjan said in PORT FORWARDING NOT WORKING AFTER UPGRADE TO BETA 25.03:

                      Btw : Web server traffic is TCP only.

                      Normally I would agree with you - but there is quic now, and it is possible to run http and https over UDP.

                      But highly unlikely in the case of someone running something behind pfsense.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      • GertjanG
                        Gertjan @johnpoz
                        last edited by Gertjan

                        @johnpoz said in PORT FORWARDING NOT WORKING AFTER UPGRADE TO BETA 25.03:

                        but there is quic now, and it is possible to run http and https over UDP

                        So, first : Normally I would agree with you 😊
                        But if some one would set up an apache2 or nginx on its LAN using https, quic then this person can't have problems with ancient stuff like "natting" a port.
                        Right ?
                        ( I do have this feeling that the pfSense documentation isn't always clear about things. That's why I love the - old, true, but still very valid - Youtube videos on the Netgate channel )

                        Port natting (= patting), on my ISP router, pfSense, or a high end Cisco or any other TPlink / DLink Walmart device out there : it's all the same ...

                        Anyway, very soon we can ditch IPv4 and Natting and things become easy for everybody .... 👍

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @Gertjan
                          last edited by

                          @Gertjan said in PORT FORWARDING NOT WORKING AFTER UPGRADE TO BETA 25.03:

                          Anyway, very soon we can ditch IPv4 and Natting and things become easy for everybody

                          Yeah soon ;) they have been saying that for 20+ years already.. Soon ;)

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.