Netgate Discussion Forum

    [SOLVED] Standard port forwarding from WAN -> DMZ host doesn't work

    Category: NAT
    4 Posts, 3 Posters, 10.4k Views
    • comi

      Hi all,

      I'm a bit lost. After upgrading from pfSense 1.2.3 to 2.0rc3 I'm somehow unable to get port forwarding to work as before:

      Goal: set up some ports (80, 443, 993 etc.) to forward to a host behind the OPT1 (DMZ) interface.

      My approach was (example with port 80):

      • Create a new port forward rule

      • Interface: WAN

      • Protocol: TCP

      • Destination: alias pointing to server behind DMZ interface

      • Destination Port Range: HTTP

      • Redirect target IP: alias pointing to server behind DMZ interface

      • Redirect target port: HTTP

      • Filter rule association: create new associated filter rule

      This generated a correct firewall rule on the WAN interface based on that NAT rule.

      But it doesn't work from the internet side. Any ideas? Thanks in advance.

      • rancor

        Do you filter egress from DMZ to WAN?

        • comi

          Yes, I'm filtering outbound traffic, but this was not the source of the problem.

          Actually it was just RTFM of http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F, as I had misinterpreted the destination:

          Destination - this specifies the original destination IP of the traffic, as seen before being translated, and will usually be "WAN address".

          So it works now.

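          The mistake above (putting the DMZ host's IP in the port forward's Destination field instead of "WAN address") shows up in the loaded pf rules as an rdr rule on the WAN interface whose pre-NAT destination is a private address, which inbound internet traffic never carries. The following check is an added example and not code from the thread or from pfSense; it runs an awk filter over a constructed `pfctl -sn` style sample (interface name em0 and the 203.0.113.2 / 192.168.2.10 addresses are assumptions) and flags such rules. On a real box you would pipe the live `pfctl -sn` output into the same function.

```sh
#!/bin/sh
# Constructed sample in the style of `pfctl -sn` output (not captured from a
# real pfSense box). Assumed addresses: 203.0.113.2 = WAN address,
# 192.168.2.10 = DMZ host. The first rule is the misconfiguration from the
# thread: its original destination is the DMZ host, not the WAN address.
SAMPLE_RULES='rdr on em0 inet proto tcp from any to 192.168.2.10 port = http -> 192.168.2.10 port 80
rdr on em0 inet proto tcp from any to 203.0.113.2 port = https -> 192.168.2.10 port 443
rdr on em0 inet proto tcp from any to 203.0.113.2 port = imaps -> 192.168.2.10 port 993'

# Print every rdr rule on the given WAN interface whose original (pre-NAT)
# destination, the address after the word "to", is in an RFC 1918 range.
# Packets arriving from the internet are addressed to the WAN IP, so a rule
# keyed on an internal address can never match and the forward silently fails.
find_misconfigured_rdr() {
    wan_if="$1"
    rules="$2"
    printf '%s\n' "$rules" | awk -v ifc="$wan_if" '
        $1 == "rdr" && $3 == ifc {
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == "to") dst = $(i + 1)
            if (dst ~ /^10\./ ||
                dst ~ /^192\.168\./ ||
                dst ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
                print $0
        }'
}

# Convenience wrapper returning the number of flagged rules.
count_misconfigured_rdr() {
    find_misconfigured_rdr "$1" "$2" | grep -c .
}

# Usage with the constructed sample; expects the single http rule to be flagged.
find_misconfigured_rdr em0 "$SAMPLE_RULES"
```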
          • genrvs

            Step 1: Go to "Status" -> "DHCP leases" and set up a static DHCP lease for the desired host.

            Step 2: Go to "Firewall" -> "Aliases", create a host type alias and give it a name [Host_alias_name], using the IP of the static DHCP lease you created in Step 1. Save.

            Step 3: Go to "Firewall" -> "Aliases", create a port type alias and give it a name [Port_alias_name]; for your port range enter "1:65535". Save.

            Step 4: Go to "Firewall" -> "NAT" and on the port forward tab add a new NAT rule. Interface = WAN, External address = Interface address, Protocol = TCP/UDP, External port range = from: (other) in red box [Port_alias_name] to: (other), NAT IP = [Host_alias_name], Local port = (other) in red box [Port_alias_name]. "Auto-add a firewall rule to permit traffic through this NAT rule" should be checked. Save.

            It should be working now!

            Note: if your router requires any ports for any of its own services, they will not work because you have forwarded them all to the host. You will need to modify your port type alias to exclude the desired port. For example, if your router needs port 1000 for a service, in your port type alias you will need to create one range from 1 to 999 ("1:999") and another range from 1001 to 65535 ("1001:65535").

            ENJOY!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.