Netgate Discussion Forum

Pfsense simple port forward

Category: NAT
19 Posts 4 Posters 4.3k Views

dotdash:

Did you change the destination of the port forward to WAN?
Zero1:

No, because I am trying to route it to an internal IP.
johnpoz (LAYER 8 Global Moderator):

The firewall rule is correct; it will show the IP he is doing the NAT/forward to, not the WAN address.

As to this:
"When I try from a different machine"

So you're trying to use NAT reflection? Or is this other machine on the WAN side of pfSense (internet)?

First thing I would do when having an issue with a port forward is validate the traffic actually gets to the pfSense WAN. A simple packet capture takes all of 10 seconds to validate.

If you see it there, validate that it goes out the pfSense LAN side interface with another capture. Do you see the response from the server?

These 2 tests should tell you right away what the problem is. If you see it on WAN but not going out the LAN, then something is wrong with pfSense. If you see it go out the LAN but no response, then it's the firewall or configuration on the server you're forwarding to. Validate it's sending to the correct IP; validate the server actually sees the traffic if pfSense is sending it out - maybe you have an issue somewhere between pfSense and the server you're forwarding to.

If you see it on WAN and a response on LAN - maybe outbound NAT on pfSense is wrong? Since you didn't see the response going back out on the pfSense WAN when you did the first WAN sniff.

Troubleshooting these issues should really only take you a few minutes to isolate where the problem actually is.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
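The two-capture test described in the post above, written out as an added example; this script is not part of the original thread and is not pfSense's own tooling. It runs from the pfSense shell (console option 8, or SSH) where tcpdump is available, and it assumes interface names and addresses the thread never gives: em0 as WAN, em1 as LAN, a forward of TCP/80 to 192.168.1.10, an outside tester at 203.0.113.5 and a public IP of 198.51.100.2. The sample tcpdump lines at the bottom are constructed, not captured, so the script can be run offline to see how the verdict is derived.

```shell
#!/bin/sh
# Added example (not from the thread): isolate a broken pfSense port forward
# with one capture on WAN and one on LAN, then classify what was seen.
# Assumed values, none taken from the thread: em0 = WAN, em1 = LAN,
# forward TCP/80 to 192.168.1.10, outside tester 203.0.113.5.
WAN_IF=${WAN_IF:-em0}
LAN_IF=${LAN_IF:-em1}
SERVER=${SERVER:-192.168.1.10}
PORT=${PORT:-80}

# Grab a few packets on one interface while the outside client retries.
# -n: no DNS lookups; -c: stop after 20 packets so the command cannot hang.
capture() {
    tcpdump -ni "$1" -c 20 "tcp port $PORT" 2>/dev/null || true
}

# Count capture lines matching a basic regex; prints 0 instead of failing.
count() {
    printf '%s\n' "$1" | grep -c "$2" || true
}

# Turn WAN and LAN capture text into the verdict the post describes:
#   not-reaching-wan       no inbound SYN on WAN (ISP, wrong public IP, DNS)
#   pfsense-not-forwarding SYN on WAN, nothing to $SERVER on LAN (NAT rule)
#   server-not-answering   SYN reached $SERVER, no SYN/ACK back (host firewall)
#   reply-not-leaving-wan  SYN/ACK on LAN but not on WAN (outbound NAT/route)
#   ok                     SYN/ACK went back out the WAN
diagnose() {
    wan=$1
    lan=$2
    wan_syn=$(count "$wan" "> [0-9.]*\.$PORT: Flags \[S\]")
    lan_syn=$(count "$lan" "> $SERVER\.$PORT: Flags \[S\]")
    lan_synack=$(count "$lan" "$SERVER\.$PORT > .*Flags \[S\.\]")
    wan_synack=$(count "$wan" "\.$PORT > .*Flags \[S\.\]")
    if   [ "$wan_syn" -eq 0 ];    then echo not-reaching-wan
    elif [ "$lan_syn" -eq 0 ];    then echo pfsense-not-forwarding
    elif [ "$lan_synack" -eq 0 ]; then echo server-not-answering
    elif [ "$wan_synack" -eq 0 ]; then echo reply-not-leaving-wan
    else echo ok
    fi
}

# Constructed sample in tcpdump's format (not a real capture): the tester's
# SYN arrives on WAN and is forwarded to the server, but nothing comes back.
SAMPLE_WAN='12:00:00.000001 IP 203.0.113.5.51000 > 198.51.100.2.80: Flags [S], seq 1, win 64240, length 0'
SAMPLE_LAN='12:00:00.000200 IP 203.0.113.5.51000 > 192.168.1.10.80: Flags [S], seq 1, win 64240, length 0'

# Usage: sh portfwd-check.sh         -> classify the constructed sample
#        sh portfwd-check.sh --live  -> take real captures on WAN, then LAN
main() {
    if [ "$1" = "--live" ]; then
        echo "capturing on $WAN_IF; retry the connection from outside now..."
        wan=$(capture "$WAN_IF")
        echo "capturing on $LAN_IF; retry again..."
        lan=$(capture "$LAN_IF")
    else
        wan=$SAMPLE_WAN
        lan=$SAMPLE_LAN
    fi
    printf 'verdict: %s\n' "$(diagnose "$wan" "$lan")"
}

main "$@"
```

Reading the lines: `Flags [S]` is the client's SYN and `Flags [S.]` is the server's SYN/ACK. On the LAN capture the destination is already the internal server address, because pfSense rewrites it before the packet leaves; if the LAN side shows the SYN but never a SYN/ACK, the box being forwarded to is dropping it. The same two captures can be taken from the GUI under Diagnostics > Packet Capture if the shell is not an option.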
Derelict (LAYER 8 Netgate):

@dotdash:
    Did you change the destination of the port forward to WAN?

This has to happen for NAT to work from the outside. Change the destination in the NAT entry from "LAN Address" to "WAN Address."

Nothing is going to happen even with NAT reflection because the NAT entry is on the WAN interface. No traffic will come into the WAN interface destined for "LAN Address."

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
Zero1:

@johnpoz:
    The firewall rule is correct; it will show the IP he is doing the NAT/forward to, not the WAN address.

    As to this:
    "When I try from a different machine"

    So you're trying to use NAT reflection? Or is this other machine on the WAN side of pfSense (internet)?

    First thing I would do when having an issue with a port forward is validate the traffic actually gets to the pfSense WAN. A simple packet capture takes all of 10 seconds to validate.

    If you see it there, validate that it goes out the pfSense LAN side interface with another capture. Do you see the response from the server?

    These 2 tests should tell you right away what the problem is. If you see it on WAN but not going out the LAN, then something is wrong with pfSense. If you see it go out the LAN but no response, then it's the firewall or configuration on the server you're forwarding to. Validate it's sending to the correct IP; validate the server actually sees the traffic if pfSense is sending it out - maybe you have an issue somewhere between pfSense and the server you're forwarding to.

    If you see it on WAN and a response on LAN - maybe outbound NAT on pfSense is wrong? Since you didn't see the response going back out on the pfSense WAN when you did the first WAN sniff.

    Troubleshooting these issues should really only take you a few minutes to isolate where the problem actually is.

As I mentioned, I am new to pfSense. How do I perform such a test? I wouldn't know how to even read the result properly.
Derelict (LAYER 8 Netgate):

@dotdash:
    Did you change the destination of the port forward to WAN?

@Zero1:
    No, because I am trying to route it to an internal IP.

Did you do this? Your config is wrong as originally posted.
johnpoz (LAYER 8 Global Moderator):

This is what Derelict is saying - this is WRONG.

See my example of a forward to NTP.

[attached images: worng.png, portforwardsetup.png]
Zero1:

Even with the changes made, still nothing. I also enabled NAT Reflection for 1:1 NAT for internal use.
johnpoz (LAYER 8 Global Moderator):

So you are trying to hit the pfSense WAN IP from a box on the LAN side of pfSense - hoping to get redirected into your LAN??

Did you test to see if it's working from actually outside pfSense, and it's just NAT reflection you're having an issue with? Do you have an issue with the firewall on your IIS box?

I suggest you try from the outside and validate the traffic actually gets there.
Zero1:

After some testing, I managed to get it to work externally but not internally (my machine typing the IP address into the URL bar, and nothing happened).

What can I do to make it work locally on my machine when I type in the external IP?
dotdash:

Try editing the Port Forward and turning 'NAT reflection' to 'Enable (NAT + Proxy)'.
Zero1:

Yup, that fixed it. But why would I need the +Proxy setting and not the Pure NAT?
dotdash:

NAT + Proxy is the old way of doing reflection using netcat. I use it simply because I'm familiar with doing it that way. Pure NAT is the new way and is more scalable. It should work if you also check 'Enable automatic outbound NAT for Reflection' under Advanced, Firewall.
Zero1:

Ok, now that everything is working, I am curious about trying to set up something else with this, but I am unaware as to how this would work.

1 ADSL connection w/ 5 usable IP addresses - intent for customers to log in through our order entry and place orders. Other website functionality lies on those IP addresses (Cisco 800 series router from ISP, multiple home routers connected to it).
1 VDSL connection w/ 1 IP address - office traffic and main servers etc., ISP modem which is also set up as the router for wifi (one machine and a few handsets).

Currently all machines run through the 10.0.0.x network (internal/VDSL) while some servers are multi-homed and also have 192-based IPs (ADSL connection) in order for customers to connect to us to use the same servers. My boss set everything up with home routers. Hopefully all that makes sense and I didn't forget any information.

I want to eliminate the multi-homed situation with these home routers and make everything run better off 1 internal private network. How would I go about such a setup? How many NICs would I need for this, or am I looking at a special setup for this?

Do I need a managed switch on the other end of the router with a VLAN to handle the traffic?

Much help appreciated.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.