Pfsense simple port forward
-
Did you change the destination of the port forward to WAN?
-
No because I am trying to route it to an internal IP.
-
The firewall rule is correct, it will show the IP he doing the nat/forward too not the wan address.
As this
"When i try from a different machine"So your trying to use nat reflection? Or this other machine is on the wan side of pfsense? (internet)
First thing I would do when having an issue with a port forward, is validate the traffic actually gets to pfsense WAN.. Simple packet capture take all of 10 seconds to validate.
If you see it there, validate that it goes out the pfsense lan side interface with another capture.. Do you see the response from the server?
These 2 tests should tell you right away what the problem is.. If you see on wan but not going out the lan, then something wrong with pfsense. If you see it go out the lan but no response then firewall or configuration on the server your forwarding too. Validate sending to correct IP, validate server actually sees the traffic if pfsense is sending out - maybe you have issue somewhere between pfsense and server your forwarding to.
If you see on wan and and response on lan - maybe outbound nat on pfsense is wrong? Since you didn't see response going back out on pfsense wan when you did the first wan sniff.
Troubleshooting these issues should really only take you a few minutes to isolate where the problem actually is.
-
Did you change the destination of the port forward to WAN?
This has to happen for NAT to work from the outside. Change the destination in the NAT entry from "LAN Address" to "WAN Address."
Nothing is going to happen even with NAT reflection because the NAT entry is on the WAN interface. No traffic will come into the WAN interface destined for "LAN Address."
-
The firewall rule is correct, it will show the IP he doing the nat/forward too not the wan address.
As this
"When i try from a different machine"So your trying to use nat reflection? Or this other machine is on the wan side of pfsense? (internet)
First thing I would do when having an issue with a port forward, is validate the traffic actually gets to pfsense WAN.. Simple packet capture take all of 10 seconds to validate.
If you see it there, validate that it goes out the pfsense lan side interface with another capture.. Do you see the response from the server?
These 2 tests should tell you right away what the problem is.. If you see on wan but not going out the lan, then something wrong with pfsense. If you see it go out the lan but no response then firewall or configuration on the server your forwarding too. Validate sending to correct IP, validate server actually sees the traffic if pfsense is sending out - maybe you have issue somewhere between pfsense and server your forwarding to.
If you see on wan and and response on lan - maybe outbound nat on pfsense is wrong? Since you didn't see response going back out on pfsense wan when you did the first wan sniff.
Troubleshooting these issues should really only take you a few minutes to isolate where the problem actually is.
As i mentioned, I am new to pfsense. How do I perform such a test? I wouldn't know how to even read the result properly.
-
Did you change the destination of the port forward to WAN?
No because I am trying to route it to an internal IP.
Did you do this? Your config is wrong as originally posted.
-
This is what derelict is saying - this is WRONG.
See my example of forward to ntp
-
Even with the changes made, still nothing. I also enabled the NAT Reflection for 1:1 NAT for internal use.
-
So you are trying to hit pfsense wan IP from a box on the lan side of pfsense - hoping to get redirected into your lan??
Did you test to see if working from actual outside pfsense, and its just nat reflection your having an issue with? Do you have a issue with firewall on your IIS box?
I suggest you try from the outside and validate the traffic actually gets there..
-
After some testing, I managed to get it to work externally not internally (my machine typing in the ip address in the url and nothing happened).
What can i do to make it work locally on my machine when I type in the external IP?
-
Try editing the Port Forward and turning 'NAT reflection' to 'Enable (NAT + Proxy)'.
-
Yup that fixed it. But why would I need the +proxy setting and not the pure NAT?
-
NAT + Proxy is the old way of doing reflection using netcat. I use it simply because I'm familiar with doing it that way. Pure NAT is the new way and is more scalable. It should work if you also check 'Enable automatic outbound NAT for Reflection' under Advanced, Firewall.
-
Ok now that everything is working, I am curious in trying to setup something else with this but I am unaware as to how this would work.
1 ADSL connection w/ 5 usable IP addresses - intent for customers to login through our order entry and place orders. other website functionality lies on those IP addresses (cisco 800 series router from ISP, multiple home routers connected to it)
1 VDSL connection w/ 1 IP address - office traffic and main servers etc…, ISP modem which is also setup as the router for wifi (one machine and few handsets).Currently all machines run through 10.0.0.x network (internal/VDSL) while some servers are multi-homed and also have 192 based IP's (ADSL connection) in order for customers to connect to us to use same servers. My boss set everything up with home routers. Hopefully all that makes sense and I didn't forget any information.
I want to eliminate the multi-homed situation with these home routers and make everything run better off 1 internal private network. How would I go about such a setup? How many NIC's would I need for this or am I looking at a special setup for this?
Do I need a managed switch on the other end of the router with a VLAN to handle the traffic?
Much help appreciated.
