Netgate Discussion Forum
    Pfsense simple port forward

    19 Posts 4 Posters 4.3k Views
    • Zero1

      @johnpoz:

      The firewall rule is correct; it will show the IP he is doing the NAT/forward to, not the WAN address.

      As this:
      "When I try from a different machine"

      So you're trying to use NAT reflection? Or is this other machine on the WAN side of pfSense (Internet)?

      The first thing I would do when having an issue with a port forward is validate that the traffic actually gets to the pfSense WAN. A simple packet capture takes all of 10 seconds to validate.

      If you see it there, validate that it goes out the pfSense LAN-side interface with another capture. Do you see the response from the server?

      These two tests should tell you right away what the problem is. If you see it on WAN but not going out the LAN, then something is wrong with pfSense. If you see it go out the LAN but no response, then it's the firewall or configuration on the server you're forwarding to. Validate you're sending to the correct IP, and validate the server actually sees the traffic if pfSense is sending it out; maybe you have an issue somewhere between pfSense and the server you're forwarding to.

      If you see it on WAN and a response on LAN, maybe outbound NAT on pfSense is wrong? Since you didn't see the response going back out on the pfSense WAN when you did the first WAN sniff.

      Troubleshooting these issues should really only take you a few minutes to isolate where the problem actually is.

      As I mentioned, I am new to pfSense. How do I perform such a test? I wouldn't know how to even read the result properly.

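The two-capture test quoted above, turned into code as an added example (not code from the thread or from pfSense). It reads the text that `tcpdump -n` prints for a WAN-side and a LAN-side capture and names the first stage at which the forward breaks: request never reaching WAN, not forwarded out LAN, forwarded to the wrong target, no reply from the server, or reply not leaving WAN. Interface names, the addresses 203.0.113.10 / 10.0.0.50 and the sample capture lines are constructed for illustration.

```python
"""Two-capture triage of a pfSense port forward.

Added example, not from the forum thread or from pfSense. Interface names,
addresses and the sample capture lines below are constructed. On the pfSense
shell the two captures would be taken with something like:
    tcpdump -ni em0 -c 20 'tcp port 80 and host 203.0.113.10'   # WAN side
    tcpdump -ni em1 -c 20 'tcp port 80 and host 10.0.0.50'      # LAN side
and the printed text handed to triage().
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed topology (TEST-NET-3 and RFC 1918 addresses).
WAN_IP = "203.0.113.10"   # pfSense WAN address the forward listens on
SERVER_IP = "10.0.0.50"   # internal box the forward should point at
PORT = 80

# Flow part of a `tcpdump -n` TCP line, e.g.
# "IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq ..."
FLOW_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


def parse_capture(text: str) -> list[Pkt]:
    """Parse tcpdump -n text; lines that are not TCP flows (ARP, ICMP) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            pkts.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def triage(wan_text: str, lan_text: str, wan_ip: str, server_ip: str, port: int) -> str:
    """Apply the checks in the order the post gives them; report the first missing stage."""
    wan = parse_capture(wan_text)
    lan = parse_capture(lan_text)

    # 1. Does the request reach the WAN interface at all?
    if not any(p.dst == wan_ip and p.dport == port for p in wan):
        return "no request on WAN: traffic never reaches pfSense (client, ISP or upstream device)"

    # 2. Does pfSense send it out the LAN side, and to the right host?
    to_lan = [p for p in lan if p.dport == port and p.src != server_ip]
    if not to_lan:
        return "request on WAN but nothing forwarded out LAN: check the port forward and its WAN rule"
    if not any(p.dst == server_ip for p in to_lan):
        wrong = sorted({p.dst for p in to_lan})
        return f"forward sends to {wrong} instead of {server_ip}: fix the target IP"

    # 3. Does the server answer on LAN?
    if not any(p.src == server_ip and p.sport == port for p in lan):
        return "forwarded to the server but no reply on LAN: check the server's firewall, service and path"

    # 4. Does the (un-NATed) reply leave via WAN?
    if not any(p.src == wan_ip and p.sport == port for p in wan):
        return "server replied on LAN but nothing left WAN: check outbound NAT and states on pfSense"

    return "request and reply seen on both interfaces: the forward works at pfSense"


# Constructed sample captures (what tcpdump -n would print in each situation).
WAN_OK = (
    "12:00:00.000001 IP 198.51.100.7.51234 > 203.0.113.10.80: Flags [S], seq 1, win 64240, length 0\n"
    "12:00:00.000900 IP 203.0.113.10.80 > 198.51.100.7.51234: Flags [S.], seq 100, ack 2, win 65535, length 0\n"
)
WAN_REQ_ONLY = WAN_OK.splitlines()[0] + "\n"
LAN_OK = (
    "12:00:00.000300 IP 198.51.100.7.51234 > 10.0.0.50.80: Flags [S], seq 1, win 64240, length 0\n"
    "12:00:00.000700 IP 10.0.0.50.80 > 198.51.100.7.51234: Flags [S.], seq 100, ack 2, win 65535, length 0\n"
)
LAN_NO_REPLY = LAN_OK.splitlines()[0] + "\n"
LAN_WRONG_TARGET = "12:00:00.000300 IP 198.51.100.7.51234 > 10.0.0.51.80: Flags [S], seq 1, win 64240, length 0\n"

if __name__ == "__main__":
    for name, w, l in [("working", WAN_OK, LAN_OK), ("server silent", WAN_OK, LAN_NO_REPLY),
                       ("wrong target", WAN_REQ_ONLY, LAN_WRONG_TARGET),
                       ("outbound NAT", WAN_REQ_ONLY, LAN_OK), ("never arrives", "", LAN_OK)]:
        print(f"{name:14s} -> {triage(w, l, WAN_IP, SERVER_IP, PORT)}")
```

Run it on the pfSense box or copy the two capture outputs to a workstation; the order of the checks matters, since a missing reply on WAN is only meaningful once the reply has been seen on LAN.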
      • Derelict (LAYER 8 Netgate)

        Did you change the destination of the port forward to WAN?

        @Zero1:

        No because I am trying to route it to an internal IP.

        Did you do this?  Your config is wrong as originally posted.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • johnpoz (LAYER 8 Global Moderator)

          This is what derelict is saying - this is WRONG.

          See my example of forward to ntp

          [attached images: worng.png, portforwardsetup.png]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • Zero1

            Even with the changes made, still nothing. I also enabled the NAT Reflection for 1:1 NAT for internal use.

            • johnpoz (LAYER 8 Global Moderator)

              So you are trying to hit the pfSense WAN IP from a box on the LAN side of pfSense, hoping to get redirected into your LAN??

              Did you test to see if it is working from actually outside pfSense, and it's just NAT reflection you're having an issue with? Do you have an issue with the firewall on your IIS box?

              I suggest you try from the outside and validate the traffic actually gets there..

              • Zero1

                After some testing, I managed to get it to work externally but not internally (my machine typing the IP address into the URL, and nothing happened).

                What can I do to make it work locally on my machine when I type in the external IP?

                • dotdash

                  Try editing the Port Forward and turning 'NAT reflection' to 'Enable (NAT + Proxy)'.

                  • Zero1

                    Yup that fixed it. But why would I need the +proxy setting and not the pure NAT?

                    • dotdash

                      NAT + Proxy is the old way of doing reflection using netcat. I use it simply because I'm familiar with doing it that way. Pure NAT is the new way and is more scalable. It should work if you also check 'Enable automatic outbound NAT for Reflection' under Advanced, Firewall.

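What "Pure NAT" reflection plus "Enable automatic outbound NAT for Reflection" amounts to, written out as pf.conf rules. This is an added illustration hand-written for this page, not the ruleset pfSense generates (pfSense manages pf itself; this is not meant to be pasted into it). The interface names em0/em1, the WAN address 203.0.113.10, the LAN 10.0.0.0/24 and the server 10.0.0.50 are constructed.

```pf
# Added illustration of pure-NAT reflection, not pfSense's generated rules.
# Interface names and addresses are constructed.
ext_if = "em0"             # WAN
int_if = "em1"             # LAN
wan_ip = "203.0.113.10"    # WAN address the forward listens on
lan    = "10.0.0.0/24"
web    = "10.0.0.50"       # the IIS box

# The ordinary port forward, for clients on the Internet.
rdr on $ext_if inet proto tcp from any to $wan_ip port 80 -> $web port 80

# Pure-NAT reflection: a LAN client that connects to the WAN IP is
# redirected to the server too, but on the LAN interface.
rdr on $int_if inet proto tcp from $lan to $wan_ip port 80 -> $web port 80

# "Enable automatic outbound NAT for Reflection". Without this rule the
# server sees the LAN client's real address and answers it directly across
# the switch; the client then receives a SYN-ACK from 10.0.0.50, a host it
# never connected to, and drops it. Rewriting the source to pfSense's own
# LAN address forces the reply back through pfSense, where the rdr state is
# undone and the client sees the reply come from 203.0.113.10 as expected.
nat on $int_if inet proto tcp from $lan to $web port 80 -> ($int_if)

# pf translates before it filters, so the LAN pass rule must match the
# translated destination, not the WAN IP.
pass in on $int_if inet proto tcp from $lan to $web port 80
```

Two consequences worth knowing: with the source translation in place the server's logs record pfSense's LAN address for reflected connections rather than the client's, and the firewall now carries every reflected session as state. The older NAT + Proxy mode avoids the source-NAT rule because the proxy on pfSense terminates the client's connection and opens its own to the server, so the server's replies are addressed to pfSense in any case.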
                      • Zero1

                        Ok, now that everything is working, I am curious about trying to set up something else with this, but I am unaware as to how this would work.

                        1 ADSL connection w/ 5 usable IP addresses: intended for customers to log in through our order entry and place orders. Other website functionality lies on those IP addresses (Cisco 800 series router from the ISP, multiple home routers connected to it).
                        1 VDSL connection w/ 1 IP address: office traffic and main servers etc.; ISP modem which is also set up as the router for wifi (one machine and a few handsets).

                        Currently all machines run through the 10.0.0.x network (internal/VDSL), while some servers are multi-homed and also have 192-based IPs (ADSL connection) in order for customers to connect to us and use the same servers. My boss set everything up with home routers. Hopefully all that makes sense and I didn't forget any information.

                        I want to eliminate the multi-homed situation with these home routers and make everything run better off 1 internal private network. How would I go about such a setup? How many NICs would I need for this, or am I looking at a special setup for this?

                        Do I need a managed switch on the other end of the router with a VLAN to handle the traffic?

                        Much help appreciated.
