Port forwarding with NAT 1:1
-
I don't see where you are adding your public IP address as virtual IPs in pfSense (Firewall - Virtual IP). You do that first, then you create your port forward.
-
Thanks for the reply.
Under Firewall: Virtual IP Addresses, I have my 5 IP addresses listed with type "IfAlias".
Maybe I am doing the 1:1 NAT wrong?
If I create a 1:1, under External subnet IP, I would type in 74.95.22.11. If I try to type in 74.95.22.11/32 (as a subnet), I would get the error message: A valid external subnet must be specified.
-
I have a 1:1 mapping. I just specified the External IP subnet to be a WAN address handled by IP Alias without any CIDR suffix, and the Internal is Single host with the LAN IP of the server.
-
Under Firewall: NAT: Port Forward, I created a HTTPS for the main IP (74.95.22.10). This automatically creates a firewall rule under my WAN connection. Everything works as expected. I am able to access my web server from the internet.
Under Firewall: NAT: 1:1, I create another HTTPS entry for the secondary IP (74.95.22.11). However, this does not create a firewall rule under my WAN connection. I am NOT able to access my 2nd web server on (74.95.22.11) from the internet. What is more strange is that after I created this 1:1 NAT, I am no longer able to access the 1st web server on (74.95.22.10) until I delete this 1:1 NAT. Even when I manually put in the firewall rules, it still does not work.
I don't think 1:1 can automatically put tracking firewall rules on WAN for you so you'll have to do that yourself.
Why not just use port forwards? Why 1:1?
-
Why not just use port forwards? Why 1:1?
I need to run multiple web servers. With port forwarding, I can only forward TCP 443 to one IP.
-
I need to run multiple web servers. With port forwarding, I can only forward TCP 443 to one IP.
And you can only forward a given public IP to one internal IP with 1:1 NAT. That does nothing to change your problem; from a networking perspective it's impossible to forward the same port to > 1 internal machine. You need a reverse proxy, or multiple public IPs, not 1:1 NAT.
-
@cmb:
You need a reverse proxy, or multiple public IPs, not 1:1 NAT.
Maybe I am looking in the wrong place with pfSense. I am very new to pfSense and am still working my way around it.
I do have multiple public IP addresses. I got 5. I do need some of my servers to go out with those public IP addresses and not appear as if the traffic is coming from my main IP (which is on the pfSense).
-
@cmb:
You need a reverse proxy, or multiple public IPs, not 1:1 NAT.
I do have multiple public IP addresses. I got 5. I do need some of my servers to go out with those public IP addresses and not appear as if the traffic is coming from my main IP (which is on the pfSense).
That's easily done with policy routing in pfSense and is completely unrelated to your inbound NAT issue.
-
Use Outbound NAT in that case if you don't want to use 1:1. Policy routing is for multi-WAN, that's not relevant here as it sounds like you have one Internet connection only.
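As an added illustration (not posted by anyone in this thread), here is roughly what the three pfSense NAT screens being discussed (Port Forward, 1:1, Outbound NAT) turn into in the underlying pf ruleset, together with the WAN pass rules that 1:1 entries do not create for you. The public addresses are the ones from the thread; the interface name em0 and the 10.0.0.x LAN addresses are assumptions made up for the example.

```pf
# Added example, not pfSense-generated output. Interface and LAN addresses are
# assumed; the public IPs are those mentioned in the thread.
wan_if = "em0"
pub_1  = "74.95.22.10"   # main WAN address
pub_2  = "74.95.22.11"   # Virtual IP of type IP Alias
pub_3  = "74.95.22.12"   # Virtual IP of type IP Alias
srv1   = "10.0.0.10"     # web server 1 (assumed LAN address)
srv2   = "10.0.0.11"     # web server 2 (assumed LAN address)
srv3   = "10.0.0.12"     # host that should egress as pub_3 only (assumed)

# Firewall: NAT: Port Forward -- one public IP:port maps to one internal host.
rdr on $wan_if proto tcp from any to $pub_1 port 443 -> $srv1 port 443
# A second rdr for the same $pub_1 port 443 would never be reached: pf applies
# the first matching translation rule, which is why a single port on a single
# public IP cannot be forwarded to two hosts. A second web server needs its
# own public IP (as below) or a reverse proxy in front of both.

# Firewall: NAT: 1:1 -- bidirectional, all ports. Inbound to $pub_2 becomes
# $srv2, and $srv2's outbound traffic leaves as $pub_2, so this also covers
# the "go out with its own public IP" requirement for that host.
binat on $wan_if from $srv2 to any -> $pub_2

# Firewall: NAT: Outbound -- source-only mapping for a host that must egress
# as a specific public IP without anything being exposed inbound.
nat on $wan_if from $srv3 to any -> $pub_3

# Filter rules are evaluated after translation, so a WAN pass rule must match
# the internal (post-translation) destination, not the public IP. The GUI
# creates this rule for a port forward; for a 1:1 entry you add it yourself,
# with the internal address as the destination.
pass in quick on $wan_if proto tcp from any to $srv1 port 443 flags S/SA keep state
pass in quick on $wan_if proto tcp from any to $srv2 port 443 flags S/SA keep state
```

A manually added WAN rule whose destination is the public IP rather than the internal one is the usual reason a 1:1 mapping appears to work at the NAT level yet still drops the connection. The fragment can be syntax-checked without loading it using `pfctl -nf <file>`.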
-
I do have multi-WAN but mainly use it as a failover for internet surfing.
Thanks for all the replies! I will have to give it another try and look into the areas that you all pointed out.