Netgate Discussion Forum

    I have more interfaces than actual hardware ports

    • DerelictD
      Derelict LAYER 8 Netgate
      last edited by

      Why did you put a destination in your 1:1?  Did you read the text?

      ![Screen Shot 2014-12-28 at 6.30.28 PM.png](/public/imported_attachments/1/Screen Shot 2014-12-28 at 6.30.28 PM.png)

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Do you need all ports NAT'd to the server? You should probably use a single port forward, for testing at least, instead.
        However if you do want 1:1 NAT it should be on the WAN interface and the 'destination' should be left as 'any'.
        Since your pfSense box is behind the Sonicwall device, is its WAN address a private IP? If so you need to uncheck 'block private networks' in the WAN interface setup.
        Lastly you will need to test your port forward from a device on the WAN side of the pfSense box.

        Steve

        • A
          altiris
          last edited by

          @Derelict:

          Why did you put a destination in your 1:1?  Did you read the text?

          I got confused when reading this lol https://doc.pfsense.org/index.php/Why_does_enabling_NAT_Reflection_break_web_surfing

          EDIT: Actually, if I leave the destination with a * then I am unable to surf the web on that machine. I have to set an IP for the destination if I want to be able to browse the web with 1:1 NAT.

          • A
            altiris
            last edited by

            @stephenw10:

            Do you need all ports NAT'd to the server? You should probably use a single port forward, for testing at least, instead.
            However if you do want 1:1 NAT it should be on the WAN interface and the 'destination' should be left as 'any'.
            Since your pfSense box is behind the Sonicwall device, is its WAN address a private IP? If so you need to uncheck 'block private networks' in the WAN interface setup.
            Lastly you will need to test your port forward from a device on the WAN side of the pfSense box.

            Steve

            I selected LAN instead of WAN by accident lol, but I don't know whether I should do Port Forward or just 1:1 NAT. I do not want all ports to be opened, and the way I am doing it is 1:1 NAT, which forwards/allows everything from the external IP to the internal IP or something like that, right? However, because pfsense has a firewall, it is preventing all ports from being accessible to LAN, right? So essentially either Port Forward or One-to-one NAT will do the same thing???

            • A
              altiris
              last edited by

              Ugh, so I thought I got it working but I didn't. I am trying to port forward instead of just doing 1:1 NAT. I can't seem to get it working. Do I need to add a rule to the firewall? And I saw in a video someone making a virtual IP alias in pfsense, do I need to do one? I'll try and post/take a screenshot.

              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                This is a sample rule forwarding Minecraft on TCP:25565 (minecraft_server port alias set to 25565) to my os_x_server (host alias defined as 192.168.223.17). Note that I let the NAT configuration create the firewall rule so I don't have to, using the filter rule association.

                If I wanted the incoming connections to be addressed to anything other than "WAN address" I would have to create a VIP.  In this case I don't.

                port-forward.png
                • A
                  altiris
                  last edited by

                  @Derelict:

                  This is a sample rule forwarding Minecraft on TCP:25565 (minecraft_server port alias set to 25565) to my os_x_server (host alias defined as 192.168.223.17). Note that I let the NAT configuration create the firewall rule so I don't have to, using the filter rule association.

                  If I wanted the incoming connections to be addressed to anything other than "WAN address" I would have to create a VIP.  In this case I don't.

                  I tried following your steps but it doesn't work. I noticed how you said if you wanted incoming connections to be anything other than the WAN address of pfsense you would have to create a virtual IP. So, since the WAN address of my server and pfsense box are different (I want incoming connections for a certain IP and port 80 to go to internal IP). The only thing I don't get like you do is the NAT association rule.

                  I've blocked out my WAN IP in the images for privacy reasons… but I hope it's still enough that you can have an idea of what I am doing incorrectly.

                  Screenshot-1.png
                  Screenshot.png

                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    Looks like it should work to me.

                    Is the proper Firewall rule on Firewall > Rules > WAN??

                    Everything configured right on the web server and it has its default gateway set to pfSense?

                    No software firewall on the web server blocking access from foreign networks?

                    Web server is actually running and listening on tcp/80?

                    Not much else to it.

                    • A
                      altiris
                      last edited by

                      @Derelict:

                      Looks like it should work to me.

                      Is the proper Firewall rule on Firewall > Rules > WAN??

                      Everything configured right on the web server and it has its default gateway set to pfSense?

                      No software firewall on the web server blocking access from foreign networks?

                      Web server is actually running and listening on tcp/80?

                      Not much else to it.

                      Well, to go back: when I create a Virtual IP (one that will be used to assign to my server), if I type in that IP I am brought to a pfsense page, which isn't what I want. I want to be brought to my web server's page. So I guess I have to remove the virtual IP? As for proper firewall rules, the rule that gets created from making the NAT port forwarding is in the WAN interface. Everything on the server side is correct, yet when I try to access the web server with the external IP nothing loads.

                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        Try changing the type of virtual IP to proxy ARP. That will absolutely prevent any services on the firewall node from binding to it.

                        • DerelictD
                          Derelict LAYER 8 Netgate
                          last edited by

                          if I type in that IP I am brought to a pfsense page

                          If you type that IP from where? Inside or outside?

                          • A
                            altiris
                            last edited by

                            @Derelict:

                            if I type in that IP I am brought to a pfsense page

                            If you type that IP from where? Inside or outside?

                            Inside… am I beginning to realize something lol...
                            EDIT: Wow, amazing. If I do it from internal I am brought to the pfsense page. If I do it externally then I am brought to my web server. Wow.

                            • stephenw10S
                              stephenw10 Netgate Administrator
                              last edited by

                              For an explanation and solutions see: https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

                              Steve
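
An added example (not from any poster, and not pfSense code): a simplified Python model of why the same address reached the pfSense page from inside and the web server from outside. The addresses are constructed, and both the webGUI answering on an IP Alias VIP and the LAN-side reflection rule are modelling assumptions.

```python
from dataclasses import dataclass

# Constructed sample addresses (documentation ranges), not taken from the thread.
VIP = "203.0.113.20"         # extra address added as a Virtual IP on WAN
WEB_SERVER = "192.168.1.10"  # internal web server, target of the port forward


@dataclass(frozen=True)
class Rdr:
    iface: str   # interface on which the redirect is evaluated
    dst: str     # original destination address
    port: int    # original destination port
    target: str  # internal host the connection is rewritten to


def build_rules(nat_reflection):
    """The port forward lives on WAN; reflection is modelled as a LAN-side copy."""
    rules = [Rdr("wan", VIP, 80, WEB_SERVER)]
    if nat_reflection:
        # Assumption: real reflection also rewrites the source; omitted here.
        rules.append(Rdr("lan", VIP, 80, WEB_SERVER))
    return rules


def deliver(in_iface, dst, port, rules, vip_type="ipalias"):
    """Return who answers a TCP connection that arrives on in_iface."""
    for r in rules:
        if (r.iface, r.dst, r.port) == (in_iface, dst, port):
            return "web server " + r.target
    # No redirect matched on this interface. An IP Alias is a local address,
    # so the firewall's own listener (the webGUI in this model) answers.
    if dst == VIP and vip_type == "ipalias":
        return "firewall webGUI"
    # Proxy ARP VIP: nothing on the firewall can bind to the address.
    return "no service on firewall"


def who_answers(nat_reflection, vip_type="ipalias"):
    """Compare the view from outside (WAN) and inside (LAN) for tcp/80 on the VIP."""
    rules = build_rules(nat_reflection)
    return {side: deliver(iface, VIP, 80, rules, vip_type)
            for side, iface in (("outside", "wan"), ("inside", "lan"))}


if __name__ == "__main__":
    for reflection in (False, True):
        print("reflection =", reflection, who_answers(reflection))
```

Testing a port forward from a LAN host exercises the `inside` path only, which is why the forward must be verified from the WAN side.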
