NAT Connection refused
-
Have the most basic setup.
Firewall Rule: Source 50.90.99.99 Port * Destination 51.90.98.99 Port *
NAT 1:1 WAN 51.90.98.99 Internal IP 192.168.1.50 Destination IP *
System Adv: NAT reflection: Enable(Pure NAT)
Enabled auto creation of additional redirect NAT rules for 1:1 mappings
Enabled auto outbound NAT reflectionWhat am I missing here? Firewall is dropping packets (not blocking) No log entries or packets captured.
-
You gave us zero information in that post to help us let you know what you did wrong. How about real IP addresses and ports - better yet screen shots? Make up a WAN IP if you must.
-
OK I spelled it out there is not much to it
1 Rule allowing access to the WAN address
1 Nat rule from public IP to LAN ipClicked enable on Adv page for Pure NAT and redirects.
-
What is that Source address doing in your NAT Rule?
You had to click Advanced to even see the option and broke the rule.
You probably want ANY.
Firewall Rule: Source * Port * Destination 192.168.1.50 Port *
-
I only want access to this device from a specific external network
I created an Alias for this network (wan IP block) and used that as the source.
I am not ready to open this up to any. Do you think that is actually blocking me? I have the same rule setup for my firewall access (source specific) and it works fine.
-
Then Firewall Rule: Source source network or alias Port * Destination 192.168.1.50 Port *
-
yeah - thats what I have and its not working. What circumstances would not show anything in the logs? No blocking, packet capture does not show anything either.
-
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Check all those things. This really does "just work."
-
So your nat reflection is not working? Its not working from external. I could see nat reflection not working if you have a source in your rule that would block your actual source for example.
Is the traffic showing up on your wan? There is nothing in the logs about the traffic being blocked - sniff does it hit your wan and then go out your lan. Maybe your lan client firewall is blocking it, etc..
Step through the doc linked too.. Its got pretty much everything you would need to find the problem. Once you have gone through the doc - let us know where its failing.. and its always better to just post screen shots of your rules and your nats so we can see if there is something conflicting.
-
I attached screen shots of my config - maybe someone can point out what I am doing wrong.
I had the 1:1 NAT setup w/ FW rules to port 40809 for SSH
I then tried adding some port forwarding to test our email server as well as SSH - but it still does not work.
-
Don't set source ports.
Common Problems
1. NAT and firewall rules not correctly added (see How can I forward ports with pfSense?)
Hint: Do NOT set a source port
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
There is a list of all the things to check there.
-
The OP should better decide whether he wants to do 1:1 NAT or port forwards… having a mish-mash of both trying to do the same things does NOT help.
https://forum.pfsense.org/index.php?topic=94940.0
-
Since all servers behind firewall have a public static IP I will do 1:1 NAT
In that case I will remove the Port Forwarders
Now - when I setup the rules for the 1:1 Nat servers - I set up the rules on the WAN INT - is the destination address the WAN IP or Internal IP of intended server?
Thanks,
-
I already linked this on the other thread! https://doc.pfsense.org/index.php/1:1_NAT
Read it. NOW.
Also:
https://doc.pfsense.org/index.php/Can_I_use_1:1_NAT_on_my_WAN_IP
https://doc.pfsense.org/index.php/Do_NAT_port_forwards_override_1:1_NATSince all servers behind firewall have a public static IP I will do 1:1 NAT
Errr… 192.168.5.220 is NOT a public (routable IP). Neither is 192.168.1.50. Both of those are RFC1918... If you had public IPs on LAN, there'd be no point in doing any NAT. In general, by posting totally misleading and confusing information, you are just wasting everyone's time, not to mention that it prevents people from providing relevant advise.
:(
-
ok.ok… so should be mapped to internal port
But reading this:
Yes, 1:1 NAT may be used from the WAN IP address to an internal IP address. But be aware that this maps every port and services on the firewall will no longer be reachable from the outside. To reach the firewall from the outside, port forward entries must be added to negate the 1:1 NAT for the specific ports on the firewall to be reached.
So dont' use 1:1 NAT for my purpose and use the port forwarding only?
-
What??? You just told us that "all servers behind firewall have a public static IP".
Look, as already hinted in my previous post, I have absolutely no clue about your setup. Post some real information.
-
Here are my settings:
-
- What's "WAN_email"? Is that the same thing like the "External IP" in 1:1 NAT or not?
- What's "LAN_email"? It that the same thing like "Internal IP" in the 1:1 NAT or not?
- What's TCP 40809? Why's it both in antilockout and port forward?!
- Where have all those other "servers with static public IP" vanished?!
Looking at the setup and the generic mess, I have some extremely strange feeling I have seen this somewhere. Was about ~10 pages thread full of beep!
-
WAN_email is public email ip alias
LAN_email same thing40809 is custom ssh port
Where have all those other "servers with static public IP" vanished
-just trying to get my mail server working right now - once working should be easy to get the others online
Thanks,
-
