Netgate Discussion Forum

    Port forward reply NAT not working.

    NAT
    11 Posts 3 Posters 2.4k Views
      johnpoz LAYER 8 Global Moderator

      So you have 2 pfSense, 1 behind the other. Your forward shows it's supposed to go to 5.253. Why are you seeing tcpdump to .1?

      So your downstream pfSense is NATing as well. How do you get to 192.168.5 when it seems you're on 192.168.253?

      I would suggest you draw up your network.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        Aubete

        @johnpoz:

        So you have 2 pfSense, 1 behind the other. Your forward shows it's supposed to go to 5.253. Why are you seeing tcpdump to .1?

        So your downstream pfSense is NATing as well. How do you get to 192.168.5 when it seems you're on 192.168.253?

        I would suggest you draw up your network.

        Thanks for the response.

        A schematic:

        dedicated
        vpn clients --- internet --- pfsense 5.253 ---- 5.254 pfsense 253.1 ---- MAN --- vpn clients
                                                                                  |
                                                                                  |
                                                                              internet

        The 5.253 pfSense is a dedicated VPN server with its own dedicated internet. But we have a MAN network (a WiFi network with multiple sites) whose sites have VPNs to 5.253. The main pfSense has standard internet for browsing and other "normal internet stuff"; from the MAN they need to access the "normal" internet and the dedicated pfSense, so I need to port forward.

        The MAN is not "ours", so the routing and firewalling are not adjustable by me. Only the 253 network is routed.

        So a client at 253.236 sends a packet to 253.1; 253.1 port forwards the packet to 5.253. 5.253 answers this packet and sends it to 253.1, then 253.1 sends it to 253.236, but the source address is 5.253.

        The 253 network routes nothing but the 253 network, so 253.236 cannot reach 5.253, only 253.1.

        Maybe this clears up the situation.

        Some time ago I had another weird thing on the main pfSense (the one that is not NATing now): the other VPN configs changed (not by an admin). The contents of the client setup page's advanced box moved to the server's advanced box. But this is another story...

          johnpoz LAYER 8 Global Moderator

          So your downstream is not NATing? Where you move from RFC 1918 to public is where you would need to NAT; downstream stuff that is all RFC 1918 does not have to NAT.

            Aubete

            Hi!

            Thanks for the reply.

            So is this something new in pfSense? This thing has been working for almost a year. Last week something happened that caused some troubles:

            1. the OpenVPN configs broke,
            2. port 20000 is not NATing,
            3. the VLANs are working weirdly (but this is maybe a switch-related problem).

            What changed?

              Derelict LAYER 8 Netgate

              Did you make changes, upgrade, or anything?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                Aubete

                Hi!

                Thanks for the answer!

                No, only an unexpected blackout happened. But the RFCs are IMHO not an explanation. If I have an internet connection to a router that has an internal network address on its internal interface... if I have more than one… So NATing can work with internal addresses. My Linux routers manage that without any problem.

                I tried:

                Deleting and re-adding the rule.
                Restarting the server.
                NATing other machines on the route.

                Not working. I don't understand why. The other port forwardings work. Example: 253.1 -> 127.0.0.1 is working (this is needed for the multi-input VPN); that interface is an internet interface too, but we don't use this function.

                  Aubete

                  @Aubete:

                  Hi!

                  Thanks for the answer!

                  No, only an unexpected blackout happened. But the RFCs are IMHO not an explanation. If I have an internet connection to a router that has an internal network address on its internal interface... if I have more than one… So NATing can work with internal addresses. My Linux routers manage that without any problem.

                  I tried:

                  Deleting and re-adding the rule.
                  Restarting the server.
                  NATing other machines on the route.

                  Not working. I don't understand why. The other port forwardings work. Example: 253.1 -> 127.0.0.1 is working (this is needed for the multi-input VPN); that interface is an internet interface too, but we don't use this function.

                  I'll try to explain the structure. See the attached image (quick work...).

                  ![vpn explanation.jpg](/public/imported_attachments/1/vpn explanation.jpg)

                    Aubete

                    Bump!

                      Derelict LAYER 8 Netgate

                      I don't know if it's the language barrier or too much information in the diagram but I can't get a handle on what is or is not working. Nor do I understand why NAT is involved on the inside at all.

                        Aubete

                        Hi!

                        Thanks for the answer.

                        So... I'll try again…

                        There are two types of sites. One is on DSL lines; they connect via public internet access to the VPN servers. The second connects via the Middle Area Network (multiple sites connected via WLAN) to the VPN servers.

                        The first pfSense handles the database connections from the sites. The second pfSense handles the file-related connections from the sites. The first pfSense has 2 internet connections, a MAN connection and several internal LAN connections. The second pfSense has a very fast internet connection, a connection to the first pfSense and a connection to the file servers.

                        The MAN sites can only reach the internet through the first pfSense.

                        All sites must be connected to both pfSenses, but the MAN sites can do so only through the first pfSense (which handles the MAN network).

                        So the MAN network cannot route to the second pfSense's network, so the MAN sites cannot reach it.

                        Therefore the VPNs' destination is the first pfSense's MAN interface. The first pfSense forwards the port to the second pfSense.

                        The problem is that the second pfSense's response to the MAN sites goes through the first pfSense, but the first pfSense does not translate the outgoing packet's source address to the MAN interface's IP address.

                        The packet goes through the first pfSense and on to a network that cannot handle the second pfSense's IP address; therefore the MAN sites cannot build the VPN connection.

                        The diagram only shows the structure, not the problem.
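A toy model of what the first pfSense's port forward should do with the reply, added here as an example; it is not code from this thread or from pfSense. It uses the addresses from the schematic above (192.168.253.1 listening on port 20000, forwarded to 192.168.5.253, with 192.168.5.254 as the first pfSense's inside address); the client 192.168.253.236, the two /24 prefixes and the port numbers are assumptions. It shows three things worth checking: a reply that matches the firewall's state gets its source rewritten back to 192.168.253.1; a reply that reaches the firewall with no matching state keeps the 192.168.5.253 source that the MAN cannot route, which is the symptom described; and if the target's own default route points at its dedicated internet, its reply to a 192.168.253.x address never comes back through the first pfSense at all unless the target has a route for that network or the forward also source-NATs the client to 192.168.5.254 (in pfSense terms, an outbound NAT rule on the internal interface toward the target).

```python
import ipaddress
from dataclasses import dataclass

# Networks the (third-party) MAN is willing to route. Constructed from the
# thread's statement that "only the 253 network is routed".
MAN_ROUTED = ("192.168.253.0/24",)
TARGET_LAN = "192.168.5.0/24"  # assumed prefix of the second pfSense's network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PortForwardNat:
    """Minimal stateful port forward (pf 'rdr' plus a state table).

    listen_ip/port: what clients on the MAN talk to (192.168.253.1:20000)
    target_ip:      inside host the port is forwarded to (192.168.5.253)
    snat_ip:        optional source NAT applied on the way to the target, so
                    the target addresses its reply to this firewall (192.168.5.254)
    """

    def __init__(self, listen_ip, port, target_ip, snat_ip=None):
        self.listen_ip, self.port = listen_ip, port
        self.target_ip, self.snat_ip = target_ip, snat_ip
        self.states = {}  # translated 4-tuple -> original client packet

    def forward(self, pkt):
        """Packet arriving from the MAN side; returns what is sent to the target."""
        if not (pkt.dst == self.listen_ip and pkt.dport == self.port):
            return pkt  # not covered by the port forward
        src = self.snat_ip or pkt.src
        out = Packet(src, pkt.sport, self.target_ip, self.port)
        self.states[(out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def reply(self, pkt):
        """Packet from the target heading back; returns what leaves toward the MAN."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        orig = self.states.get(key)
        if orig is None:
            # No state: nothing rewrites the source, so the inside address leaks
            # out (or the packet is blocked, depending on the filter rules).
            return pkt
        # Reverse translation: source becomes the address the client originally used.
        return Packet(orig.dst, orig.dport, orig.src, orig.sport)


def man_can_route(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in MAN_ROUTED)


def target_next_hop(reply, known_nets):
    """Where the target host sends its reply. known_nets are the networks it
    has a static route for via the first pfSense (192.168.5.254)."""
    dst = ipaddress.ip_address(reply.dst)
    if dst in ipaddress.ip_network(TARGET_LAN):
        return "direct"
    if any(dst in ipaddress.ip_network(n) for n in known_nets):
        return "via 192.168.5.254"
    return "default route (own WAN)"  # never comes back through the first pfSense


def run_scenario(snat, target_known_nets=()):
    """Trace one client request and its reply through the model."""
    fw = PortForwardNat("192.168.253.1", 20000, "192.168.5.253",
                        snat_ip="192.168.5.254" if snat else None)
    client = Packet("192.168.253.236", 40000, "192.168.253.1", 20000)
    to_target = fw.forward(client)
    reply = Packet(to_target.dst, to_target.dport, to_target.src, to_target.sport)
    if target_next_hop(reply, target_known_nets) == "default route (own WAN)":
        return {"reaches_firewall": False, "client_sees_src": None, "man_routable": False}
    back = fw.reply(reply)
    return {"reaches_firewall": True, "client_sees_src": back.src,
            "man_routable": man_can_route(back.src)}


def run_stale_state():
    """Reply arrives but the state it belongs to is gone (e.g. the firewall
    restarted in between): the source is not rewritten."""
    fw = PortForwardNat("192.168.253.1", 20000, "192.168.5.253")
    to_target = fw.forward(Packet("192.168.253.236", 40000, "192.168.253.1", 20000))
    fw.states.clear()
    reply = Packet(to_target.dst, to_target.dport, to_target.src, to_target.sport)
    back = fw.reply(reply)
    return {"client_sees_src": back.src, "man_routable": man_can_route(back.src)}


if __name__ == "__main__":
    print("no snat, no route back:", run_scenario(snat=False))
    print("no snat, route back:   ", run_scenario(snat=False, target_known_nets=MAN_ROUTED))
    print("snat to 5.254:         ", run_scenario(snat=True))
    print("stale state:           ", run_stale_state())
```

The practical checks this suggests, for the problem as described: confirm on the first pfSense that the forward's state exists and that the reply actually hits it (the state table under Diagnostics, or tcpdump on both the MAN-facing and the 5.x-facing interfaces), and confirm that 192.168.5.253 has a route for the MAN prefix pointing at 192.168.5.254, or else source-NAT the forwarded traffic so that the reply has no choice but to return through the firewall that holds the state.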

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.