Netgate Discussion Forum
NAT
@ PFSNSE
7 Posts 2 Posters 696 Views
bharlequin

Hi techs,

I have 2 PFSENSE appliances for testing. PFSENSE1 has internet from my ISP modem and PFSENSE2 connects to the internet through PFSENSE1.
PFSENSE1 WAN IP: 61.15.15.20
PFSENSE1 LAN IP: 192.168.100.1

PFSENSE2 WAN IP: 192.168.100.2, GW 192.168.100.1
PFSENSE2 LAN IP: 192.168.200.1

I can get internet from PFSENSE2 through it. I would like to allow a server connected to PFSENSE2 to be accessed from the WAN on PFSENSE1.

I appreciate any advice or recommendation.
Thank you

johnpoz (LAYER 8 Global Moderator) @bharlequin

So your server is, say, on 192.168.200.X.

So forward whatever port Y on pfsense1 to 192.168.100.2.

Then on pfsense2, forward port Y to 192.168.200.X.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

bharlequin @johnpoz

@johnpoz

I tried this but it did not work. Will try again.

Will this double NAT pose a problem?

johnpoz (LAYER 8 Global Moderator) @bharlequin

There are many, many users behind double NAT. While it's not optimal, and can be problematic for some protocols,

normally it is not a problem.

With any port forwarding, be it through single NAT, double NAT or even triple+ etc., troubleshooting is exactly the same.

First step is just to validate your traffic is even hitting your public WAN. Then validate your forward on your edge is sending to your 2nd router. A simple packet capture and use of, say, can you see me . org should take you like 30 seconds to figure out where your problem is.

You're not trying to test this from inside your own network, are you?

https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat.html
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

bharlequin @johnpoz

@johnpoz

Thanks for your prompt response. I am not testing from inside my network. I will remove all rules and retry.

johnpoz (LAYER 8 Global Moderator) @bharlequin (last edited by johnpoz)

First step I would do, before you even do any rules, is just test that whatever port you're trying to forward is seen on your public WAN via a test with can you see me . org and packet capture.

No ports are required to be open even to validate you can see the traffic at your edge.

Example: say you wanted to forward 4444 (just some random port out of thin air).

[image: 4444.png]

Now I know my WAN sees traffic to that port. Then do your forward to the second pfsense WAN port. Do a sniff on its WAN. Do you see the traffic?

For me there is zero point in doing anything until you first validate traffic actually gets to the pfsense WAN. Since if it's not, you can not forward what it never sees.

I take it you're wanting to forward some TCP port. UDP can be problematic to test; not an issue sniffing, but many of the online sites like can you see me . org don't allow for testing UDP. So you need some other way to generate the UDP traffic to the port you're wanting to use.

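One way to script the hop-by-hop check johnpoz describes (capture on each hop, find where the SYN stops), as an added example that is not from the thread or from pfSense itself: it parses tcpdump's default text output, the hop addresses are the ones from the thread, and the server address 192.168.200.10, the tester address 203.0.113.5 and the capture lines are constructed assumptions.

```python
import re

# Hops the SYN must traverse, in order. Addresses are from the thread; the
# server 192.168.200.10 is an assumed value standing in for "192.168.200.X".
HOPS = [("pfsense1 WAN", "61.15.15.20"),
        ("pfsense2 WAN", "192.168.100.2"),
        ("server LAN", "192.168.200.10")]

# tcpdump's default text for a TCP SYN: "... IP a.b.c.d.sport > w.x.y.z.dport: Flags [S], ..."
SYN_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[S\]")

def seen_syn(capture, dst_ip, dport):
    """True if any line of a tcpdump capture is a TCP SYN to dst_ip:dport."""
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if m and m["dst"] == dst_ip and int(m["dport"]) == dport:
            return True
    return False

def locate_break(captures, dport):
    """captures maps hop name -> tcpdump text. Returns the first hop in HOPS
    where the SYN is absent, or None when it reached every hop."""
    for name, ip in HOPS:
        if not seen_syn(captures.get(name, ""), ip, dport):
            return name
    return None

DIAGNOSIS = {
    "pfsense1 WAN": "traffic never reaches the edge WAN; nothing to forward yet",
    "pfsense2 WAN": "pfsense1 forward is not delivering to 192.168.100.2",
    "server LAN": "pfsense2 forward is not delivering to the server",
    None: "forward chain is fine; check the server's listener and host firewall",
}

def diagnose(captures, dport):
    """Map the first missing hop to the check the thread says to do next."""
    return DIAGNOSIS[locate_break(captures, dport)]

# Constructed sample captures: an external tester (203.0.113.5) sends a SYN
# to port 4444; the edge WAN sees it, but the second pfSense's WAN does not.
EDGE_CAPTURE = (
    "12:00:01.000001 IP 203.0.113.5.51000 > 61.15.15.20.4444: Flags [S], seq 1, win 64240, length 0\n"
    "12:00:02.000001 IP 203.0.113.5.51001 > 61.15.15.20.443: Flags [S], seq 2, win 64240, length 0\n"
)
CAPTURES_EDGE_ONLY = {"pfsense1 WAN": EDGE_CAPTURE, "pfsense2 WAN": ""}
CAPTURES_ALL = {
    "pfsense1 WAN": EDGE_CAPTURE,
    "pfsense2 WAN": "12:00:01.000200 IP 203.0.113.5.51000 > 192.168.100.2.4444: Flags [S], seq 1, win 64240, length 0\n",
    "server LAN": "12:00:01.000400 IP 203.0.113.5.51000 > 192.168.200.10.4444: Flags [S], seq 1, win 64240, length 0\n",
}
```

Feed it the text of `tcpdump -ni <interface> 'tcp port 4444'` taken on each hop while an outside host probes the port; `diagnose(captures, 4444)` then names the hop whose forward to look at first.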
bharlequin
@johnpoz
I recreated the NAT rule and was successful in getting this to work; currently monitoring the connection.

Thanks for your effort, thanks.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.