Cannot Get Forwarding



  • Hi,
    I just made a pfSense community server, and made a test PC on the LAN, to check forwarding.
    To avoid the sum of filtering and forwarding, I have disabled the firewall, and will set it up after the forwarding works. So actually it should simply act as a router.
    I made a NAT forwarding of ports 80 and 90 to an IIS with two dummy welcome pages on 80 and 90.

    But I cannot get it working from the WAN network. I have already watched some YouTube videos, and it seems correct, but we are surely missing something.

    Thanks
    Fabio D'Alfonso


  • LAYER 8 Global Moderator

    If you disable the firewall then how would forwarding work?

    Forwarding is clickity clickity done.. Really!!!  If it's not working then follow the troubleshooting guide to find where your problem might be.

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • Hi,
    Thanks. I found, on the advanced page, the option to disable the firewall. Forwarding is a router activity, and for this reason it makes sense that NAT is separated from rules, and if the firewall is enabled, you need to set a NAT and ALSO set a rule.
    But, if the firewall is disabled, why should I not be able to simply forward?

    I already made the NAT and rule

    Interface  Protocol  Source Address  Source Ports  Dest. Address  Dest. Ports  NAT IP        NAT Ports  Description  Actions
    WAN        TCP       *               *             WAN address    80 (HTTP)    192.168.4.10  80 (HTTP)
    WAN        TCP       *               *             WAN address    90           192.168.4.10  90

    States  Protocol  Source  Port  Destination   Port       Gateway  Queue  Schedule  Description  Actions
    0/0 B   IPv4 TCP  *       *     WAN address   90         *        none
    0/0 B   IPv4 TCP  *       *     192.168.4.10  80 (HTTP)  *        none             NAT

    What are we missing?

    Thanks
    Fabio D'Alfonso


  • LAYER 8 Global Moderator

    Dude, if the firewall is disabled how is it doing nat? If it's not doing nat then why would you forward?

    What you are missing is a basic understanding of what a port forward is, it seems..  Where is "forwarding" a router function??

    Out of the box you click forward and you're done - it auto creates the firewall rule to create your forward..  This is really less than 10 seconds to accomplish.. If you do not want to nat then do not nat.. But you would have to allow the traffic via a firewall rule.  If you're turning off the firewall then NAT is gone and so is port forwarding..  Now it just routes!!!  What is the network on your wan and what is the network on your lan?

    Did you take 3 seconds and read over the port forwarding instructions??



    Yes, here I was making some mistake, but the forwarding to a NAT address in the LAN was not working even with the firewall active.
    Above are the rules and NATs, could you suggest what is wrong?

    I will be on the lab in half an hour, so I will be able to go on.

    Thanks
    Fabio D'Alfonso



    I see this in pfSense: The Definitive Guide. I have only one WAN IP, is it this situation?

    When you have only a single public IP per WAN, your NAT options are limited. You can only use
    1:1 NAT with Virtual IPs, not with any WAN IPs. In this case, you may only use port forwards.

    Thanks
    Fabio D'Alfonso



  • :(

    Hi all,
    Without any change, it started to NAT to port 90, even though it still does not forward port 80, so it works randomly…

    Anyway it is a good base, even if this "I do when I will" is not that good...

    Thanks
    Fabio D'Alfonso


  • LAYER 8 Netgate

    You can port forward with one WAN IP address just fine. You can 1:1 NAT only one address and if you do that you cannot run anything listening on the firewall like an OpenVPN server so few people use 1:1 with only one outside address.

    Port forwarding really does "just work" when you do it right. Not so much when you do it wrong.

    You should maybe post what you've done and/or read and understand these:

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    (Your port 90 destination in the firewall rule needs to be the inside address (192.168.4.10). For the port 80 check for other things on that troubleshooting list like the default gateway and local firewall on 192.168.4.10 itself).
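The point made in the reply above, as an added example that is not part of the original thread: pf rewrites the destination of an inbound connection before the filter rules are evaluated, so the pass rule has to name the NAT IP rather than the WAN address. The class and function names are hypothetical; the rows are transcribed from the tables posted earlier in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortForward:      # one row of the NAT port-forward table
    iface: str
    proto: str
    dest_port: int      # port on the WAN address
    nat_ip: str         # inside host
    nat_port: int

@dataclass(frozen=True)
class PassRule:         # one pass row of the firewall rules table
    iface: str
    proto: str
    dest: str           # "WAN address" or an IP address
    dest_port: int

def audit_forwards(forwards, rules):
    """Return (wan_port, verdict) for every port forward.

    The filter evaluates the packet after the redirect has rewritten its
    destination, so a pass rule only matches a forwarded connection when
    its destination is the NAT IP and NAT port.
    """
    results = []
    for fwd in forwards:
        candidates = [r for r in rules
                      if (r.iface, r.proto, r.dest_port)
                      == (fwd.iface, fwd.proto, fwd.nat_port)]
        if any(r.dest == fwd.nat_ip for r in candidates):
            verdict = "ok"
        elif any(r.dest == "WAN address" for r in candidates):
            verdict = "rule targets WAN address; use " + fwd.nat_ip
        else:
            verdict = "no pass rule"
        results.append((fwd.dest_port, verdict))
    return results

# Rows as posted in the thread (NAT table, then rules table).
FORWARDS = [PortForward("WAN", "TCP", 80, "192.168.4.10", 80),
            PortForward("WAN", "TCP", 90, "192.168.4.10", 90)]
RULES = [PassRule("WAN", "TCP", "WAN address", 90),
         PassRule("WAN", "TCP", "192.168.4.10", 80)]

if __name__ == "__main__":
    for port, verdict in audit_forwards(FORWARDS, RULES):
        print(port, verdict)
```

Port 80 passes this configuration check, which is why the reply points at the default gateway and the local firewall on 192.168.4.10 for that port.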



  • Hi,
    thanks.

    You are right, but I made the same config on a VMware VM and it started working, as you said, and as it should, out of the box.

    I am not sure where the problem is with the physical one, as it seems to be configured just right, like the VM. So the actual issue is what I call the hamster's syndrome: as it seems right, you cannot do more than run the hamster's wheel, looping over what seems correct.

    Thanks
    Fabio D'Alfonso



  • LAYER 8 Global Moderator

    If you have the firewall disabled you sure as hell are not forwarding anything because you're not doing nat..

    What are you wanting to forward to if you only have 1 interface?

    How about you draw up your network (are they both rfc1918?), showing your networks on the wan and lan side.  Install pfsense clean, don't freaking disable the firewall or nat, and then it's click click for a forward.  If it does not work then see the above troubleshooting guide for where you made a mistake.

    I can tell from being on this forum for many many years that forward issues are 99.99999% of the time PEBKAC or that the traffic is just not even getting to pfsense for it to forward in the first place.  Which if port 80, yeah many an ISP blocks that inbound.


