Netgate Discussion Forum
    1:1 NAT Issue

    Category: NAT
    16 Posts, 5 Posters, 2.8k Views
      Post by amazingnessn

      Hello pfsense community, been having an issue with the firewall that I can't seem to figure out.  I'm trying to assign a separate public IP address to a server behind my firewall.  I've read through several guides like this one: https://forum.pfsense.org/index.php?topic=102363.0 but I keep running into the same issue.

      The problem is that once I set up the separate IP address and assign it to my computer (for testing I've tried this PC and a few others) I can connect, but have horrible lag/packet loss.  Pinging Google shows several timeouts and several successful pings; it seems to be random.  I'm at a loss.

      What I've done:

      Created a new virtual IP, tried both IP Alias and Proxy ARP as the new public IP
      Created a new NAT 1:1 rule, external subnet IP set to public IP, internal IP set to my PC as single host IP address, destination set to any
      Created a new firewall rule as Pass with protocol as any

      Is there something I'm missing?  Thanks in advance, I appreciate any help I can get.

        Post by KOM

        It is rarely a good idea to use 1:1 NAT IMO.  If you're trying to make a service available, a simple port-forward will usually do.  Use an IP Alias for your VIP.

        https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

          Post by amazingnessn

          @KOM:

          It is rarely a good idea to use 1:1 NAT IMO.  If you're trying to make a service available, a simple port-forward will usually do.  Use an IP Alias for your VIP.

          https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

          https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

          https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

          Right, I've gotten servers setup with port forwarding before, but was trying to see if I could get a separate public IP to work.  I hit a wall and wanted to see if anyone could point out any glaring errors or if it's some kind of bug with pfsense, because as far as I can tell my current configuration should work but it isn't.

            Post by Derelict (LAYER 8, Netgate)

            What type of WAN connection do you have that allows multiple public IP addresses?

            Are you testing from inside or outside?

            Post the screen shots of your WAN interface, WAN Firewall Alias, 1:1 NAT rule, and corresponding WAN firewall rule.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              Post by KOM

              I wish I had a dollar for every person who thought they found a bug in pfSense but it was really a misconfiguration.

              Please post screens of your WAN rules (sanitized of course) and your NAT port-forward, along with network details of the internal server and ports required.

                Post by Derelict (LAYER 8, Netgate)

                Quoting amazingnessn: "some kind of bug with pfsense"

                I used to let that bother me. Therapy has helped. ;)


                  Post by amazingnessn

                  @Derelict:

                  What type of WAN connection do you have that allows multiple public IP addresses?

                  Are you testing from inside or outside?

                  Post the screen shots of your WAN interface, WAN Firewall Alias, 1:1 NAT rule, and corresponding WAN firewall rule.

                  http://puu.sh/rJ7Fy/b482f4309e.png -> Public IP 1
                  http://puu.sh/rJ81c/eddeb19722.png -> Public IP 2; I've found different posts that suggest both IP Alias and Proxy ARP, tried both
                  http://puu.sh/rJ8tc/266673a949.png -> Public IP 2, Private IP of PC
                  http://puu.sh/rJ8z9/9cf43675df.png -> Private IP of PC

                  @KOM:

                  I wish I had a dollar for every person who thought they found a bug in pfSense but it was really a misconfiguration.

                  I don't think that it's a bug in pfsense.  I was just explaining that I know this is possible with port forwarding as well, but would like to find out what I'm doing wrong with this setup, because as far as I can tell it should be working, hence why I posted to ask someone else to be kind enough to look at my configuration.  I'm sorry that you seem to have taken offense to my previous post, but I didn't mean anything by it nor was I blaming the software.

                    Post by Derelict (LAYER 8, Netgate)

                    In the images you posted your 1:1 NAT entry is disabled.


                      Post by amazingnessn

                      @Derelict:

                      In the images you posted your 1:1 NAT entry is disabled.

                      Right, with it enabled I have horrible packet loss so it's disabled until I try something else to fix it again.

                        Post by KOM

                        Quoting amazingnessn: "with it enabled I have horrible packet loss"

                        How are you testing and measuring?

                          Post by amazingnessn

                          @KOM:

                          with it enabled I have horrible packet loss

                          How are you testing and measuring?

                          I've tried different speed testing sites; all come in at ~10% of what typical results are.  Pinging any public IP (Google, for example) will have several successful pings and several timeouts.  Attempting to reach any website takes significantly longer than usual, occasionally failing to load CSS or images properly.

                          Disabling the rule returns functionality back to normal.

                            Post by KOM

                            Weird.  A 1:1 NAT should have no bearing on other outgoing network traffic.  What version of pfSense, and what are you running it on?

                              Post by amazingnessn

                              @KOM:

                              Weird.  A 1:1 NAT should have no bearing on other outgoing network traffic.  What version of pfSense, and what are you running it on?

                              2.3.2-RELEASE-p1, had tried updating to see if that was a fix but no luck.  I'm using a Supermicro X10SLL-F motherboard, Xeon E3-1220 v3 CPU, 8 GB RAM.

                                Post by Derelict (LAYER 8, Netgate)

                                Sounds like a problem with the ISP to me. Probably time to packet capture on WAN when it is malfunctioning and see what's really going on there. Make sure all the IP addresses and MAC addresses are doing what they are supposed to be doing.


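Derelict's suggestion above (capture on WAN while the problem is happening and make sure the IP and MAC addresses are doing what they should) can be turned into a repeatable check. The script below is an added example, not code from the thread or from pfSense: it reads a tcpdump ARP capture taken on the WAN interface and reports any address that more than one MAC answers for, which is exactly the kind of upstream conflict that produces the on/off packet loss described earlier. The interface name em0, the 203.0.113.0/24 addresses and the MAC addresses are constructed placeholders, not the poster's values.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense code): find public addresses
# that more than one MAC answers ARP for, using a tcpdump capture from the WAN.
#
# On pfSense the capture itself is taken with (interface name em0 is assumed):
#   tcpdump -n -e -i em0 arp > /tmp/wan-arp.txt
# SAMPLE_CAPTURE is CONSTRUCTED text in tcpdump's "-n -e" ARP output format,
# using documentation-range addresses (203.0.113.0/24) and made-up MACs.
# 203.0.113.10 is answered by two different MACs; 203.0.113.11 by one.
SAMPLE_CAPTURE='12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.10 tell 203.0.113.1, length 28
12:00:01.000500 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at aa:bb:cc:dd:ee:01, length 28
12:00:01.000900 aa:bb:cc:dd:ee:02 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.10 is-at aa:bb:cc:dd:ee:02, length 28
12:00:02.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 203.0.113.11 tell 203.0.113.1, length 28
12:00:02.000400 aa:bb:cc:dd:ee:01 > 00:11:22:33:44:55, ethertype ARP (0x0806), length 42: Reply 203.0.113.11 is-at aa:bb:cc:dd:ee:01, length 28'

# arp_conflicts: read tcpdump ARP lines on stdin; for every IP that appears in
# ARP replies from more than one distinct MAC, print "IP MAC1 MAC2 ...".
arp_conflicts() {
    awk '
        / Reply / {
            # the tokens after "Reply" are: <ip> is-at <mac>,
            for (i = 1; i <= NF; i++) if ($i == "Reply") { ip = $(i + 1); mac = $(i + 3) }
            sub(/,$/, "", mac)                      # drop the trailing comma
            key = ip SUBSEP mac
            if (!(key in seen)) { seen[key] = 1; macs[ip] = macs[ip] " " mac; n[ip]++ }
        }
        END { for (ip in n) if (n[ip] > 1) print ip macs[ip] }
    ' | sort
}

# arp_responders IP: print every distinct MAC that has claimed IP in a reply,
# one per line, so a VIP can be compared with the MAC pfSense should be using.
arp_responders() {
    awk -v want="$1" '
        / Reply / {
            for (i = 1; i <= NF; i++) if ($i == "Reply") { ip = $(i + 1); mac = $(i + 3) }
            sub(/,$/, "", mac)
            if (ip == want && !(mac in seen)) { seen[mac] = 1; print mac }
        }
    '
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | arp_conflicts
```

Run the capture for a minute or two with the 1:1 entry enabled and the loss occurring, then feed the file to arp_conflicts. A VIP listed with two MACs means something on the WAN segment besides the firewall is answering for it, which is a conversation to have with the provider rather than something to fix in the NAT rule.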
                                  Post by killmasta93

                                  so if I understood correctly,

                                  WAN-----LAN
                                    |
                                    |
                                    |
                                  VIP (email server or websites another WAN IP?)

                                  1. What internet provider do you have, and is it fiber or is the WAN DHCP?
                                  2. If it's fiber, usually (at least where I live) the ISP gives 5 static IPs, which you can configure using a VIP and the 1:1 with no issue.
                                  3. If it's WAN DHCP then you need another network card, because the modem of the ISP wraps around your MAC and won't let you have 2 IPs.  Then there is no need for 1:1; instead you need to edit the settings in hybrid mode on outbound NAT, add the LAN IP which you want to separate, and edit the NAT rules for that IP.  See pictures.

                                  Attachments: Clipboarder.2016.10.23.png, Clipboarder.2016.10.23-002.png, Clipboarder.2016.10.23-003.png

                                  Tutorials:

                                  https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

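The thread now has two competing ways to tie a second public IP to one internal host: the 1:1 NAT entry the original poster configured, and the hybrid outbound NAT rule killmasta93 describes. Which one pf has actually loaded is easier to verify from the running ruleset than from GUI screenshots; earlier in the thread Derelict noticed from the screenshots that the 1:1 entry was disabled. The script below is an added example, not code from the thread or from pfSense: it classifies the translation rules for one VIP from the output of pfctl -sn. The sample output, the 203.0.113.0/24 and 192.168.1.0/24 addresses and the interface name em0 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread, not pfSense code): audit the translation
# rules pf has loaded for one public VIP, so a disabled or duplicated mapping
# is caught before the ISP is blamed.
#
# On pfSense the live translation rules are read with:   pfctl -sn
# SAMPLE_PFCTL_SN is CONSTRUCTED text in that output format (a binat rule is
# what a pfSense 1:1 NAT entry becomes; a nat rule is an outbound NAT entry).
# The WAN interface name em0 and all addresses are placeholders.
SAMPLE_PFCTL_SN='nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.2
binat on em0 inet from 192.168.1.50 to any -> 203.0.113.10
nat on em0 inet from 192.168.1.50 to any -> 203.0.113.10'

# vip_mapping VIP: read pfctl -sn lines on stdin and print one word:
#   binat  a 1:1 NAT rule maps an internal host to VIP
#   nat    only an outbound NAT rule (the hybrid outbound NAT approach) maps to VIP
#   both   both rule kinds reference VIP; keep only the one you intend
#   none   nothing maps to VIP, e.g. the 1:1 entry is still disabled
vip_mapping() {
    awk -v vip="$1" '
        $NF == vip && $1 == "binat" { b = 1 }
        $NF == vip && $1 == "nat"   { n = 1 }
        END {
            if (b && n) print "both"; else if (b) print "binat"; else if (n) print "nat"; else print "none"
        }
    '
}

# binat_hosts VIP: print the internal address each binat rule ties to VIP
# (the operand after "from"), one per line, to confirm it is the intended host.
binat_hosts() {
    awk -v vip="$1" '
        $1 == "binat" && $NF == vip {
            for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)
        }
    '
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_PFCTL_SN" | vip_mapping 203.0.113.10
printf '%s\n' "$SAMPLE_PFCTL_SN" | binat_hosts 203.0.113.10
```

On the firewall itself the same functions are fed with pfctl -sn | vip_mapping 203.0.113.10 (substituting the real VIP). "none" while the GUI shows a 1:1 entry means the entry is disabled or not applied; "both" means a 1:1 entry and an outbound rule overlap for the same VIP and one of them should go.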
                                    Post by johnpoz (LAYER 8, Global Moderator)

                                    "I wish I had a dollar for every person who thought they found a bug in pfSense but it was really a misconfiguration."

                                    hehe - if that could only go to help fund pfsense ;)

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.