NAT'ing external port on VIP to internet LAN IP



  • So I have a WAN connection with 5 static IPs

    98.1o9.113.99 is the IP of the WAN interface itself and 100, 101, 102 are addresses I've added as IP aliases to my pfSense box.

    The end goal here is to have traffic that hits VIP 09.1o9.113.100 on TCP 80 to be NAT'd to internal host 10.84.5.13

    I tried adding a NAT rule for this without any success.  I then tried putting a FW rule on top of that without any success.  I'm a little stumped.

    I've enclosed screen shots of my configs

    thanks in advance for looking!!







  • The NAT looks ok.  Your firewall rule image is incomplete.  Post a screenshot of the entire firewall rule please from the WAN rules screen.  Sanitize anything sensitive.



  • Here is the lower half of the FW rule screen - display resolution won't let me screenshot the whole thing at once.



  • Don't set source ports in your Port Forwards.

    You had to click advanced then ignore this:

    Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.



  • @Derelict:

    Don't set source ports in your Port Forwards.

    You had to click advanced then ignore this:

    Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port.

    I'm a little confused by your post.
    I don't have any source port specified as the screenshots show - I only have destination specified. Am I misunderstanding what you are trying to tell me?





  • Don't set source ports in your Port Forwards.

    D'oh, good catch.  I didn't notice that at all.



  • You don't set source port requirements in the NAT rules. What the rule is now saying is "Perform the RDR only if the source port in the incoming packet is 80" (and of course the other requirements have to be met as well). This is never going to be true for regular HTTP traffic arriving to your end, the source port is going to be a randomly chosen port from range 1024:65535.

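To make the last reply concrete, here is an added example (not code from the thread or from pfSense) that models the port forward as the pf `rdr` rule it becomes, once with the source port pinned to 80 and once with source port `any`, and checks which version actually matches client connections arriving from ephemeral ports. The interface name `em0` and the VIP `198.51.100.100` are assumed placeholders; `10.84.5.13` is the internal host from the thread.

```python
from dataclasses import dataclass
from typing import Optional
import random

@dataclass(frozen=True)
class RdrRule:
    """One pf 'rdr' (port forward) rule, reduced to the fields that matter here."""
    iface: str
    proto: str
    src_port: Optional[int]   # None means 'any', which is what a port forward should use
    dst_addr: str
    dst_port: int
    target_addr: str
    target_port: int

    def to_pf(self) -> str:
        """Render the rule in pf.conf syntax (assumed to mirror what pfSense generates)."""
        src = "any" if self.src_port is None else f"any port {self.src_port}"
        return (f"rdr on {self.iface} proto {self.proto} from {src} "
                f"to {self.dst_addr} port {self.dst_port} "
                f"-> {self.target_addr} port {self.target_port}")

    def matches(self, src_port: int, dst_addr: str, dst_port: int) -> bool:
        """True if an incoming packet with these fields would be redirected."""
        if dst_addr != self.dst_addr or dst_port != self.dst_port:
            return False
        return self.src_port is None or src_port == self.src_port

# Constructed values: a TEST-NET-2 address stands in for the poster's sanitized VIP
# and 'em0' is an assumed WAN interface name.
VIP, LAN_HOST = "198.51.100.100", "10.84.5.13"
BROKEN = RdrRule("em0", "tcp", 80, VIP, 80, LAN_HOST, 80)    # source port pinned to 80
FIXED = RdrRule("em0", "tcp", None, VIP, 80, LAN_HOST, 80)   # source port 'any'

def match_rate(rule: RdrRule, n: int = 1000, seed: int = 1) -> float:
    """Fraction of n simulated HTTP client connections the rule would redirect.
    Each client picks a random ephemeral source port (1024-65535), as in the last reply."""
    rng = random.Random(seed)
    hits = sum(rule.matches(rng.randint(1024, 65535), VIP, 80) for _ in range(n))
    return hits / n

if __name__ == "__main__":
    for rule in (BROKEN, FIXED):
        print(f"{rule.to_pf()}\n  redirects {match_rate(rule):.0%} of client connections")
```

The pinned rule only fires when the client itself happens to use source port 80, which a normal browser never does, so the forward appears to do nothing even though the rule looks plausible in the GUI.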
