Netgate Discussion Forum

    Port forward not forwarding (yes, yet another thread.)

      KimmoJ

      Hello.

      I can't get port forwarding to work. Now, I've done it before a fair number of times. On m0n0wall, on pfSense elsewhere, etc. It's not like how to do it is a great mystery, either.  But I must be missing something, so maybe someone else can spot it.

      Yes, I have read https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting and considered 1-15 and I can't see any of those that might apply, except possibly the missing Virtual IP section. Currently, I have just the one on the WAN, .8.34 which is the CARP (and there are virtual CARP IPs for all the internal LANs also, there are 4.)

      We have two IP ranges, /28s (16 addresses). pfSense uses three of those (x.x.8.34, .35 and .36, with .34 being the shared CARP.)

      I'm trying to forward .8.42 to the internal address 192.168.27.15, and it seems straightforward. It's just not working.

      Attached the settings for the NAT rule and the associated FW rule.

      The target machine has its firewall turned off entirely. The web server serves up port 443 just fine on the local network. Its gateway is set to 192.168.27.1, the firewall CARP IP.

      Portscanning the .8.42 address from Mxtoolbox for instance shows 443 is closed. Trying to connect to the remote desktop gateway in this case from an external address doesn't work.

      I'm sure it may be something simple, but I'll be hanged if I can figure it out.
      fwrule.png
      nat-fwrule.png

        johnpoz LAYER 8 Global Moderator

        So per the troubleshooting doc, you sniffed on the WAN and see this traffic, and then sniffed on the LAN and don't see it go to where you're forwarding, or you do see it forwarded?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Derelict LAYER 8 Netgate

          @KimmoJ:

          Yes, I have read https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting and considered 1-15 and I can't see any of those that might apply, except possibly the missing Virtual IP section. Currently, I have just the one on the WAN, .8.34 which is the CARP (and there are virtual CARP IPs for all the internal LANs also, there are 4.)

          If you want to port forward 8.42 you need a VIP on WAN for 8.42. Make it type IP Alias and for Interface choose the WAN CARP VIP (8.34).

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            KimmoJ

            Ahh, so for all the 16 external IPs I have (except the 3 used by the fw's and CARP), I set up an IP Alias to point at the CARP VIP?

            I had a feeling it had something to do with the fact that I'm trying to forward to addresses that aren't the actual WAN one, and was looking at issue 7 in the guide, but couldn't really wrap my head around it offhand. Thanks, I'll give that a whirl, appreciate it.

            Edit: Great! That fixed it. No more cranky users. Thanks for the ELI5 explanation.

            1 Reply Last reply Reply Quote 0
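
Added example, not part of the thread and not pfSense code: a small Python check for the condition resolved above, flagging a port forward whose destination address the firewall does not hold, and an IP Alias that is not stacked on the WAN CARP VIP. The `Vip`/`PortForward` model and `audit` function are hypothetical, and the 203.0.113.x addresses are constructed stand-ins for the thread's x.x.8.x range.

```python
import ipaddress
from dataclasses import dataclass

ip = ipaddress.ip_address

@dataclass(frozen=True)
class Vip:
    address: str   # the virtual IP
    mode: str      # "carp" or "ipalias"
    parent: str    # interface name, or the CARP VIP address it is stacked on

@dataclass(frozen=True)
class PortForward:
    dest: str      # external destination address of the NAT rule
    port: int
    target: str    # internal host

def audit(interface_ips, vips, forwards):
    """Return (dest, port, finding) for each forward that is misconfigured."""
    carp = {ip(v.address) for v in vips if v.mode == "carp"}
    by_addr = {ip(v.address): v for v in vips}
    held = {ip(a) for a in interface_ips} | set(by_addr)
    findings = []
    for f in forwards:
        dest = ip(f.dest)
        if dest not in held:
            # Firewall has no interface address or VIP for the destination.
            findings.append((f.dest, f.port, "no-vip"))
            continue
        vip = by_addr.get(dest)
        if vip and vip.mode == "ipalias":
            try:
                on_carp = ip(vip.parent) in carp
            except ValueError:      # parent is an interface name, not an address
                on_carp = False
            if not on_carp:
                findings.append((f.dest, f.port, "alias-not-on-carp"))
    return findings

# Constructed sample mirroring the thread (addresses are placeholders).
WAN_IPS = ["203.0.113.35"]                      # this node's own WAN address
CARP = Vip("203.0.113.34", "carp", "wan")       # shared WAN CARP VIP
FWD = [PortForward("203.0.113.42", 443, "192.168.27.15")]

BEFORE = audit(WAN_IPS, [CARP], FWD)
AFTER = audit(WAN_IPS, [CARP, Vip("203.0.113.42", "ipalias", "203.0.113.34")], FWD)
ON_IFACE = audit(WAN_IPS, [CARP, Vip("203.0.113.42", "ipalias", "wan")], FWD)

if __name__ == "__main__":
    print(BEFORE, AFTER, ON_IFACE)
```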