NAT Port Forwarding to VLANs



  • I need some help, I am going nuts. Basically I have the following setup:

    pfSense on an ESXi host with 2 VLANs

    WAN IP: 81.10.10.10 (example)

    Customer 1 Vlan 10 – 192.168.10.1/24
    Customer 2 Vlan 20 – 192.168.20.1/24

    The problem I have is I am unable to NAT / port forward to VLAN 10, to a device which has IP address 192.168.10.5, port 5060. I've tried everything and messed around with the firewall rules too, just can't get it working. Anyone point me in the right direction please?

  • Thanks, let me read through this. If I fail I'll post things in detail with screenshots etc. Thanks

  • I'm sorry but I seem to have other issues now: my clients connected to VLAN 10 are not getting a DHCP IP address. I must be doing something dumb, you guys must hate newbies  ;D

    I am using a VMware ESXi 6.0 server set up as per screenshot

    ![esxi setup.jpg](/public/imported_attachments/1/esxi setup.jpg)

  • I'm no VLAN expert, but aren't you typically supposed to bond your VLANs to your LAN NIC?  Yours appears to be associated with your WAN NIC.  Next, I don't think you're supposed to use 4095 as a VLAN ID unless it's a trunk port.  Lastly, you showed screens of your LAN rules, but the critical info is in your WAN rules and NAT port forward.  Post those, with any public details sanitized before you post.
  • See, the thing is I am building an ESXi box which will be used for colocation in a datacenter, so I'll have 1 WAN network link. This ESXi server will be an all-in-one box with firewall and hosted VMs.

    pfSense VM NICs are set up as:

    NIC 1 - WAN
    NIC 2 - LAN (I was under the impression this needs to be all VLAN trunk port)

    Once this box goes into the datacenter I'll just have one WAN network.

    It's pretty much a fresh install and I haven't messed about with it too much.

    What I can't figure out is why any clients on the customer1 network are not getting internet or a DHCP IP address. Just checked LAN1: getting an IP from DHCP but no internet, can't ping 8.8.8.8, however I can ping the gateway of 192.168.1.1. I feel like a retard  ;D

    ![wan rules.jpg](/public/imported_attachments/1/wan rules.jpg)
    ![Port Forwarding.jpg](/public/imported_attachments/1/Port Forwarding.jpg)

    ![pfsense LAN - all vlans.jpg](/public/imported_attachments/1/pfsense LAN - all vlans.jpg)

  • OK so you deleted your port forwards and now you have nothing, but that's OK since you need to get basic connectivity working first.  I notice that CUSTOMER1, which is on VLAN10 (172.16.11.1/24), is being served 192.168.10.x IP addresses from your DHCP pool.

    While this is a case of the blind leading the blind, I'll try to free up some time to try this myself with a similar config to yours.
  • Sorry, I should have updated the original post first. I did a reset to factory defaults so I could start from scratch with a clean install and with the basics from the ground up.

    It's been configured now as follows:

    LAN default 192.168.1.1/24

    Customer 1 Vlan 10 – 192.168.10.1/24

    I have only the two networks set up now, just want to get a grip of the basics, then I can add more customer networks. This is to avoid any confusion.

  • OK, I was wrong about assigning ID 4095 to ESXi.  I'm going to spin up a new ESXi 6U2 server since I don't want to hose my production stuff.  I'll play with it and get back to you for sure because this is something that also interests me.
  • What an idiot I am !!!! Just noticed I have set up customer1 on the WAN interface, which is wrong! Hence the reason I had no DHCP from it.

    I think I've sorted the basics, now I am moving back to this port forwarding to VLAN 1

    ![wrong nic.jpg](/public/imported_attachments/1/wrong nic.jpg)

  • Good news!  OK, give it a go and see if you can get a port forward working.  Post back if you can't.
  • Some good news: I have got NAT working on a flat network with WAN and LAN without VLANs. I followed a guide; the main issue I think I was having was that the outbound NAT generation needed to be turned to manual with port preservation, and a setting added (it explains it well in the link below)

    http://www.3cx.com/blog/voip-howto/pfsense-firewall/

    Going to test this next on a few customer vlans see if works as it should.
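What the working setup from the post above amounts to, written out in FreeBSD pf syntax (the rule language pfSense generates from its GUI). This is an added illustration, not configuration from the thread or from the pfSense project: the WAN interface name em0 is an assumption, the addresses are the example values used in the thread, and the static-port mapping is deliberately narrowed to the SIP host rather than the whole subnet.

```pf
# Added example in FreeBSD pf syntax (what pfSense generates from its GUI).
# Not from the thread or the pfSense project; "em0" as the WAN interface name is an
# assumption, the addresses are the example values used in the thread.
ext_if    = "em0"
wan_ip    = "81.10.10.10"
cust1_net = "192.168.10.0/24"
pbx       = "192.168.10.5"

# Outbound NAT with source-port preservation ("Static Port" in the pfSense outbound NAT
# GUI), limited to the PBX's SIP signalling. Translation rules are first-match, so this
# must come before the general rule; every other host keeps randomised source ports.
nat on $ext_if inet proto udp from $pbx to any port 5060 -> $wan_ip static-port
nat on $ext_if inet from $cust1_net to any -> $wan_ip

# Weaker equivalent: static-port for the whole customer VLAN. Avoid it, since it
# disables source-port randomisation for every host behind the firewall.
# nat on $ext_if inet from $cust1_net to any -> $wan_ip static-port

# Inbound port forward (pfSense "Firewall / NAT / Port Forward"): SIP on the WAN
# address to the PBX on VLAN 10.
rdr on $ext_if inet proto udp from any to $wan_ip port 5060 -> $pbx port 5060

# Filter rule the forward needs (pfSense creates it when the forward's "Filter rule
# association" is left on). Narrow "from any" to the SIP provider's addresses where known.
pass in quick on $ext_if inet proto udp from any to $pbx port 5060 keep state
```

On the pfSense shell, `pfctl -sn` lists the translation rules actually loaded and `pfctl -ss` shows the state table, which is how to confirm that the rdr rule is being hit for traffic arriving on port 5060.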
  • You might want to go to Hybrid on your NAT/outbound….