Public IP from LAN Issues

  • Hi guys,

    First off, thanks for this great product. Other than a couple of minor issues it performs beautifully, and the quality of the product is apparent!

    We set up 1.2.1 today using the LiveCD to test out the product for replacing the Ubuntu / Shorewall system I built a while back. We managed to solve all issues except for one…

    We have 5 public IPs and set 4 of them up as virtual CARP IPs and also on 1:1 NAT. We want to be able to access our servers using the public URLs, which works for all servers except for the FTP server. When I go to from inside the network it just times out - not even an auth prompt. Using an FTP client like FileZilla doesn't work either. It works fine from the outside, so the 1:1 NAT and rules are working. Now, the strange part is, on that same server we have a web server on port 80, and that will work from inside the LAN using the public IP just fine. I really don't understand how one could work and not the other.

    I tried enabling / disabling the userland proxy many times to see if that was the problem, and that had no effect. I am not sure if I stumbled on a bug in pfSense or if I just don't know how to do this properly.

    Any suggestions or info would be appreciated.


  • I did see this post and read it, but I don't think this will help. It says 1:1 doesn't work with reflection, but that isn't true - it is working for everything except FTP. I added NAT rules that should work, but it doesn't. This seems like a bug in the system to me.

    Do you have any suggestions on how to get FTP to work with 1:1 NAT and reflection?


  • I'm not sure why it works at your place. Maybe you've configured more than just the 1:1 NAT.
    But 1:1 NAT definitely does not work with NAT reflection.

    I would setup split DNS since you're accessing the servers via the name and not the IP.

    If you have problems with FTP I can only suggest:

    1: Disable the FTP helper on all interfaces.
    2: Define a port range on your FTP server for the data transfer.
    3: Forward port 21 and your data-transfer range to your server.

    Also, I wouldn't bother with 1:1 NAT and would only use normal port forwards and aliases.
    –> NAT reflection will work.

    You can create an alias for each server and define what ports you want to use on it.
    Use this alias in the port-forward rule and the firewall rule.
