Unable to configure NAT forwarding rule correctly

  • I'm unable to get traffic to NAT correctly through to an internal IP behind my firewall. I've attached a screenshot of the relevant NAT rule and below are the troubleshooting/diagnostic steps I've carried out. I've also been through the port forward troubleshooting page and as far as I'm concerned I've set everything up correctly.

    Testing from a remote location:

    $ telnet test.domain.com 30000
    Trying 86.x.x.x...
    telnet: connect to address 86.x.x.x: Connection refused

    Packet capture shows inbound traffic:

    05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0
    05:37:43.325328 IP 77.x.x.x.51192 > 86.x.x.x.32401: tcp 0
    05:37:43.567784 IP 77.x.x.x.51194 > 86.x.x.x.32401: tcp 0
    05:37:55.798586 IP 77.x.x.x.51198 > 86.x.x.x.32401: tcp 0
    05:37:56.048889 IP 77.x.x.x.51199 > 86.x.x.x.32401: tcp 0

    Firewall logs show it being dropped:

    Aug 10 05:20:50 	WAN 	77.x.x.x:51179		86.x.x.x:30000		TCP:SEC
    Aug 10 05:20:50 	WAN 	77.x.x.x:51180		86.x.x.x:30000		TCP:SEC
    Aug 10 05:20:56 	WAN 	77.x.x.x:51178		86.x.x.x:30000		TCP:S
    Aug 10 05:20:56 	WAN 	77.x.x.x:51179		86.x.x.x:30000		TCP:S

    The port is open from the firewall:

    # telnet 443
    Connected to
    Escape character is '^]'.

  • LAYER 8 Global Moderator

    "05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0"

    That is not traffic to your 30000 port you said you forwarded..

    But then you do show drops to 30000 but cannot tell when you did what, so for all we know you edited the forward?  Please post a screenshot of your firewall WAN rules

  • Apologies, you are indeed correct - I had changed the port but pasted the wrong packet capture output. Either way, the traffic is hitting the WAN interface on 30000 and then being dropped.

    I've attached my WAN rules as requested - they're a little messy as I'm fairly new to pfSense, but there aren't too many of them.


  • LAYER 8 Global Moderator

    so is your alias correct?  Look in your table to see that it has your IP.. But your rule you posted was to IP not to alias.

  • @johnpoz:

    and there is no firewall rule for 30000 on there so yeah it's going to be dropped!!! As it should be..

    OK, so my understanding from the port forwarding docs is that if I create the NAT rule and leave the 'create associated filter rule' box ticked, then that should be sufficient:

    'When adding a port forward, a firewall rule must also be added to allow traffic in to the internal IP address designated by the port forward. There is an option to automatically add this rule when creating a port forward definition, and it is enabled by default.'.

    The auto-added rule is second from bottom.

  • Additionally, the rule you can see for 8123 was created exactly the same way and it works perfectly when tested from an external source.

  • @johnpoz:

    so is your alias correct?  Look in your table to see that it has your IP.. But your rule you posted was to IP not to alias.

    The alias definitely points to the correct IP, but just for troubleshooting's sake I changed the NAT rule to use the IP instead of the alias and now it works.  :-\

    I've attached my alias table.

    This smells like a bug to me.

  • OK, I've since done some more digging and uncovered what I think is probably the root cause of the issue. I changed the NAT rule to listen externally on 443 as this was my ultimate goal and I could then see traffic being dropped again (all I'd changed is the port). I then manually ran a filter reload and traffic started passing - it seems updating a NAT rule doesn't update the corresponding filter rule. Is this the expected behaviour?

  • LAYER 8 Global Moderator

    I have never seen nat not update the firewall rules or reload the filters.. You can look in the log and see the filter reload.
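The first two posts turn on a detail that is easy to miss by eye: the capture showed traffic to 32401 while the forward and the blocked-log entries were for 30000. As an added example (not code from the thread or from pfSense), the small correlator below reads the two log formats shown above, counts inbound packets and blocked connections per destination port, and reports which of the three situations applies. The sample lines are constructed and redacted like the posts; the pfSense log columns are assumed to be whitespace-separated as rendered here.

```python
from collections import Counter

# Constructed sample lines in the formats quoted in the thread (tcpdump on the
# WAN, then the pfSense firewall log); public addresses redacted as in the posts.
CAPTURE = """\
05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0
05:37:43.325328 IP 77.x.x.x.51192 > 86.x.x.x.32401: tcp 0
05:37:55.798586 IP 77.x.x.x.51198 > 86.x.x.x.30000: tcp 0
"""
FWLOG = """\
Aug 10 05:20:50 \tWAN \t77.x.x.x:51179\t\t86.x.x.x:30000\t\tTCP:S
Aug 10 05:20:56 \tWAN \t77.x.x.x:51178\t\t86.x.x.x:30000\t\tTCP:S
"""

def capture_ports(text):
    """Count packets per destination TCP port in tcpdump-style lines."""
    counts = Counter()
    for line in text.splitlines():
        t = line.split()                      # ts, IP, src.port, >, dst.port:, tcp, len
        if len(t) >= 6 and t[1] == "IP" and t[3] == ">":
            counts[int(t[4].rstrip(":").rsplit(".", 1)[1])] += 1
    return counts

def blocked_ports(text, iface="WAN"):
    """Count blocked TCP connections per destination port in firewall-log lines."""
    counts = Counter()
    for line in text.splitlines():
        t = line.split()                      # Mon, day, time, iface, src:port, dst:port, TCP:flags
        if len(t) >= 7 and t[3] == iface and t[6].startswith("TCP:"):
            counts[int(t[5].rsplit(":", 1)[1])] += 1
    return counts

def diagnose(forward_port, capture, fwlog):
    """Return (status, detail) for the port the NAT rule is supposed to forward."""
    seen, blocked = capture_ports(capture), blocked_ports(fwlog)
    if seen[forward_port] == 0:
        others = ", ".join(str(p) for p in sorted(seen))
        return "not-arriving", f"no packets to {forward_port}; capture shows ports {others}"
    if blocked[forward_port]:
        return "blocked", (f"{blocked[forward_port]} connections to {forward_port} blocked on WAN: "
                           "check the associated filter rule / alias and reload the filter")
    return "passed", f"{seen[forward_port]} packets to {forward_port} arrived and none were blocked"
```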
