Netgate Discussion Forum
    Unable to configure NAT forwarding rule correctly

analbeard:

I'm unable to get traffic to NAT correctly through to an internal IP behind my firewall. I've attached a screenshot of the relevant NAT rule and below are the troubleshooting/diagnostic steps I've carried out. I've also been through the port forward troubleshooting page and as far as I'm concerned I've set everything up correctly.

Testing from a remote location:

```
$ telnet test.domain.com 30000
Trying 86.x.x.x...
telnet: connect to address 86.x.x.x: Connection refused
```

Packet capture shows inbound traffic:

```
05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0
05:37:43.325328 IP 77.x.x.x.51192 > 86.x.x.x.32401: tcp 0
05:37:43.567784 IP 77.x.x.x.51194 > 86.x.x.x.32401: tcp 0
05:37:55.798586 IP 77.x.x.x.51198 > 86.x.x.x.32401: tcp 0
05:37:56.048889 IP 77.x.x.x.51199 > 86.x.x.x.32401: tcp 0
```

Firewall logs show it being dropped:

```
Aug 10 05:20:50 	WAN 	77.x.x.x:51179		86.x.x.x:30000		TCP:SEC
Aug 10 05:20:50 	WAN 	77.x.x.x:51180		86.x.x.x:30000		TCP:SEC
Aug 10 05:20:56 	WAN 	77.x.x.x:51178		86.x.x.x:30000		TCP:S
Aug 10 05:20:56 	WAN 	77.x.x.x:51179		86.x.x.x:30000		TCP:S
```

The port is open from the firewall:

```
# telnet 10.101.0.30 443
Trying 10.101.0.30...
Connected to 10.101.0.30.
Escape character is '^]'.
```

![2017-08-10-060550_1920x1080_scrot.jpg](/public/_imported_attachments_/1/2017-08-10-060550_1920x1080_scrot.jpg)
johnpoz (LAYER 8 Global Moderator):

"05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0"

That is not traffic to your 30000 port you said you forwarded.

But then you do show drops to 30000, but I cannot tell when you did what, so for all we know you edited the forward? Please post a screenshot of your firewall WAN rules.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

analbeard:

Apologies, you are indeed correct - I had changed the port but pasted the wrong packet capture output. Either way, the traffic is hitting the WAN interface on 30000 and then being dropped.

I've attached my WAN rules as requested - they're a little messy as I'm fairly new to pfSense, but there aren't too many of them.

Thanks!

Attachment: 2017-08-10-170727_1920x1080_scrot.jpg

johnpoz (LAYER 8 Global Moderator):

So is your alias correct? Look in your table to see that it has your IP. But the rule you posted was to the IP, not to the alias.

analbeard:

@johnpoz:

> and there is no firewall rule for 30000 on there, so yeah it's going to be dropped!!! As it should be.

OK, so my understanding from the port forwarding docs is that if I create the NAT rule and leave the 'create associated filter rule' box ticked, then that should be sufficient:

'When adding a port forward, a firewall rule must also be added to allow traffic in to the internal IP address designated by the port forward. There is an option to automatically add this rule when creating a port forward definition, and it is enabled by default.'

The auto-added rule is second from bottom.

analbeard:

Additionally, the rule you can see for 8123 was created exactly the same way and it works perfectly when tested from an external source.

analbeard:

@johnpoz:

> So is your alias correct? Look in your table to see that it has your IP. But the rule you posted was to the IP, not to the alias.

The alias definitely points to the correct IP, but just for troubleshooting's sake I changed the NAT rule to use the IP instead of the alias and now it works. :-\

I've attached my alias table.

This smells like a bug to me.

Attachment: 2017-08-10-174427_1920x1080_scrot.jpg

analbeard:

OK, I've since done some more digging and uncovered what I think is probably the root cause of the issue. I changed the NAT rule to listen externally on 443 as this was my ultimate goal and I could then see traffic being dropped again (all I'd changed is the port). I then manually ran a filter reload and traffic started passing - it seems updating a NAT rule doesn't update the corresponding filter rule. Is this the expected behaviour?

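Two things in this thread are worth being able to check mechanically rather than by eye: johnpoz's first observation (the capture showed connections to a port that no forward covers, 32401 rather than 30000), and the root-cause theory in the post above (a port forward whose associated filter rule is missing or no longer matches the forward's target). The script below is an added example and is not code from the thread or from pfSense. It parses firewall-log lines and tcpdump lines in the formats pasted above, reads a config.xml fragment, and reports forwards whose associated filter rule is absent or stale and destination ports in the evidence that nothing forwards. The config fragment is constructed for the example, and the element names used for it (nat/rule, target, local-port, filter/rule, associated-rule-id) are my assumption about pfSense's config.xml layout; the address/port values are likewise constructed, not the poster's.

```python
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment (assumption about pfSense's layout, not an export
# from the poster's firewall). Forward a has a consistent associated filter rule,
# forward b's filter rule has a stale port, and forward c has no filter rule at all.
SAMPLE_CONFIG = """<pfsense>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>30000</port></destination>
      <target>10.101.0.30</target><local-port>443</local-port>
      <associated-rule-id>nat_example_a</associated-rule-id></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>8123</port></destination>
      <target>10.101.0.31</target><local-port>8123</local-port>
      <associated-rule-id>nat_example_b</associated-rule-id></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><network>wanip</network><port>30001</port></destination>
      <target>10.101.0.32</target><local-port>22</local-port>
      <associated-rule-id>nat_example_c</associated-rule-id></rule>
  </nat>
  <filter>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>10.101.0.30</address><port>443</port></destination>
      <associated-rule-id>nat_example_a</associated-rule-id></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
      <destination><address>10.101.0.31</address><port>8000</port></destination>
      <associated-rule-id>nat_example_b</associated-rule-id></rule>
  </filter>
</pfsense>"""

# Sample evidence in the two formats pasted in the thread (addresses masked as there).
SAMPLE_FWLOG = [
    "Aug 10 05:20:50 \tWAN \t77.x.x.x:51179\t\t86.x.x.x:30000\t\tTCP:SEC",
    "Aug 10 05:20:56 \tWAN \t77.x.x.x:51178\t\t86.x.x.x:30000\t\tTCP:S",
]
SAMPLE_CAPTURE = [
    "05:37:43.325238 IP 77.x.x.x.51193 > 86.x.x.x.32401: tcp 0",
    "05:37:55.798586 IP 77.x.x.x.51198 > 86.x.x.x.32401: tcp 0",
]

# pfSense firewall log line: "<date> <time> <iface> <src>:<sport> <dst>:<dport> <proto:flags>"
FWLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<iface>\S+)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+(?P<dst>\S+):(?P<dport>\d+)\s+(?P<proto>\S+)"
)
# tcpdump line: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
TCPDUMP = re.compile(r"^(?P<ts>[\d:.]+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+):")


def dst_ports(lines):
    """Destination ports from firewall-log or tcpdump lines; unparseable lines are skipped."""
    ports = []
    for line in lines:
        m = FWLOG.match(line.strip()) or TCPDUMP.match(line.strip())
        if m:
            ports.append(int(m.group("dport")))
    return ports


def load_forwards(config_xml):
    """Return (nat_rules, filter_rules_by_associated_id) from a config.xml string."""
    root = ET.fromstring(config_xml)
    nat_rules = [{
        "ext_port": r.findtext("destination/port"),
        "target": r.findtext("target"),
        "local_port": r.findtext("local-port"),
        "assoc": r.findtext("associated-rule-id"),
    } for r in root.findall("./nat/rule")]
    filters = {}
    for r in root.findall("./filter/rule"):
        assoc = r.findtext("associated-rule-id")
        if assoc:
            filters[assoc] = {"address": r.findtext("destination/address"),
                              "port": r.findtext("destination/port")}
    return nat_rules, filters


def check_forwards(config_xml):
    """List (external port, reason) for each forward whose associated filter rule is missing or stale."""
    nat_rules, filters = load_forwards(config_xml)
    findings = []
    for n in nat_rules:
        f = filters.get(n["assoc"])
        if f is None:
            findings.append((n["ext_port"], "no associated filter rule; inbound traffic will be dropped"))
        elif (f["address"], f["port"]) != (n["target"], n["local_port"]):
            findings.append((n["ext_port"], f"filter rule allows {f['address']}:{f['port']} "
                                            f"but forward targets {n['target']}:{n['local_port']}"))
    return findings


def unforwarded_ports(lines, config_xml):
    """Destination ports seen in the evidence that no NAT rule forwards (johnpoz's 32401 point)."""
    nat_rules, _ = load_forwards(config_xml)
    forwarded = {int(n["ext_port"]) for n in nat_rules if n["ext_port"]}
    return {p for p in dst_ports(lines) if p not in forwarded}


if __name__ == "__main__":
    for port, why in check_forwards(SAMPLE_CONFIG):
        print(f"external port {port}: {why}")
    print("capture ports with no forward:", unforwarded_ports(SAMPLE_CAPTURE, SAMPLE_CONFIG))
    print("log ports with no forward:", unforwarded_ports(SAMPLE_FWLOG, SAMPLE_CONFIG))
```

Run against a real backup, the "no associated filter rule" finding corresponds to the drops johnpoz described (no WAN rule for the port), and the "stale" finding to the state the poster saw after editing a forward and before the filter reload; an empty result from `unforwarded_ports` on the capture is the quick way to confirm the capture actually shows traffic to the port being debugged.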
johnpoz (LAYER 8 Global Moderator):

I have never seen NAT not update the firewall rules or reload the filters. You can look in the log and see the filter reload.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.