  • I am trying to port forward a static IP to an internal IP which hosts a Speco DVR.  The external IP is provided by the local cable internet provider in the form of a static IP from a /24 masked group, the gateway for which is the same as the gateway for my main/internet external IP (on the provider's side/network).  Edit: using the latest version of pfSense and a cable modem (Motorola).

    I have set up a nat pointing at the internal ip with the correct port number, this works fine inside my network and I can use the external ip for setups/use.  I started with pure nat then switched to nat+proxy so that I could connect from other internal networks which aren't in the same mask.

    Problem starts here…

    No matter how I configure the port forward, I cannot get connected to the DVR from outside the internal network.  Please let me know if I need to provide additional information but I have no idea what to try next.  I have checked and made sure the port is open and connected to the correct IP (oddly enough it was only recognized as being open 75% of the time.... with a network port scan.  My provider is.... grr, anyway I can open the IP to pings and get 25% of pings through... no idea if this is related to my problems).  I have tried using VIP with the external IP that I was assigned, it doesn't seem to make a difference, not completely sure what the VIP is really for so I may have configured it incorrectly but the basic settings are correct.

    Waiting for feedback, thanks!

  • I did some further testing and can open up pings to my public ip, x.x.x.12 and ping it reliably from a nearby location however I can't open up pings to my 2nd public ip x.x.x.16 even though I go through the same steps.  Any tips on associating the 2nd public ip with pfsense for port forwarding?  I have tried the Virtual IP option and the Carp IP option, no success with either of them.  Thanks!

  • I tested the port forward with my WAN public IP in pfsense and everything worked as expected.  However, I need it to work with my secondary public IP address.  I know the IP works since I originally had it directly assigned to the DVR with a vlan connection to the router.

    Any ideas?  I currently have the 2nd IP assigned as a VIP in pfSense but am not seeing any difference from having no VIP assigned.  It honestly feels like the traffic isn't getting to the router in the beginning… I did a port scan and now no ports are open on the 2nd IP, even though they are open in pfSense.

  • LAYER 8 Netgate

    Packet capture on WAN for all traffic to the VIP address and attempt a connection. If it is not arriving there is nothing pfSense can do and you need to talk to the ISP.

    You can test the other way by pinging something on the internet (start with the ISP gateway) and selecting the VIP as the source address there.
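
Added example (not part of the original thread, and not pfSense or Netgate code): a sketch of reading the WAN capture suggested above, assuming it was saved as `tcpdump -n` text output. The function name `classify_capture`, the verdict strings, port 8000 and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration.

```python
import re

# IPv4 lines from `tcpdump -n`, with or without ports, e.g.
# "12:00:01.1 IP 198.51.100.7.51514 > 203.0.113.16.8000: Flags [S], ..."
IP_LINE = re.compile(
    r"\bIP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:")
ARP_REQ = re.compile(r"\bARP, Request who-has (\d+\.\d+\.\d+\.\d+)\b")
ARP_REP = re.compile(r"\bARP, Reply (\d+\.\d+\.\d+\.\d+) is-at\b")

def classify_capture(lines, vip):
    """Return (verdict, counts) for traffic involving `vip` in a WAN capture."""
    counts = {"inbound": 0, "outbound": 0, "arp_request": 0, "arp_reply": 0}
    for line in lines:
        m = IP_LINE.search(line)
        if m:
            src, dst = m.groups()
            if dst == vip:
                counts["inbound"] += 1
            elif src == vip:
                counts["outbound"] += 1
            continue
        m = ARP_REQ.search(line)
        if m and m.group(1) == vip:
            counts["arp_request"] += 1   # upstream is trying to resolve the VIP
            continue
        m = ARP_REP.search(line)
        if m and m.group(1) == vip:
            counts["arp_reply"] += 1     # something on the segment answered for it
    if counts["inbound"] == 0:
        verdict = "not_arriving"         # nothing reached WAN: an ISP-side matter
    elif counts["outbound"] == 0:
        verdict = "arriving_no_reply"    # reached WAN: check VIP, NAT and rules
    else:
        verdict = "replied"              # both directions seen on WAN
    return verdict, counts

# Constructed sample captures (documentation address ranges, not real data).
SAMPLE_WORKING = [
    "12:00:00.10 ARP, Request who-has 203.0.113.16 tell 203.0.113.1, length 46",
    "12:00:00.11 ARP, Reply 203.0.113.16 is-at 00:00:5e:00:53:01, length 28",
    "12:00:00.20 IP 198.51.100.7.51514 > 203.0.113.16.8000: Flags [S], seq 1, length 0",
    "12:00:00.21 IP 203.0.113.16.8000 > 198.51.100.7.51514: Flags [S.], seq 9, ack 2, length 0",
]
SAMPLE_SILENT = [  # only traffic for the main WAN address shows up
    "12:00:05.00 IP 198.51.100.7 > 203.0.113.12: ICMP echo request, id 1, seq 1, length 64",
    "12:00:05.01 IP 203.0.113.12 > 198.51.100.7: ICMP echo reply, id 1, seq 1, length 64",
]

if __name__ == "__main__":
    for name, cap in (("working", SAMPLE_WORKING), ("silent", SAMPLE_SILENT)):
        print(name, classify_capture(cap, "203.0.113.16"))
```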

  • Thanks for your help, I tried pinging out from the firewall to "".  I had no issues pinging from WAN with 100% success rate.  However any additional IPs all failed their first ping repeatedly and occasionally worked on the later pings.  Rough numbers are 75% failure for the first 4 pings and 50-60% failure for the first 10 pings, these results were repeatable over several different tests and different static IPs that aren't part of my WAN address.

    Any ideas based on that?  I am going to restart my modem, retest and then contact my ISP.

  • LAYER 8 Netgate

    Packet capture and see what's really going on. Sounds like the ISP is a little broken though.

  • I am still having some issues with packet lag and loss.  However I can now access the IPs as desired and the packet loss is down to acceptable levels.  I had to call my ISP and get the static IPs directly assigned to the router's MAC address.  Thanks for the help!

  • LAYER 8 Global Moderator

    "packet loss is down to acceptable levels. "

    What do you consider acceptable?  Just curious - so zero? ;)

