Port forwarding Public IP to a private IP on a VLAN



  • I am having an issue port forwarding a public IP 60.X.X.110 to a PC on a VLAN IP 10.16.0.107

    I have 2 pfSense boxes configured with CARP.

    I have 1 single WAN interface on each with IPs 60.X.X.194 and 60.X.X.195 (Shared Virtual WAN IP of 60.X.X.197)

    I have each public network range on a separate Interface (using 3 addresses for the 2 x firewall addresses and 1 for CARP VIP)

    I have a LAGG with a couple of VLANs set up. VLAN16 has 10.16.0.2, 10.16.0.3 as the 2 firewall addresses and 10.16.0.1 as the CARP IP.
    All my public ranges are /28s and my 10.X.X.X ranges are /24 ranges.

    I want to port forward traffic coming into 60.X.X.110 on port 3389 to a machine on the VLAN16 subnet on address 10.16.0.107

    I have followed a bunch of tutorials, forum posts and reddit posts, but am unable to get the port forward to work. I have port forwarding working for other public IPs to my non-VLAN'd network.

    If anyone could help that would be greatly appreciated.


  • Rebel Alliance Global Moderator

    VLANs have nothing to do with port forwarding.  pfSense doesn't care either way, be it native or tagged, etc..

    Follow the started port forwarding troubleshooting guide.. This really is 10 seconds to figure out where the problem is.

    Validate the traffic gets to the IP you set up the forward on.. Validate the traffic goes out the LAN side, be it native or VLAN interface.. Does the downstream IP answer?  Maybe it's running a firewall, maybe it's not listening.  Maybe - very common problem - is that Windows out of the box is not going to let you RDP to it from a non-local network. etc..

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Happy to help you figure out what your root problem is - but without screenshots showing your forwards and sniffs showing the traffic, etc. it's impossible for anyone to help you figure out what you're doing wrong.

    Another common issue is the downstream isn't even using pfSense as its gateway, etc.  There are many a common issue users mess up - But none of the info given has really anything to do with getting to the problem you're seeing.

    Step 1, does the traffic even get to the IP on pfSense, so it can forward it.
    Step 2, does pfSense actually forward it

    The only step here where it could be a pfSense problem is step 2.. If you have step 1, but not step 2, then you need to validate your forward setup on pfSense..
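    The two steps above (plus the "does the downstream IP answer?" check) can be applied mechanically to packet captures taken on the WAN and on the VLAN16 interface. The following is an added example, not code from the thread or from pfSense: it parses tcpdump-style text lines and reports which step fails. The capture lines are constructed, and 203.0.113.110 / 198.51.100.5 are documentation-range placeholders standing in for the poster's 60.X.X.110 and a remote client.

```python
import re

# Constructed tcpdump-style output (not from the thread). 203.0.113.110 stands in for
# the poster's public IP 60.X.X.110; 198.51.100.5 is an arbitrary Internet client.
WAN_CAPTURE = """\
12:00:01.000001 IP 198.51.100.5.51234 > 203.0.113.110.3389: Flags [S], seq 1, win 64240, length 0
12:00:02.000001 IP 198.51.100.5.51234 > 203.0.113.110.3389: Flags [S], seq 1, win 64240, length 0
"""
VLAN_CAPTURE = """\
12:00:01.000123 IP 198.51.100.5.51234 > 10.16.0.107.3389: Flags [S], seq 1, win 64240, length 0
12:00:02.000123 IP 198.51.100.5.51234 > 10.16.0.107.3389: Flags [S], seq 1, win 64240, length 0
"""

# Matches "IP src.sport > dst.dport: Flags [..]" as tcpdump prints it for TCP.
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def parse(capture):
    """Yield (src, sport, dst, dport, flags) for each TCP line in the capture text."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def diagnose(wan_capture, vlan_capture, public_ip, internal_ip, port):
    """Step 1: a SYN for public_ip:port is seen on WAN. Step 2: the same SYN appears on
    the VLAN interface, rewritten to internal_ip. Then: did the host send a SYN-ACK?
    Returns (step1, step2, answered, where_to_look)."""
    wan = list(parse(wan_capture))
    lan = list(parse(vlan_capture))
    step1 = any(d == public_ip and dp == port and f == "S" for _, _, d, dp, f in wan)
    step2 = any(d == internal_ip and dp == port and f == "S" for _, _, d, dp, f in lan)
    answered = any(s == internal_ip and sp == port and f == "S." for s, sp, _, _, f in lan)
    if not step1:
        where = "upstream: packets never reach the public IP on pfSense"
    elif not step2:
        where = "pfSense: NAT rule or its WAN firewall rule is not matching"
    elif not answered:
        where = "host: not listening, host firewall blocking, or gateway is not pfSense"
    else:
        where = "forward works at the packet level"
    return step1, step2, answered, where

if __name__ == "__main__":
    # With the constructed captures the SYN is forwarded but never answered.
    print(diagnose(WAN_CAPTURE, VLAN_CAPTURE, "203.0.113.110", "10.16.0.107", 3389))
```

    Real input comes from `tcpdump -ni <wan_if> host <public_ip> and port 3389` and the same filter for the internal address on the VLAN interface; the constructed case reproduces a forward that works but a host that does not answer.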



  • Thanks for your help.

    The machine is listening on 3389, because I also have IPSEC tunnels working from a remote site and I can remote in to the machine from the remote network using the 10.16.0.107 address. But I need it to be internet accessible as well.

    Please see attached NAT, outbound NAT rule and firewall rule on WAN interface.

    When I watch the firewall logs and try to RDP to the machine on the public IP, I see no dropped packets in the firewall logs.

    ![NAT rule.PNG](/public/imported_attachments/1/NAT rule.PNG)
    ![Outbound NAT.PNG](/public/imported_attachments/1/Outbound NAT.PNG)
    ![Firewall Rule on WAN.PNG](/public/imported_attachments/1/Firewall Rule on WAN.PNG)



  • Nevermind… something happened on the Windows box and I had allowed RDP through the Windows firewall previously for "Work" networks, but now it's identifying as public.