Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    problems with Virtual IP's and port forwarding

    Scheduled Pinned Locked Moved NAT
    4 Posts 4 Posters 587 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • L
      linuxpc4me
      last edited by

      hello All!

      Im flamboozled on using Virtual IP's and port forwarding. Here is an explanation of my system.

      If someone can see why I cannot access the server from outside I'd be very thankful.....

      framework of traffic flow:

      8 static public IP from suddenlink

      (example)
      208.180.145.111
      208.180.145.222
      208.180.145.333
      .444
      .555
      .666
      .777
      .888

      Using netgate sg4860 appliance
      208.180.145.111 is primary WAN

      LAN port is 192.168.2.1 /24 and Ipchicken shows 208.180.145.111 as IP

      I am using OPT1 for my server
      local address on OPT1 = 192.168.222.1 /24 ( to match 2nd public IP )

      The others are Virtual IP's
      Virtual IP's are constructed as:
      Type: IP Alias
      Interface: WAN
      Address type: single address /24

      Port Forward rules for the OPT1 server are:

      interface: WAN (also tried the VIP 208.180.145.222)
      Protocol: TCP (tried tcp/udp as well)
      Destination: WAN
      Destination Ports: other; 6660 TO 6669 (is chat server)
      Redirect target IP: 192.168.222.101 (IP of server chat software is on)
      Redirect target port: other 6660
      NAT reflection "use system default"
      Filter rule association: "add associated filter rule"

      I cannot connect to the chat server externally.
      Internally from the chat server I can ping anywhere and access web, but nothing gets in

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        You need to make sure that the answer the server sends leaves via the vip.. If you forward say .100 to your box but the answer comes from your .200 IP on the wan interface then most clients would not work.

        Simple sniff would for starts show you the traffic gets to your wan interface on the vip. And then sniff on your opt to make sure pfsense sends it on and your server answers.

        Then validate where your answer is leaving your wan from the native IP or your vip.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • S
          SteveITS Galactic Empire
          last edited by

          You need to make sure that the answer the server sends leaves via the vip

          This is done via Firewall/NAT/Outbound. Create a manual rule like:
          source: 192.168.222.101/32
          NAT address: 208.180.145.111

          Then the default rule for 192.168.222.0/24 with NAT address of "WAN address" is below that and will pick up all other PCs for the "normal" WAN IP.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          1 Reply Last reply Reply Quote 0
          • KOMK
            KOM
            last edited by

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.