NAT Port-Forwarding



  • Hey Guys
    I have a question about setting the NAT.
    My lab is in ESXi, I have two client OS and one pfSense.
    The pfSense WAN IP 10.10.10.1 & LAN IP 192.168.1.1
    Client OS Win7 (192.168.1.2), Win2008 (192.168.1.3)
    In my reality I can connect to the pfSense WAN IP to do the setting.
    So my problem is: how can I use the NAT Port Forwarding to link to the Intranet Web Service?
    My Setting
    [screenshot: 0_1531474419048_0106bb19-84e4-456d-a76f-839bdfc10dd3-image.png]
    Is something wrong? I'm confused setting the port number .......



  • The source should be "any". Only the destination is the WAN address.

    In addition, go to 'System > Advanced > Admin Access', set an alternative TCP port for the web GUI, and check "Disable webConfigurator redirect rule" to avoid packets to ports 80 and 443 being snatched by pfSense.



  • Source port range HTTP, that's your error. This condition will never be satisfied because the client will be using a randomized TCP source port as per the TCP standard. Leave the source port range empty, and in general you shouldn't touch advanced options until you have a substantially better understanding of how TCP/IP works.





  • @kpa
    Hi Sir, I don't understand "This condition will never be satisfied because the client will be using a randomized TCP source port as per the TCP standard".
    The IP of my Win7 client is static.


  • Netgate

    Because when a node makes a connection it will randomly choose an ephemeral port to source the connection from - generally between 1024 and 65535. The destination port is HTTP (80).

    By setting a source port on your rules, the rule will only match if the source and destination ports are both 80. 80 cannot be a source port - ever - because the ephemeral source ports start at 1024.

    You had to click advanced, then ignore this: "Specify the source port or port range for this rule. This is usually random and almost never equal to the destination port range (and should usually be 'any'). The 'to' field may be left empty if only filtering a single port." to get where you are right now - broken.



  • @chieh said in NAT Port-Forwarding:

    The ip of my Win7 client is static.

    A TCP port (e.g. port 80 / HTTP) is something completely different from an IPv4 address.



  • Dear all, these are some questions I'm confused about.

    I understand the web of the client is on port 80, so I changed the port of my pfSense WAN port to 9443.
    Is it wrong?

    And you say that the NAT protocol port of pfSense is random, so I can't set a specific port for my lab?


  • Netgate

    JUST DON'T SET A SOURCE PORT RANGE IN YOUR PORT FORWARD! CHANGE THEM TO ANY!



  • It's not that difficult...

    [screenshot: 0_1531869228892_NAT HTTP to local host.png]



  • It seems not difficult, but I tried it. It doesn't work either.
    [screenshot: 0_1531880250889_819f3c84-15f8-48c0-881f-0b8442cfeb8d-image.png]

    And now I can't connect to my web GUI with my WAN port.
    [screenshot: 0_1531880373832_d0210d36-d311-4281-a6e7-8b36ed22b157-image.png]

    That's another interesting setting. I can use RDP by NAT.
    [screenshot: 0_1531882249922_1b48df35-0e59-43b9-b430-cdca973b30cf-image.png]



  • @chieh said in NAT Port-Forwarding:

    It seems not difficult, but I tried it. It doesn't work either.

    So you have something else broken as well. You seem effective in doing so.

    @chieh said in NAT Port-Forwarding:

    And now I can't connect to my web GUI with my WAN port.

    That has nothing to do with your previous problem but it's great to hear!
    -> you DO NOT want the pfSense UI on the public internet. You don't!
    If you need access from non-local sites then use a VPN.

    @chieh said in NAT Port-Forwarding:

    That's another interesting setting. I can use RDP by NAT.

    You can but you don't want to. Same as pfSense UI, you do not want to expose RDP to the internet. Use a VPN instead.


  • Rebel Alliance Global Moderator

    Going to repeat jahonix's warnings - you do NOT want to open the web GUI to the public, nor would you want to allow RDP into your network. A VPN is the better choice here.

    If your RDP port forwarding is working, then look at why your HTTP is not.. Maybe HTTP (80) is not even getting to your WAN? Maybe the host you're forwarding to is not even listening on 80, maybe it has a host firewall?

    Here is the troubleshooting guide for port forwarding.
    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html

    I can tell you from being here for 10 some years that 99.99999999% of the time port forwarding problems are PEBKAC..

    With basic troubleshooting it should take you all of 2 minutes to find out what is not correct for the forward to work.. Step 1, if you feel the forward is correctly done, is to validate that the traffic you're trying to forward actually gets to the pfSense WAN. Packet Capture is simple enough to do from the Diagnostics menu. Impossible for pfSense to forward something it never sees.



  • @johnpoz - you do NOT want to open the web GUI to the public, nor would you want to allow RDP into your network. A VPN is the better choice here.

    It is wrong. I use RDP just because I want to test that the NAT can work.....

    Finally, I wish I can both connect to the pfSense web UI on the WAN port & connect to my client web UI.


  • Netgate

    The way you have it now, you will have to connect to the web GUI on https://wan.address:9443/ (if you have the proper firewall rules on WAN. I will not belabor the point that it is a bad idea to have that open from any address.)

    That will be completely unrelated to any HTTP traffic on any interface on port 80.

    If your WAN rules pass traffic with source address any, source port any, dest address 192.168.1.3, dest port 80 (which is the default for a port forward rule if you do not change the rule creation and linking selection at the bottom of the port forward definition), traffic to WAN Address:80 will be forwarded to 192.168.1.3:80.

    If that is not working, you need to see why that web server is not answering.

    As @johnpoz said, the checklist of things to look at is here:

    https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html
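    To make the two points in this thread concrete (kpa's and Derelict's explanation that a source port range of 80 can never match a client's ephemeral source port, and Derelict's description of what the port forward plus its linked WAN rule actually translate), here is a small simulation of pfSense-style rule matching. It is an added example, not code from pfSense or from anyone in the thread; the packet and rule classes, the 203.0.113.5 client address and the 1000-trial loop are constructed for illustration. The WAN address 10.10.10.1, target 192.168.1.3 and GUI port 9443 are the values from the thread.

```python
import random
from dataclasses import dataclass
from typing import Optional, Tuple

WAN_ADDR = "10.10.10.1"          # pfSense WAN IP from the thread
WEB_HOST = "192.168.1.3"         # Win2008 host running the intranet web server
GUI_PORT = 9443                  # alternative webConfigurator port chosen by the OP

PortRange = Optional[Tuple[int, int]]   # None means "any"


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """Fields that matter for matching: the source port range is the
    'advanced' option the OP filled in with HTTP by mistake."""
    proto: str
    src_ports: PortRange
    dst_ip: str
    dst_ports: Tuple[int, int]
    target_ip: str
    target_port: int


@dataclass(frozen=True)
class WanRule:
    """The firewall rule pfSense links to a port forward by default:
    it is evaluated on the packet AFTER destination NAT, so it is written
    against the internal address and port, not the WAN address."""
    proto: str
    dst_ip: str
    dst_ports: Tuple[int, int]


def in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def apply_forward(rule: PortForward, pkt: Packet) -> Optional[Packet]:
    """Return the destination-translated packet, or None if the forward does not match."""
    if (rule.proto != pkt.proto or pkt.dst_ip != rule.dst_ip
            or not in_range(pkt.src_port, rule.src_ports)
            or not in_range(pkt.dst_port, rule.dst_ports)):
        return None
    # a range forwards 1:1, so keep the packet's offset within the range
    offset = pkt.dst_port - rule.dst_ports[0]
    return Packet(pkt.proto, pkt.src_ip, pkt.src_port,
                  rule.target_ip, rule.target_port + offset)


def wan_rule_passes(rule: WanRule, translated: Packet) -> bool:
    return (rule.proto == translated.proto and translated.dst_ip == rule.dst_ip
            and in_range(translated.dst_port, rule.dst_ports))


def ephemeral_port(rng: random.Random) -> int:
    # clients pick a random high source port; the IANA dynamic range is 49152-65535
    # (older stacks start at 1024 - either way it is never 80)
    return rng.randint(49152, 65535)


def match_rate(rule: PortForward, trials: int = 1000, seed: int = 1) -> float:
    """Fraction of HTTP connections from a constructed client (203.0.113.5)
    that the given forward would match."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        pkt = Packet("tcp", "203.0.113.5", ephemeral_port(rng), WAN_ADDR, 80)
        if apply_forward(rule, pkt) is not None:
            hits += 1
    return hits / trials


# The OP's rule: source port range set to HTTP (80-80). Never matches.
BROKEN_RULE = PortForward("tcp", (80, 80), WAN_ADDR, (80, 80), WEB_HOST, 80)
# The corrected rule: source port range "any". Matches every client.
FIXED_RULE = PortForward("tcp", None, WAN_ADDR, (80, 80), WEB_HOST, 80)
# The linked WAN firewall rule pfSense creates for the forward.
LINKED_WAN_RULE = WanRule("tcp", WEB_HOST, (80, 80))


def forward_and_filter(pkt: Packet) -> Optional[Packet]:
    """Full path for one packet through the fixed forward and its linked rule."""
    translated = apply_forward(FIXED_RULE, pkt)
    if translated is None or not wan_rule_passes(LINKED_WAN_RULE, translated):
        return None
    return translated


if __name__ == "__main__":
    print("broken rule match rate:", match_rate(BROKEN_RULE))   # 0.0
    print("fixed rule match rate: ", match_rate(FIXED_RULE))    # 1.0
    print(forward_and_filter(Packet("tcp", "203.0.113.5", 51234, WAN_ADDR, 80)))
    # GUI traffic on 9443 never touches the port-80 forward:
    print(forward_and_filter(Packet("tcp", "203.0.113.5", 51234, WAN_ADDR, GUI_PORT)))
```

    Running it shows the broken rule matching 0 of 1000 connections and the fixed rule matching all of them, a packet to 10.10.10.1:80 leaving the forward as 192.168.1.3:80, and a packet to 10.10.10.1:9443 being untouched by the forward, which is why the GUI port and the HTTP forward are independent problems as Derelict says.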