Using Aliases With NAT Redirect Target IP Will Not Work



  • Hello everyone, in pfSense 2.4.3-RELEASE-p1 (amd64) if I set the NAT Redirect Target IP to an Alias then I'm unable to access that particular machine. For example, I have set up an ssh server in my LAN then set the Alias for that machine as well as NAT rule (which auto created a Firewall rule) in pfSense. The only way I can access my machine via ssh is to set the NAT Redirect Target IP to the actual IP address of my ssh server instead of its assigned Alias. When I change the NAT Redirect Target IP to the machine's IP address it also changes the Firewall Destination rule to the IP address instead of the Alias. Using the IP address in the NAT and Firewall rules works but I'm trying to keep things dynamic so I can change IP addresses with changing Firewall and NAT rules as well. Also, I have set the Alias IP or FQDN to my pfSense's DHCP server's static mapping for that particular machine if that makes a difference. Would anyone be able to shed some light on what is happening?



  • How many IP addresses do you have in the Alias?



  • @emammadov

    This is how I have it listed in Alias:

    [Screenshot: Screen Shot 2018-09-19 at 05.17.47.png]

    jam.lan is my domain listed in: System --> General Setup and xubuntu is listed in: "DHCP Static Mappings for this Interface" and corresponds to the correct IP address. I am able to ping: xubuntu.jam.lan from my LAN.



  • Why do you want to use only 1 entry in an alias? An alias is designed to contain multiple IP addresses or FQDNs. Did you try to write xubuntu.jam.lan in Redirect target IP? Just in case, type the hostname for that IP address in DHCP Static Mappings.



  • @emammadov said in Using Aliases With NAT Redirect Target IP Will Not Work:

    Why do you want to use only 1 entry in an alias? An alias is designed to contain multiple IP addresses or FQDNs. Did you try to write xubuntu.jam.lan in Redirect target IP? Just in case, type the hostname for that IP address in DHCP Static Mappings.

    I chose to use the Alias because it was the only thing I could get NAT "Redirect target IP" to accept:

    [Screenshot: Screen Shot 2018-09-19 at 21.17.33.png]
    You can see pfSense makes it available in a drop down selection.

    If I enter xubuntu or xubuntu.jam.lan it will not work:

    [Screenshot: Screen Shot 2018-09-19 at 21.21.48.png]

    [Screenshot: Screen Shot 2018-09-19 at 21.20.17.png]

    I had previously set that machine in DHCP Static mapping except I did not append the domain because it says not to below the text box:

    [Screenshot: Screen Shot 2018-09-19 at 21.27.22.png]



  • What is the FQDN of your pfSense?



    1. Add hostname "xubuntu" to the IP address of the xubuntu server in DHCP Static Mapping.
    2. Create an alias. Name: xubuntu. In the IP or FQDN field type "xubuntu.smart.lan". The name should end in the pfSense FQDN.
    3. Create a NAT. Type the name of the alias "xubuntu" in the Redirect IP.

    My pfSense hostname is pfsense.smart.lan,
    so I typed xubuntu.smart.lan and it worked.



  • @emammadov said in Using Aliases With NAT Redirect Target IP Will Not Work:

    1. Add hostname "xubuntu" to the IP address of the xubuntu server in DHCP Static Mapping.
    2. Create an alias. Name: xubuntu. In the IP or FQDN field type "xubuntu.smart.lan". The name should end in the pfSense FQDN.
    3. Create a NAT. Type the name of the alias "xubuntu" in the Redirect IP.

    My pfSense hostname is pfsense.smart.lan,
    so I typed xubuntu.smart.lan and it worked.

    This is what I have always had for my pfSense name and domain:
    [Screenshot: Screen Shot 2018-09-20 at 19.37.22.png]

    Did you test within your LAN or through your WAN? Mine has always worked within the LAN but will not work from my WAN unless I change the: "Redirect target IP" from the Alias name to the actual IP address of the machine...then it will work from the WAN.



  • @emammadov said in Using Aliases With NAT Redirect Target IP Will Not Work:

    1. Add hostname "xubuntu" to the IP address of the xubuntu server in DHCP Static Mapping.
    2. Create an alias. Name: xubuntu. In the IP or FQDN field type "xubuntu.smart.lan". The name should end in the pfSense FQDN.
    3. Create a NAT. Type the name of the alias "xubuntu" in the Redirect IP.

    My pfSense hostname is pfsense.smart.lan,
    so I typed xubuntu.smart.lan and it worked.

    Did you test this within your LAN or WAN?



  • I have tested through WAN and it worked.


  • Netgate

    Why are you using an FQDN alias for the target address of a port forward?

    Lots of people use them to allow certain sources but I don't think I have ever seen anyone try to use it as a target. Why not just WAN address? Or the address of a VIP?



  • @derelict said in Using Aliases With NAT Redirect Target IP Will Not Work:

    Why are you using an FQDN alias for the target address of a port forward?

    Lots of people use them to allow certain sources but I don't think I have ever seen anyone try to use it as a target. Why not just WAN address? Or the address of a VIP?

    I did this because it was the only way I could set a hostname instead of an IP address in the NAT Redirect. I don't understand why I cannot use hostnames that I have set up in the Static DHCP Mapping for the NAT Redirect Target? I'm trying to set this up so if I change a host's IP in the Static DHCP Mapping then I do NOT have to change it in the NAT and Firewall as well. In a nutshell I'm trying to avoid using any sort of IP address in those NAT and Firewall fields because I may want to change IP addresses of a machine in the DHCP and don't want to edit multiple fields in different sections of pfSense. Does that make sense?

    I want to ask to make sure we are on the same page because you mentioned using the WAN address. Are you saying use the WAN address in the NAT Redirect? The NAT Redirect needs to be the machine I'm trying to connect with so I don't understand how using the WAN address in that field would correct my problem?



  • @emammadov said in Using Aliases With NAT Redirect Target IP Will Not Work:

    I have tested through WAN and it worked.

    Did you actually test this off your LAN though? If you simply use your WAN's IP address from your LAN that is not an accurate test as pfSense will loop back the connection. The test I do is disconnect my cell phone from the WiFi and use my cell data to make sure the connection works.