Nat Pass Works But Rule Does Not
-
Hi there,
So wondering if someone can help me understand why this is not working.
I've got two NAT port forward rules set up.
Nothing special from what I can tell.
Both my NAT rules are almost identical:
any source or source port to destination WAN on Destination Port, redirect to NAT IP on NAT port.
The only difference between the two rules is the NAT IP (two different servers).
The dest. ports are different but the NAT ports are the same. I've been scratching my head here trying to understand why one server will work fine but the other will not.
In short, I've determined that when I change the "broken" NAT to use "PASS" instead of referencing the auto-generated rule, the NAT will work.
My understanding here is that PASS will be just that and nothing more, whereas if I reference a rule I can then fine-tune it further?
So:
- If I do not customize my rules past the auto-generated rule, am I creating a less "secure" rule by using pass?
- What could cause the generated rule to not work? It is identical to the second NAT entry with the exception of the dest. port and NAT IP used. Even the NAT port is the same; both NAT rules point to the same service, just on different hosts.
Further to this, when both my NAT rules referenced rules instead of PASS (one NAT would not work): if I were to swap the dest. ports by putting the working NAT's port on the non-working NAT, the non-working NAT would then work, but the previously working NAT would stop working.
Happy to post any info.
Hope someone can help.
Cheers!
-
@qwaven You probably have to use a reverse proxy... How about showing the rules?
-
@Bob-Dig said in Nat Pass Works But Rule Does Not:
@qwaven You probably have to use a reverse proxy... How about showing the rules?
Hi Bob-Dig,
Thanks for the reply.
Not sure if it's my browser or what, but I do not see a way to simply copy the rules. I have attached some screenshots. You may notice one of them I modified slightly so you can see the IP instead of the alias name.
I also believe I may have miswrote slightly. The rules used are floating rules instead of the auto-generated ones, as I now recall those never appeared to work.
Short history of the rules:
1 NAT rule had been set up a good while ago, and at that time I must have set up the floating rule to get it working.
The second NAT rule is only days old as it's a new implementation.
So instead of the auto-generated rule on the WAN interface I manually created ones (basically identical) but floating. Not sure if there is any issue with that?
This pfSense instance is likely going to be rebuilt at some point, so I am mostly just wanting to confirm if there is any major issue with using pass instead of a rule that passes from any to a specific port. Ideally it would be nice to understand why it's not working though.
Cheers!
-
Hm, never had any problem with auto-generated Firewall Rules for a Port Forward. So it seems you don't need a reverse proxy.
Do you try to connect from behind pfSense to these or from external?
-
@Bob-Dig said in Nat Pass Works But Rule Does Not:
Hm, never had any problem with auto-generated Firewall Rules for a Port Forward. So it seems you don't need a reverse proxy.
Do you try to connect from behind pfSense to these or from external?
The purpose of the NAT forwarding is to permit external access (internet) to reach them.
When I am testing I have used a 'is my port open' checking site as well as my mobile connected only to cellular network.
Everything works fine internally, NAT is not required for this purpose.
Cheers!
-
Hi again,
Just wanted to revisit this as I'm not sure if it was confirmed or not. Is there any issue with using the pass option for NAT instead of an actual rule?
I am still not terribly clear on the difference.
Cheers!
-
Rules with "pass" are less flexible since you don't have all the same options as firewall rules. See https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html for more. If it works, it's OK, but not ideal. If it works and your rule doesn't, then there is probably a problem with the rule or a problem with how you are testing it (e.g. testing from a host in the same WAN subnet as the firewall will behave differently with "pass" since it doesn't get reply-to).
-
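As an added illustration (not from the original thread or from pfSense's generated config), here is roughly what the two NAT options correspond to in pf syntax, assuming WAN interface em0, WAN gateway 203.0.113.1, and two internal servers 192.168.1.10 and 192.168.1.11 both listening on 32400:

```pf
# Illustrative fragment; assumed values: WAN is em0, WAN gateway is
# 203.0.113.1, internal servers are 192.168.1.10 and 192.168.1.11.

# Option 1: port forward with "pass" ticked. The rdr itself admits the
# traffic, so no separate filter rule is consulted and no reply-to is
# attached: replies follow the routing table instead of being pinned to
# the WAN gateway, and none of the filter-rule options (logging,
# schedules, gateway, state limits) are available.
rdr pass on em0 inet proto tcp from any to (em0) port 32400 -> 192.168.1.10 port 32400

# Option 2: port forward plus an associated filter rule. The rdr only
# translates; a pass rule on the WAN interface must admit the
# translated packet, and reply-to sends the replies back out via the
# WAN gateway regardless of the routing table.
rdr on em0 inet proto tcp from any to (em0) port 32401 -> 192.168.1.11 port 32400
pass in quick on em0 reply-to (em0 203.0.113.1) inet proto tcp \
    from any to 192.168.1.11 port 32400 flags S/SA keep state

# One thing to check when a hand-written rule is used instead of the
# associated one: pf translates (rdr) before it filters, so the filter
# rule must match the post-translation destination (192.168.1.11 port
# 32400), not the public WAN port (32401). A rule written against
# port 32401 never matches, while the "pass" form above still works.
```

On the firewall, `pfctl -sn` lists the loaded rdr lines and `pfctl -vvsr` lists the filter rules with their evaluation and packet counters, which shows directly whether the rule you expect to admit the forwarded traffic is ever being hit.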
@jimp said in Nat Pass Works But Rule Does Not:
Rules with "pass" are less flexible since you don't have all the same options as firewall rules. See https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html for more. If it works, it's OK, but not ideal. If it works and your rule doesn't, then there is probably a problem with the rule or a problem with how you are testing it (e.g. testing from a host in the same WAN subnet as the firewall will behave differently with "pass" since it doesn't get reply-to).
Thanks for the reply and confirmation.
My testing has always been from the internet side of my WAN port. I've used either my mobile on the mobile network or an external site that tests port "openness".
If you think there is still a possibility to get the more proper rules working, I would be happy to give it a try if you had any further suggestions. The rules are fairly basic, so it won't take me long to switch it back.
Cheers!
-
So just because... I went ahead and removed both NAT rules and any rules for them.
Created just 1 NAT rule and specified to allow it to create an associated rule.
It did all this, I test, and I experience the same issue.
- In the application it shows a status which flashes on, showing it should be good, then seconds later goes back to offline status.
- Externally testing shows the port is down.
Tried adjusting the NAT reflection type (always have left it as system default). Tried proxy and pure; all appear to have the same result.
Switch to using pass, the NAT rule removes its associated created rule and my application immediately works. Externally testing passes as well.
Second NAT rule...
Did the same tests as above, nothing appears to work.
As I removed my floating rule I originally created to make this work, I switch the NAT rule to also use pass and it works.
Floating rules:
Go in and change both NAT rules to not use Pass or Associate to a rule.
Create a basic floating pass rule to allow from any to one of my servers. The server with port 32401 will not work.
The server with port 32400 will work with the floating rule.
And for completeness I change the NAT rule for 32401 back to use PASS and remove the floating rule I created for it. It works right away.
I'm at a loss here as to what else I can be looking at. Open to trying things...
Cheers!
-
You shouldn't need to be using Floating Rules, tbh.
I'm guessing from the port numbers that this is 2 separate Plex servers? If so, did you update the Public port to 32401 in the settings of the second server?
-
Thanks for the reply. This same issue is actually seen on another post of mine.
https://forum.netgate.com/topic/156619/how-to-restrict-openvpn-traffic
Never did find a cause but will likely end up rebuilding which hopefully will solve the issues.
Cheers!