Netgate Discussion Forum

    Nat Pass Works But Rule Does Not

    NAT
    11 Posts 4 Posters 812 Views
    qwaven

      Hi there,

      So wondering if someone can help me understand why this is not working.

      I've got two NAT port forward rules set up.

      Nothing special from what I can tell.

      Both my NAT rules are almost identical.

      any source or source port to destination WAN on Destination Port redirect to NAT IP on NAT port

      The only difference between the two rules is the NAT IP (two different servers).
      The dest. ports are different but the NAT ports are the same.

      I've been scratching my head here trying to understand why 1 server will work fine but the other will not.

      In short I've determined that when I change the "broken" NAT to use "PASS" instead of referencing the auto-generated rule, the NAT will work.

      My understanding here is that PASS will be just that and nothing more, whereas if I reference a rule I can then fine-tune it further?

      So;

      1. If I do not customize my rules past the auto generated rule am I creating a less "secure" rule by using pass?

      2. What could cause the generated rule to not work? It is identical to the second NAT entry with the exception of the Dest. Port and NAT IP used. Even the NAT Port is the same, both NAT rules point to the same service just on different hosts.

      Further to this, when both my NAT rules referenced rules instead of PASS, one NAT would not work.

      If I were to reverse the dest. port by putting the working NAT's port on the non-working NAT's port, the non-working NAT would then work, but the previously working NAT would stop working.

      Happy to post any info.

      Hope someone can help.

      Cheers!

        Bob.Dig LAYER 8 @qwaven

        @qwaven You probably have to use a reverse proxy... How about showing the rules?

          qwaven @Bob.Dig

          @Bob-Dig said in Nat Pass Works But Rule Does Not:

          @qwaven You probably have to use a reverse proxy... How about showing the rules?

          Hi Bob-Dig,

          Thanks for the reply.

          Not sure if it's my browser or what, but I do not see a way to simply copy the rules. I have attached some screenshots. You may notice one of them I modified slightly so you can see the IP instead of the alias name.

          I also believe I may have miswrote slightly. The rules used are floating rules instead of the auto-generated ones, as I now recall those never appeared to work.


          Short history of the rules:
          1 NAT rule had been set up a good while ago, and at that time I must have set up the floating rule to get it working.
          The second NAT rule is only days old, as it's a new implementation.


          So instead of the auto-generated rule on the WAN interface I manually created ones (basically identical) but floating. Not sure if there is any issue with that?

          This pfSense instance is likely going to be rebuilt at some point, so I am mostly just wanting to confirm if there is any major issue with using pass instead of a rule that passes from any to a specific port. Ideally it would be nice to understand why it's not working though.

          floating_rules.PNG

          nat_rules.PNG

          Cheers!

            Bob.Dig LAYER 8

            Hm, never had any problem with auto-generated Firewall Rules for a Port Forward. So it seems you don't need a reverse proxy.

            Do you try to connect from behind pfSense to these or from external?

              qwaven @Bob.Dig

              @Bob-Dig said in Nat Pass Works But Rule Does Not:

              Hm, never had any problem with auto-generated Firewall Rules for a Port Forward. So it seems you don't need a reverse proxy.

              Do you try to connect from behind pfSense to these or from external?

              The purpose of the NAT forwarding is to permit external access (internet) to reach them.

              When I am testing I have used an 'is my port open' checking site as well as my mobile connected only to the cellular network.

              Everything works fine internally, NAT is not required for this purpose.

              Cheers!

                qwaven

                Hi again,

                Just wanted to revisit this as I'm not sure if it was confirmed or not. Is there any issue with using the pass option for NAT instead of an actual rule?

                I am still not terribly clear on the difference.

                Cheers!

                  jimp Rebel Alliance Developer Netgate

                  Rules with pass are less flexible since you don't have all the same options as firewall rules. See https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html for more.

                  If it works, it's OK, but not ideal. If it works and your rule doesn't, then there is probably a problem with the rule or a problem with how you are testing it (e.g. testing from a host in the same WAN subnet as the firewall will behave differently with pass since it doesn't get reply-to).

                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!
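To make the distinction in jimp's answer concrete, here is an added illustration in pf.conf syntax of how the two port-forward variants discussed in this thread end up in the ruleset. It is not taken from the thread and is not pfSense's literal generated output (pfSense adds its own labels and tracker IDs); the WAN interface em0, WAN address 203.0.113.5, WAN gateway 203.0.113.1 and the internal servers 192.168.1.10 and 192.168.1.11 are assumed values, while the ports 32400 and 32401 are the ones the thread talks about.

```pf
# Added illustration in pf.conf syntax, not pfSense's literal generated ruleset.
# Assumed values: WAN interface em0, WAN address 203.0.113.5,
# WAN gateway 203.0.113.1, internal servers 192.168.1.10 and 192.168.1.11.
wan      = "em0"
server_a = "192.168.1.10"
server_b = "192.168.1.11"

# Variant 1: port forward with an associated (or manually written) filter rule.
# The rdr rule only rewrites the destination; a separate pass rule is still
# needed, and that rule is where the usual firewall-rule options live
# (source restrictions, logging, schedules, and reply-to).  reply-to pins
# the return traffic to the WAN gateway, which is what normally makes the
# forward answer correctly for clients on the Internet.  Note the filter
# rule matches the translated (internal) destination, not the WAN address.
rdr on $wan inet proto tcp from any to 203.0.113.5 port 32400 -> $server_a port 32400
pass in quick on $wan reply-to ($wan 203.0.113.1) inet proto tcp \
    from any to $server_a port 32400 flags S/SA keep state \
    label "USER_RULE: NAT server_a (associated rule)"

# Variant 2: the same kind of forward using the NAT rule's "Pass" option.
# "rdr pass" admits the translated packets without consulting the filter
# rules at all, so there is no separate pass rule to tune, and the state is
# created without reply-to.  This is the difference behind jimp's remark
# that a host in the same WAN subnet as the firewall can behave differently
# against the two variants.
rdr pass on $wan inet proto tcp from any to 203.0.113.5 port 32401 -> $server_b port 32400
```

On a pfSense box the effective rules can be compared with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules), and live states with `pfctl -ss`. If a forward only works as Variant 2, the thing to check is the filter rule of Variant 1: its destination must be the internal address and NAT port after translation, and a state for the test connection should appear in `pfctl -ss` when the rule is matching.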

                    qwaven @jimp

                    @jimp said in Nat Pass Works But Rule Does Not:

                    Rules with pass are less flexible since you don't have all the same options as firewall rules. See https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html for more.

                    If it works, it's OK, but not ideal. If it works and your rule doesn't, then there is probably a problem with the rule or a problem with how you are testing it (e.g. testing from a host in the same WAN subnet as the firewall will behave differently with pass since it doesn't get reply-to)

                    Thanks for the reply and confirmation.

                    My testing has always been from the internet side of my WAN port. I've used either my mobile on the mobile network or an external site that tests port "openness".

                    If you think there is still a possibility to get the more proper rules working I would be happy to give it a try if you had any further suggestion? The rules are fairly basic so it won't take me long to switch it back.

                    Cheers!

                      qwaven

                      So just because... I went ahead and removed both NAT rules and any rules for them.

                      Created just 1 NAT rule and specified to allow it to create an associated rule.

                      It did all this; I tested and experienced the same issue.
                      -In the application it shows a status which flashes on showing it should be good then seconds later goes back to offline status.
                      -Externally testing shows the port is down

                      Tried adjusting the NAT reflection type (I had always left it as system default).
                      Tried proxy and pure; all appear to have the same result.

                      Switched to using pass; the NAT rule removes its associated created rule and my application immediately works. External testing passes as well.

                      Second NAT rule...
                      Did the same tests as above, nothing appears to work.
                      As I removed the floating rule I originally created to make this work, I switched the NAT rule to also use pass and it works.

                      Floating rules:

                      Go in and change both NAT rules to not use Pass or Associate to a rule.
                      Create a basic floating pass rule to allow from any to one of my servers. The server with port 32401 will not work.
                      The server with port 32400 will work with the floating rule.

                      And for completeness I change the NAT rule for 32401 back to use PASS and remove the floating rule I created for it. It works right away.

                      I'm at a loss here as to what else I can be looking at. Open to trying things...

                      Cheers!

                        NeoDude

                        You shouldn't need to be using Floating Rules tbh.
                        I'm guessing from the port numbers that this is 2 separate Plex servers? If so, did you update the Public port to 32401 in the settings of the second server?

                        Home Server "Gandalf": unRAID Pro 6 | MB: ASUS Z9PE-D8 WS | CPU: Dual Xeon E5-2670 | RAM: 64GB Crucial PC-1600 ECC

                          qwaven

                          Thanks for the reply. This same issue is actually seen on another post of mine.

                          https://forum.netgate.com/topic/156619/how-to-restrict-openvpn-traffic

                          Never did find a cause but will likely end up rebuilding which hopefully will solve the issues.

                          Cheers!
