Netgate Discussion Forum
    Port Forwarding Trouble

    General pfSense Questions
twalton23

      Hey Guys,

I am hoping someone can help point me in the right direction when it comes to port forwarding. I am trying to port forward port 443 to an nginx server I have running within a VLAN on the Netgate 2100 model.

      Version: 21.02-RELEASE-p1

My home ISP is AT&T, and within their gateway settings I have enabled IP Passthrough to pass all traffic to the WAN interface on the pfSense box. This seems to be working correctly:

[screenshot]

I then plugged an ESX server into Switch Port 3 on the Netgate 2100 device. Connection was established, and then I went through the below steps to set up the VLAN:

[screenshots of the VLAN setup steps]

I am able to spin up a VM within this VLAN (192.168.200.11); it is able to reach other servers within the VLAN and make outbound connections to the internet, so initially all connectivity seems fine. I want this to serve as a reverse proxy and am using NGINX to do so. The server is listening on port 443:

[screenshot]

I want this to be publicly accessible, so I tried to create the below NAT rule:

[screenshots]

      The corresponding firewall rule is also created:
[screenshot]

However, I cannot connect to it from the public internet.

[screenshot]

With some troubleshooting, I ran tcpdump on the WAN interface of pfSense and I see the connection attempts hitting the interface, yet the WAN interface does not seem to be passing the traffic to the internal host on the server VLAN.

      When running the "Test Port" tool within the Web GUI, I get connection failures to that host and port from the WAN interface:

[screenshot]

However, other source addresses (such as the LAN interface) can establish a connection with that host and port:

[screenshot]

I have spent a few days on this and for the life of me cannot figure out what steps I may have missed. I am wondering if it is something with how the VLANs are configured, but I am not sure.

      Any help or insight would be greatly appreciated!

      Thanks,
      Taylor

KOM @twalton23

@twalton23 IIRC you can't forward tcp/443 if you have the pfSense WebGUI listening on that port. Change the WebGUI to 444 or something else and then test your port forward again.

twalton23 @KOM

@kom Hey Kom, thanks for replying. I have already changed the Web GUI to port 8080... I did just discover something else. I got a shell on the pfSense box and ran a traceroute to the internal server from the WAN interface. I see that it is trying to reach the internal IP of the AT&T gateway, which seems odd:

[screenshot]

          Is there a way to statically set a route to this host that takes the gateway of the vlan (192.168.200.1)?

KOM @twalton23

@twalton23 You shouldn't have to do anything with regard to static routes. It should just work. Next step is to do a packet capture on WAN and vlan20 to check that the incoming packets are hitting your WAN, being processed, and spit out the VLAN to your server.

            Troubleshooting NAT Port Forwards

Edit: Is your WAN in private IP space? Your modem shouldn't be in the equation at all. It should act as a bridge and nothing more.

twalton23 @KOM

              @kom Hey Kom, the WAN is in the public space.

I have the WAN interface on the pfSense box set to the public IP given to me by AT&T. I also have their gateway as the gateway for my WAN IP. When I run a traceroute from the WAN interface to 192.168.200.11, the first hop is the private IP of the AT&T gateway that is in the house.

[screenshot]

This is odd, because I cannot connect to their web UI hosted on 192.168.1.254 unless I take pfSense out of the mix.

tcpdump output on the WAN interface during the traceroute:

[screenshot]

104.181.152.45 is the public IP assigned to my WAN interface.

Output of tcpdump on the VLAN interface that serves the 192.168.200.1/24 network:

[screenshot]

So for some reason it seems like pfSense is trying to route to 192.168.1.254 (the private IP of the AT&T gateway that is out of the mix) to get to 192.168.200.11, and I am not sure why.

KOM @twalton23

@twalton23 Simplify this test by using Diagnostics - Packet Capture on WAN and filter by your test address, then try to access your server from the client. Then run it again on your vlan20 and filter by your server address and try access again. That will filter out the ARP traffic and other crap we're not interested in.

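As an added example (not code from the thread or from Netgate), here is a small Python script that applies the check described in the two posts above: take one capture from the WAN interface and one from the VLAN interface, both recorded while a client outside the firewall connects to the forwarded port, and decide at which stage the forward breaks. A pfSense port forward rewrites only the destination address, so the client's source address and port seen on WAN must reappear unchanged on the VLAN side; that is what the script keys on. The capture lines are constructed in tcpdump's text format; the client address 203.0.113.5 is made up, while 104.181.152.45 and 192.168.200.11 are the addresses from the thread. The client has to be an outside host, not the firewall itself.

```python
"""Triage a pfSense port forward from two tcpdump captures (WAN and inside VLAN).

Added example, not code from the thread or from Netgate. Run tcpdump on both
interfaces while an outside client connects, e.g.
    tcpdump -ni <wan_if>  'tcp port 443 and host <client>'
    tcpdump -ni <vlan_if> 'tcp port 443 and host <client>'
then feed the text lines to diagnose().
"""
import re
from dataclasses import dataclass

# Matches the address/port/flags part of a "tcpdump -n" TCP line, e.g.
# "12:00:01.000001 IP 203.0.113.5.51000 > 104.181.152.45.443: Flags [S], seq 1, ..."
PKT_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

    @property
    def is_syn(self) -> bool:
        return self.flags == "S"      # bare SYN: a new connection attempt

    @property
    def is_synack(self) -> bool:
        return self.flags == "S."     # SYN-ACK: the server answered


def parse(lines):
    """Return the TCP packets found in tcpdump text lines; other lines are ignored."""
    pkts = []
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            pkts.append(Pkt(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]))
    return pkts


def diagnose(wan_lines, vlan_lines, public_ip, server_ip, port):
    """Classify where an inbound forward of public_ip:port -> server_ip:port breaks."""
    wan, vlan = parse(wan_lines), parse(vlan_lines)

    syns_in = [p for p in wan if p.is_syn and p.dst == public_ip and p.dport == port]
    if not syns_in:
        return "no-syn-on-wan"            # the upstream device never delivered it
    clients = {(p.src, p.sport) for p in syns_in}

    fwd = [p for p in vlan if p.is_syn and p.dst == server_ip and p.dport == port
           and (p.src, p.sport) in clients]
    if not fwd:
        return "syn-not-forwarded"        # NAT rule or its firewall rule did not match

    replies = [p for p in vlan if p.is_synack and p.src == server_ip and p.sport == port
               and (p.dst, p.dport) in clients]
    if not replies:
        return "no-reply-from-server"     # nothing listening, host firewall, or wrong gateway on the host

    out = [p for p in wan if p.is_synack and p.src == public_ip and p.sport == port
           and (p.dst, p.dport) in clients]
    if not out:
        return "reply-not-leaving-wan"    # reply left by another path (asymmetric routing)
    return "ok"


# Constructed sample captures for one successful connection from 203.0.113.5 (made-up client).
SAMPLE_WAN = [
    "12:00:01.000001 IP 203.0.113.5.51000 > 104.181.152.45.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000400 IP 104.181.152.45.443 > 203.0.113.5.51000: Flags [S.], seq 9, ack 2, win 65160, length 0",
]
SAMPLE_VLAN = [
    "12:00:01.000100 IP 203.0.113.5.51000 > 192.168.200.11.443: Flags [S], seq 1, win 64240, length 0",
    "12:00:01.000300 IP 192.168.200.11.443 > 203.0.113.5.51000: Flags [S.], seq 9, ack 2, win 65160, length 0",
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_WAN, SAMPLE_VLAN, "104.181.152.45", "192.168.200.11", 443))  # ok
    print(diagnose(SAMPLE_WAN, [], "104.181.152.45", "192.168.200.11", 443))           # syn-not-forwarded
```

An empty or SYN-less VLAN capture while the SYN is visible on WAN ("syn-not-forwarded") points at the NAT rule or its associated WAN firewall rule; a translated SYN with no SYN-ACK points at the server or its own default gateway; a SYN-ACK on the VLAN that never appears on WAN means the reply is leaving by a different path.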
stephenw10 (Netgate Administrator)

You can't test like that using the WAN. The route-to rules will force any traffic sourced from the WAN IP via its gateway if there is one defined on the interface.

You can try sourcing from another interface to check the target is responding to anything outside its own subnet. The VLAN 10 interface, maybe.

                  Steve

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.