NAT Port Forwarding keeps forwarding to the workstation's old static IP
-
Hi,
I have a problem with NAT -> Port Forwarding.
I have been working on this problem for almost a month.
My pfSense version is 2.5.2.
What I have done is this: I changed my workstation's static IP from 192.168.0.5 to 192.168.0.50.
Now when I RDC to my workstation remotely, the RDC port is still being forwarded to the old IP (192.168.0.5).
I already changed the IP of my workstation in the NAT and Firewall Rules, and I rebooted pfSense several times.
When I change back to the old IP 192.168.0.5 I get connected immediately.
pfSense cannot update the old IP of the workstation and keeps forwarding the port to the old IP.
How can I solve this issue?
Under the system log of my firewall I see the destination IP is still the older one.
It is not being updated.
Does anybody know where the NAT and firewall rule settings are kept as editable files? Maybe I can find and edit them manually.
Thank you.
-
@antionline said in NAT Port Forwarding keep forwards to older static ip of the workstation:
It is not being updated.
Can we see the port forward you're changing? And then you can look for your specific port forwards with
pfctl -sn
Here I can see my port forward to my Plex.
I would also reload your rules and make sure there are no errors.
But to answer your question directly, the rules are stored in your XML, so you can export the NAT section and look in there.
On a side note, opening up RDP to the public internet is not a very good idea. Do you have this port forward locked down to a known specific source IP or network? It's a much better idea to remote desktop to stuff on your network while remote via a VPN connection.
It would seem odd that your rules in pfSense are not updating. Are other rules updating? The output of pfctl -sn would show exactly what the port forwards are.
-
I used the "pfctl -sn" command at the command prompt, and then I found port 1983.
The listing is below:
no nat on bce1 proto tcp from (bce1) to <Workstation> port = 1983
no nat on bce1 proto udp from (bce1) to <Workstation> port = 1983
nat on bce1 inet proto tcp from 192.168.0.0/24 to <Workstation> port = 1983 -> 192.168.0.1 port 1024:65535
nat on bce1 inet proto udp from 192.168.0.0/24 to <Workstation> port = 1983 -> 192.168.0.1 port 1024:65535
rdr on bce0 inet proto tcp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bce0 inet proto udp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bce1 inet proto tcp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bce1 inet proto udp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bge1 inet proto tcp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bge1 inet proto udp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bge2 inet proto tcp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bge2 inet proto udp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bge3 inet proto tcp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bge3 inet proto udp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
Then I reloaded the filters again, but the static IP did not change. It still forwards to 192.168.0.5 instead of 192.168.0.50.
The System Logs -> Firewall Log is below
"Dec 19 19:53:53 WAN NAT RDC to Z240 (1585861034) x.x.x.x:64526 192.168.0.5:1983 TCP:S"
Then I took a NAT backup; the XML output is below:
<rule>
  <source>
    <any/>
  </source>
  <destination>
    <any/>
    <port>1983</port>
  </destination>
  <ipprotocol>inet</ipprotocol>
  <protocol>tcp/udp</protocol>
  <target>192.168.0.50</target>
  <local-port>1983</local-port>
  <interface>wan</interface>
  <descr><![CDATA[RDC to Workstation]]></descr>
  <associated-rule-id>pass</associated-rule-id>
  <natreflection>purenat</natreflection>
  <created>
    <time>1639913425</time>
    <username><![CDATA[admin@x.x.x.x (Local Database)]]></username>
  </created>
  <updated>
    <time>1639932277</time>
    <username><![CDATA[admin@x.x.x.x (Local Database)]]></username>
  </updated>
</rule>
I replaced the RDC port for security reasons. I am not locking the port down to only one host; it is open to all.
Do you have a good guide for us on RDC securing techniques as well?
-
Solved. Thank you for your support.
After clearing the config cache and rebooting, the system is back to the up-to-date state of the current config file.
Now it routes directly to the IP set under NAT.
Run command:
rm /tmp/config.cache
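The mismatch in this thread is between what pf is actually enforcing and what config.xml says: the rdr rules point at a pf table (the `<Workstation>` alias), so the live address is in the table contents, while the intended address is in the NAT rule's `<target>` element. The script below is an added example, not code from the thread or from pfSense, that extracts both and reports whether they agree. The `pfctl -sn` output, the table listing and the config fragment are constructed to mirror the thread so the script runs offline; on a real firewall you would feed it the output of `pfctl -sn`, `pfctl -t Workstation -T show` and the NAT section of /conf/config.xml instead. The function names (`rdr_target`, `resolve_target`, `config_target`, `forward_status`) are mine.

```shell
#!/bin/sh
# Added example (not from the forum thread): compare the port-forward target pf
# is enforcing with the target saved in config.xml. All sample data is constructed.

# Constructed `pfctl -sn` output. The alias shows up as a pf table, <Workstation>,
# exactly as in the thread; a plain-IP forward is included for contrast.
SAMPLE_PFCTL='rdr on bce0 inet proto tcp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bce0 inet proto udp from any to 195.175.8.86 port = 1983 -> <Workstation> round-robin
rdr on bce0 inet proto tcp from any to 195.175.8.86 port = 22 -> 192.168.0.20'

# Constructed output of `pfctl -t Workstation -T show`: the stale address.
SAMPLE_TABLE_WORKSTATION='   192.168.0.5'

# Constructed NAT rules from config.xml (only the elements the check needs).
SAMPLE_CONFIG='<rule>
  <destination><any/><port>1983</port></destination>
  <protocol>tcp/udp</protocol>
  <target>192.168.0.50</target>
  <local-port>1983</local-port>
</rule>
<rule>
  <destination><any/><port>22</port></destination>
  <protocol>tcp</protocol>
  <target>192.168.0.20</target>
  <local-port>22</local-port>
</rule>'

# Print the redirect target pf uses for a WAN port: an IP or a <Table> reference.
rdr_target() {  # $1 = pfctl -sn output, $2 = WAN port
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 == "rdr" {
      for (i = 2; i < NF; i++)
        if ($(i-1) == "port" && $i == "=" && $(i+1) == p)
          for (j = i; j < NF; j++)
            if ($j == "->") { print $(j+1); exit }
    }'
}

# Contents of a pf table. On a real firewall this is `pfctl -t "$1" -T show`;
# here it returns the constructed listing so the example runs offline.
table_contents() {
  case "$1" in
    Workstation) printf '%s\n' "$SAMPLE_TABLE_WORKSTATION" ;;
    *) return 1 ;;
  esac
}

# Expand a <Table> reference to its first address; pass plain IPs through.
resolve_target() {  # $1 = output of rdr_target
  case "$1" in
    "<"*">") tbl=$(printf '%s' "$1" | tr -d '<>'); table_contents "$tbl" | awk 'NF { print $1; exit }' ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Print the <target> of the NAT rule whose <local-port> matches the given port.
config_target() {  # $1 = NAT rule XML, $2 = port
  printf '%s\n' "$1" | awk -v p="$2" '
    /<rule>/       { t = ""; lp = "" }
    /<target>/     { sub(/.*<target>/, ""); sub(/<\/target>.*/, ""); t = $0 }
    /<local-port>/ { sub(/.*<local-port>/, ""); sub(/<\/local-port>.*/, ""); lp = $0 }
    /<\/rule>/     { if (lp == p) { print t; exit } }'
}

# Exit 0 when pf and config.xml agree on where a port is forwarded, 1 when they differ.
forward_status() {  # $1 = WAN port
  live=$(resolve_target "$(rdr_target "$SAMPLE_PFCTL" "$1")")
  want=$(config_target "$SAMPLE_CONFIG" "$1")
  if [ -n "$live" ] && [ "$live" = "$want" ]; then
    echo "OK: port $1 -> $live"
  else
    echo "STALE: pf forwards port $1 to '$live' but config.xml says '$want'"
    return 1
  fi
}

# Usage: port 1983 reproduces the thread (stale table entry), port 22 is consistent.
forward_status 1983 || echo "fix from the thread: rm /tmp/config.cache, then reload the filter"
forward_status 22
```

The script deliberately follows the table reference rather than stopping at `<Workstation>`: `pfctl -sn` alone cannot show the stale address, because the rule text is unchanged whether the table holds 192.168.0.5 or 192.168.0.50. Checking the table contents against `<target>` is what actually confirms the live ruleset was built from a stale config cache.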
-
Maybe it would be useful, to prevent configuration issues, to clear the cache automatically after certain functions are used or on every reboot.
I worked on this issue for almost a month before finding this.
Thank you.