Netgate Discussion Forum

NAT not working when destination and redirecting port are different

8 Posts 3 Posters 393 Views
  • L
    Landomix
    last edited by Feb 25, 2023, 5:58 PM

    Hi to everyone. I am trying to test pfSense, and my network is set up as follows: there is a server, running on port 80, connected to the LAN port of the firewall.

    The NAT works perfectly if I am keeping the same port, e.g., <FIREWALL_IP>:80 correctly redirects to <SERVER_IP>:80, but if I set up the following rule, trying to perform the redirection of <FIREWALL_IP>:6666 to <SERVER_IP>:80, it does not work. (The only thing I changed with respect to before is the destination port, which, if I am not wrong, should be the one to which I am pointing.)
    For convenience, in the following there is an image of the rule.

    image.jpg

    Here is the link to my post in the reddit community of pfSense, containing other tries I've done.

    Please notice that if the internal and external ports are the same, it works perfectly fine.

    Version: latest stable, 2.6.0-RELEASE (amd64) built on Mon Jan 31 19:57:53 UTC 2022 FreeBSD 12.3-STABLE.

    Thanks in advance for the help!

    • S
      SteveITS Galactic Empire @Landomix
      last edited by Feb 25, 2023, 6:28 PM

      @landomix further down the page there’s an option to create a linked firewall rule, is that the default of creating the rule? Did you try creating a different rule? The ability works fine, I do it all the time.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

      • L
        Landomix @SteveITS
        last edited by Feb 25, 2023, 6:47 PM

        @steveits yes, I used the default rule, producing the following:

        nat_rule_firewall.png

        When you say that you use it every day, you mean with different ports? Because if I just do the NAT of two addresses with the same port, it works. The problem arises when I change the port that I try to access from the WAN. Theoretically this rule should be right with the port "80", because if I'm not wrong, pfSense first translates the address, and then passes the packet through the firewall.

        Thanks for the quick response!

        • S
          SteveITS Galactic Empire @Landomix
          last edited by Feb 25, 2023, 6:55 PM

          @landomix yes different ports. The 584k indicates the rule is matching traffic.

          • B
            Bob.Dig LAYER 8 @Landomix
            last edited by Feb 25, 2023, 6:58 PM

            @landomix If you test with a browser you have to put in :6666 at the end...

            • L
              Landomix @Bob.Dig
              last edited by Feb 25, 2023, 7:47 PM

              @bob-dig I confirm that all the connection tests have been done by adding, obviously, :6666

              • L
                Landomix @SteveITS
                last edited by Feb 25, 2023, 7:50 PM

                @steveits unfortunately even if it appears that some traffic is being exchanged I still cannot connect to the server. Is it possible that the traffic being exchanged is my request which has then been discarded by the firewall?

                • S
                  SteveITS Galactic Empire @Landomix
                  last edited by Feb 25, 2023, 9:06 PM

                  @landomix no it should have an open state for the reply. Presumably the gateway on the server is the pfSense because it works on the other port.
                  You could check states and/or a packet capture on LAN…
                  Have you tried a different alt port? It shouldn’t care but…


                  1 Reply Last reply Reply Quote 0
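The processing order discussed in this thread (translation first, then the firewall rule), as an added example that is not part of the original posts and is not pfSense code. It is a toy model of the WAN-side evaluation; the addresses are constructed stand-ins for <FIREWALL_IP> and <SERVER_IP>, and all class and function names are hypothetical.

```python
# Toy model of inbound processing on WAN: port forward first, filter second.
# Not pfSense code; names and addresses below are constructed for illustration.
from dataclasses import dataclass, replace

FIREWALL_IP = "203.0.113.1"   # constructed stand-in for <FIREWALL_IP>
SERVER_IP = "192.168.1.10"    # constructed stand-in for <SERVER_IP>

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class PortForward:
    ext_ip: str
    ext_port: int
    target_ip: str
    target_port: int

    def translate(self, pkt):
        """Rewrite the destination if the packet hits the forwarded IP:port."""
        if (pkt.dst, pkt.dport) == (self.ext_ip, self.ext_port):
            return replace(pkt, dst=self.target_ip, dport=self.target_port)
        return pkt

@dataclass(frozen=True)
class PassRule:
    dst: str
    dport: int

    def matches(self, pkt):
        return (pkt.dst, pkt.dport) == (self.dst, self.dport)

def wan_inbound(pkt, forwards, pass_rules):
    """Translate first, then filter; unmatched traffic is blocked (default deny)."""
    for fwd in forwards:
        translated = fwd.translate(pkt)
        if translated != pkt:
            pkt = translated
            break
    verdict = "pass" if any(r.matches(pkt) for r in pass_rules) else "block"
    return verdict, pkt

forward = PortForward(FIREWALL_IP, 6666, SERVER_IP, 80)
linked_rule = PassRule(SERVER_IP, 80)         # shape of the linked rule: internal IP, port 80
pre_nat_rule = PassRule(FIREWALL_IP, 6666)    # rule written against the external port
request = Packet("198.51.100.7", FIREWALL_IP, 6666)
```

With `forward` in place, `wan_inbound(request, [forward], [linked_rule])` passes, while the same request evaluated against `pre_nat_rule` is blocked because the filter only ever sees the translated destination.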