NAT Port Forward - Destination port range overlaps with an existing entry
-
Hey, everyone!
I'm hoping someone can point me to a solution. I have several interfaces where I'm trying to reroute VLAN DNS to Unbound at 127.0.0.1:53 but I'm getting the error in the title. As an example:
- Interface: VLAN1
- Source: VLAN1 subnet | Port: Any
- Destination: !VLAN1 Address | Port: DNS
- Redirect IP: 127.0.0.1 | Port: DNS
- Interface: VLAN12
- Source: VLAN2 subnet | Port: Any
- Destination: !VLAN2 Address | Port: DNS
- Redirect IP: 127.0.0.1 | Port: DNS
... and a few other VLANs with similar configurations. So, yeah, definitely a port overlap.
This used to work in older versions of pfSense but no longer works in the latest 2.8.1 release. I've seen countless tutorials and guides using this method to forward traffic to the same redirect IP/Port. Usually in the context of multiple WAN connections pointing to a single internal server of some sort. But if this is no longer the accepted method of doing redirects and pfSense flatly refuses to allow this configuration, what is the workaround?
Any help, guidance, pokes with a sharp stick in the right direction are appreciated.
Thanks,
KA
-
@Kahnares It's documented so yeah should work.
So you can create one rule, but then not a second on any other interface? Are there any other NAT rules on that VLAN?
-
Thanks for the reply!
There are no other rules in NAT Port Forwards for that VLAN or any other at the moment. It won't let me create any because of the overlap conflict. I have Manual Outbound NAT rules configured for various VLANs:
- Interface = WAN
- Address Family = IPv4
- Protocol = any
- Source
  - Type = Network
  - Source Network = 192.168.x.0/24
  - Source port: Blank
- Destination
  - Type = Any
  - Address = Blank
  - Destination Port: Blank
- Translation
  - Address = WAN Address
  - Port = blank
Rinse and repeat for additional VLANs. NAT Port Forwards won't allow me to save any additional rules that point to the same Redirect IP/Port even if the interface, source and destination is a different VLAN.
Edit: Copy/Paste formatting fix.
-
Quick question for those who might be in the know. I’m at work, so I can’t test anything until this evening, but maybe someone can answer this question in the meantime.
Since my issue is a conflict with the Redirect IP and Port (127.0.0.1:53) on multiple interfaces, can I simply change the loopback IP? Does anyone know if pfSense supports the full 127.0.0.0/8 address space for loopback? Would this work around the issue with the NAT Port Forwards (assuming Unbound is configured to listen on “localhost”, which it is)...?
Thanks,
KA
-
@Kahnares I know of no reason why it shouldn't be allowed. Perhaps @stephenw10 has some insight...
If you temporarily disable the manual outbound NAT for a VLAN does that change anything?
re: loopback I'd just test at a pfSense command line. nslookup and/or dig should work.
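As an added example of the two checks raised in this thread (probing other 127.0.0.0/8 addresses from the pfSense shell, and confirming which DNS redirects pf actually loaded), here is a small sh script; it is not code from the thread or from pfSense. It assumes dig(1) and pfctl(8) are present on the pfSense shell and that Unbound is listening on the loopback addresses being probed; the candidate addresses and the query name are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the pfSense shell (FreeBSD sh).
# Assumptions: dig(1) is installed and Unbound listens on the probed loopback
# addresses; pfctl(8) is available and the script runs as root for the
# ruleset check. Candidate addresses in main() are constructed samples.

# is_loopback IP: exit 0 if IP is a well-formed address inside 127.0.0.0/8.
# Pure string check, no network access.
is_loopback() {
    first=${1%%.*}
    rest=${1#*.}
    [ "$first" = "127" ] || return 1
    # Remaining part must be exactly three dotted octets, each 0-255.
    set -- $(printf '%s' "$rest" | tr '.' ' ')
    [ $# -eq 3 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# probe_dns IP [NAME]: query NAME against IP port 53 and report whether an
# answer came back. Returns 0 on answer, 1 on no answer, 2 if dig is missing.
probe_dns() {
    ip=$1
    name=${2:-example.com}
    if ! command -v dig >/dev/null 2>&1; then
        echo "$ip: skipped (dig not installed)"
        return 2
    fi
    if dig @"$ip" -p 53 +short +time=2 +tries=1 "$name" 2>/dev/null | grep -q .; then
        echo "$ip: answered"
        return 0
    fi
    echo "$ip: no answer"
    return 1
}

# show_loopback_redirects: print the loaded NAT rules whose translation target
# is a loopback address, to confirm which port forwards pf accepted.
show_loopback_redirects() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not available; skipping ruleset check"
        return 2
    fi
    pfctl -sn 2>/dev/null | grep -E -- '-> 127\.[0-9]+\.[0-9]+\.[0-9]+'
}

main() {
    # Constructed candidates: valid loopback addresses, a malformed one and a
    # non-loopback address, so every branch above is exercised.
    for cand in 127.0.0.1 127.0.0.2 127.1.1.1 127.256.0.1 10.10.0.1; do
        if is_loopback "$cand"; then
            probe_dns "$cand" || :
        else
            echo "$cand: not in 127.0.0.0/8, skipping"
        fi
    done
    show_loopback_redirects || :
}

main "$@"
```

An address that passes is_loopback but gets "no answer" means the kernel accepts the address but nothing is bound to it on port 53, so Unbound's listen settings would need to cover it before a redirect to that address is useful.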
-
@SteveITS I haven't tried disabling or removing Outbound rules, but it's worth a shot. I'm not sure it would make a difference, but stranger things have happened and it's quick'n'easy to test. Outbound is just directing traffic to the gateways (ISP or VPN, depending on the VLAN). I'll test my loopback theory too.