Netgate Discussion Forum
    Problem forwarding ports to internal IPs

    11 Posts 2 Posters 10.4k Views

    • Guest

      Hi! I'm unable to forward any port to my internal IP.
      This is my configuration:

      INTERNET
      pfSense
      TP-Link router
      LAN connected to TP-Link

      pfSense has:
      WAN IP: 23.238.x.x (ISP IP)
      LAN: 10.0.0.1

      TP-Link has:
      IP: 10.0.0.245
      Gateway: 10.0.0.1 (pfSense)
      LAN and Wi-Fi IP range: 192.168.1.x

      Now I need to forward ports 46662-46672 to 192.168.1.103,
      and I made these NAT rules:

      Then I log the traffic:

      And then I test the port forward. This is the pfSense firewall log (rule allowed):

      But the port forward test fails ("FALLITO" means failed):

      I also tested other ports like 8080, but nothing to do…
      What can I do?

      EDIT: You should also know that I'm unable to ping any 192.168.1.x IP from my pfSense shell.
      But I can ping 10.0.0.1 (the pfSense LAN address) from any 192.168.1.x computer.

      • GruensFroeschli

        Your NAT rules are wrong.
        Your destination is the pfSense itself, and as WAN you have "any".

        The destination should be the server on which you want the services on 443 and 22.
        As external address you should have your WAN address.
        Or are these two rules intended to allow access to the pfSense?
        In this case: delete the rules altogether. You don't need them. The GUI and SSH can be accessed on the WAN IP directly.
        You just need appropriate rules on the WAN interface.

        Your third rule should have as ext: the WAN interface and not any.

        How is your TP-Link configured?
        Is it doing NAT? Is it a bridge? A normal router?
        Did you configure a static route on the pfSense pointing to the IP of the TP-Link for the subnet behind it?

        PS: Your title is very misleading.
        pfSense does forward perfectly. You most probably have a misconfiguration.
        Or your setup is completely wrong and cannot work in the first place.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • Guest

          Your NAT rules are wrong.
          Your destination is the pfSense itself, and as WAN you have "any".

          The destination should be the server on which you want the services on 443 and 22.
          As external address you should have your WAN address.
          Or are these two rules intended to allow access to the pfSense?
          In this case: delete the rules altogether. You don't need them. The GUI and SSH can be accessed on the WAN IP directly.
          You just need appropriate rules on the WAN interface.

          Yep, the first 2 rules (for 443 and 22) were made to access pfSense directly. If I don't need them I will remove them.
          However, you should know that my ISP is Fastweb; it works a little differently from other ISPs.

          Your third rule should have as ext: the WAN interface and not any.

          OK, I did what you mean:

          But the port test continues to fail.

          How is your TP-Link configured?
          Is it doing NAT? Is it a bridge? A normal router?

          TP-Link is default configured, no NAT, no bridge.

          Did you configure a static route on the pfSense pointing to the IP of the TP-Link for the subnet behind it?

          Nope

          PS: Your title is very misleading.
          pfSense does forward perfectly. You most probably have a misconfiguration.
          Or your setup is completely wrong and cannot work in the first place.

          OK, title changed, sorry.

          • GruensFroeschli

            OK, in this case it's just a standard router.
            For the pfSense to know where to send the traffic to, you need to create a static route for 192.168.1.0/24 pointing to 10.0.0.245.
            Try first to test if you can ping from the pfSense itself to the server you want to forward ports to.

            What exactly do you mean, that your ISP is a little different?

            • Guest

              OK, I have made the static route:

              Now:
              ping 10.0.0.245    ---> OK
              ping 192.168.1.1   ---> OK
              ping 192.168.1.103 ---> KO

              [root@firewall.r00tati]/root(20): ping -c 2 192.168.1.103
              PING 192.168.1.103 (192.168.1.103): 56 data bytes

              --- 192.168.1.103 ping statistics ---
              2 packets transmitted, 0 packets received, 100.0% packet loss

              What exactly do you mean, that your ISP is a little different?

              Fastweb is not PPP; it uses a NAT system for its users. It assigns us an internal IP (in my case 23.238.x.x) and we do not have a public IP.
              This is a simple explanation of the Fastweb network:

              This is the result of netstat -rn:

              [root@firewall.r00tati]/root(21): netstat -rn
              Routing tables

              Internet:
              Destination        Gateway            Flags    Refs      Use  Netif Expire
              default            23.238.136.1       UGS         0   409846    vr1
              10.0.0.0/24        link#1             UC          0        0    vr0
              10.0.0.245         00:19:e0:f9:0e:2f  UHLW        2   604988    vr0   1077
              10.0.8.2           10.0.8.1           UH          0        0   tun0
              23.238.136.0/21    link#2             UC          0        0    vr1
              23.238.136.1       00:90:1a:X         UHLW        2      480    vr1    638
              23.238.141.X       00:13:c8:X         UHLW        1        4    vr1   1126
              23.238.141.X       127.0.0.1          UGHS        0        0    lo0
              127.0.0.1          127.0.0.1          UH          1        0    lo0
              192.168.1.0/24     10.0.0.245         UGS         0       18    vr0

              Internet6:
              Destination                       Gateway                       Flags      Netif Expire
              ::1                               ::1                           UHL         lo0
              fe80::%vr0/64                     link#1                        UC          vr0
              fe80::20d:b9ff:fe1a:2718%vr0      00:0d:b9:X                    UHL         lo0
              fe80::%vr1/64                     link#2                        UC          vr1
              fe80::20d:b9ff:fe1a:2719%vr1      00:0d:b9:X                    UHL         lo0
              fe80::%lo0/64                     fe80::1%lo0                   U           lo0
              fe80::1%lo0                       link#4                        UHL         lo0
              fe80::20d:b9ff:fe1a:2718%tun0     link#8                        UHL         lo0
              ff01:1::/32                       link#1                        UC          vr0
              ff01:2::/32                       link#2                        UC          vr1
              ff01:4::/32                       ::1                           UC          lo0
              ff01:8::/32                       link#8                        UC         tun0
              ff02::%vr0/32                     link#1                        UC          vr0
              ff02::%vr1/32                     link#2                        UC          vr1
              ff02::%lo0/32                     ::1                           UC          lo0
              ff02::%tun0/32                    link#8                        UC         tun0

              And this is the configuration of my router:

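The static route GruensFroeschli asked for is what tells pfSense where to send packets for 192.168.1.0/24, and the netstat -rn output in the post above shows it as the `192.168.1.0/24  10.0.0.245  UGS  vr0` line. The Python below is an added example, not code from the thread or from pfSense: it parses the IPv4 part of that table (the lines with masked `X` octets are left out) and performs the same longest-prefix lookup the kernel does, so you can see which next hop a packet for 192.168.1.103 takes with and without the static route. Without it, the lookup falls through to the default route on vr1, so the packet leaves through the WAN, which matches the poster's original inability to ping 192.168.1.x from the pfSense shell.

```python
import ipaddress

# IPv4 routes copied from the `netstat -rn` output posted above (routes with
# masked "X" octets omitted). Columns: Destination Gateway Flags Refs Use Netif [Expire]
NETSTAT_RN = """\
default            23.238.136.1       UGS         0   409846    vr1
10.0.0.0/24        link#1             UC          0        0    vr0
10.0.0.245         00:19:e0:f9:0e:2f  UHLW        2   604988    vr0   1077
10.0.8.2           10.0.8.1           UH          0        0   tun0
23.238.136.0/21    link#2             UC          0        0    vr1
127.0.0.1          127.0.0.1          UH          1        0    lo0
192.168.1.0/24     10.0.0.245         UGS         0       18    vr0
"""

# The route GruensFroeschli told the poster to add (System -> Static routing).
STATIC_ROUTE = ipaddress.ip_network("192.168.1.0/24")


def parse_routes(text):
    """Turn netstat -rn lines into (network, gateway, interface) tuples.

    A bare host destination becomes a /32 and "default" becomes 0.0.0.0/0.
    The trailing Expire column is only present on ARP-derived host routes,
    so the interface is the last column unless the last column is numeric.
    """
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        dest, gateway = parts[0], parts[1]
        netif = parts[-2] if parts[-1].isdigit() else parts[-1]
        network = (ipaddress.ip_network("0.0.0.0/0") if dest == "default"
                   else ipaddress.ip_network(dest, strict=False))
        routes.append((network, gateway, netif))
    return routes


def lookup(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    best = None
    for network, gateway, netif in routes:
        if ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gateway, netif)
    return best


def next_hop(addr, with_static_route=True):
    """Return (gateway, interface) for addr, optionally without the 192.168.1.0/24 route."""
    routes = parse_routes(NETSTAT_RN)
    if not with_static_route:
        routes = [r for r in routes if r[0] != STATIC_ROUTE]
    _network, gateway, netif = lookup(routes, addr)
    return gateway, netif


if __name__ == "__main__":
    # The three targets the poster pinged after adding the route.
    for target in ("10.0.0.245", "192.168.1.1", "192.168.1.103"):
        print(target, "with static route    ->", next_hop(target))
        print(target, "without static route ->", next_hop(target, with_static_route=False))
```

The host route for 10.0.0.245 carries a MAC address in the gateway column because it is an ARP entry for a directly connected host; a gateway of `link#1` means "deliver on vr0 directly", and only the 192.168.1.0/24 entry actually points at another router. The same check on a real box is simply `netstat -rn | grep 192.168.1` before and after adding the route.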
                • GruensFroeschli

                Well, 23.238.x.x is a public IP ;)
                Private IPs are
                10/8
                172.16/12
                192.168/16
                (and to some extent 169.254/16)

                Since you can now ping the private IP of your second router, we can be sure that the pfSense knows how to reach it.
                Are you sure that you don't have a firewall on the client?

                What I don't understand right now is that your access point has the same IP on the WLAN and the LAN.
                If it's a normal router this should confuse it and mess up its routing table.
                Can you ping 192.168.1.103 from your second router?

                  • Guest

                  Since you can now ping the private IP of your second router, we can be sure that the pfSense knows how to reach it.

                  Yep, it's a good point!

                  Are you sure that you don't have a firewall on the client?

                  Yes, I use Linux and there are no iptables rules.

                  What I don't understand right now is that your access point has the same IP on the WLAN and the LAN.
                  If it's a normal router this should confuse it and mess up its routing table.
                  Can you ping 192.168.1.103 from your second router?

                  Yes, I'm able to ping 192.168.1.103 from another 192.168.1.x.

                    • Guest

                    What I do is:

                    1. Add static routing (System -> Static routing) like this:

                    2. Add new NAT rules like this:

                      Where 10.0.0.245 is your router IP address

                    3. Go into your router configuration and add a new port forwarding like this:

                      Forward the same port to the correct IP (in my case 192.168.1.103)

                      • GruensFroeschli

                      Don't set the external address in the portforward to any.
                      Set it to the external address.

                        • Guest

                        Don't set the external address in the portforward to any.
                        Set it to the external address.

                        Oops, right! Edited.

                        It doesn't work at all :S

                          • Guest

                          Solved by disabling "Block private networks" and "Block bogon networks".

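The thread ends with the forward working once "Block private networks" and "Block bogon networks" were turned off on the WAN. Those options only drop packets arriving on that interface whose source address is in the non-routable ranges (RFC 1918 and loopback for the first option, the downloaded bogon list for the second), so a source in the poster's public 23.238.x.x space is never touched by them; if switching them off changed the result, the test traffic was reaching the WAN with a private or bogon source. The check below is an added example, not from the thread or from pfSense: it classifies a constructed set of candidate source addresses against the ranges GruensFroeschli listed earlier, including 172.32.0.1, which sits one network past 172.16/12 and is therefore public. The loopback range is my addition, taken from pfSense's own description of the option.

```python
import ipaddress

# Ranges GruensFroeschli listed as private earlier in the thread (169.254/16 is
# link-local, private "to some extent"). 127.0.0.0/8 is added here because the
# pfSense "Block private networks" option also drops loopback-sourced packets;
# that range is not from the thread.
PRIVATE_RANGES = {
    "RFC1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),
    "RFC1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "link-local 169.254/16": ipaddress.ip_network("169.254.0.0/16"),
    "loopback 127/8": ipaddress.ip_network("127.0.0.0/8"),
}


def matching_private_range(addr):
    """Return the label of the private range containing addr, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for label, network in PRIVATE_RANGES.items():
        if ip in network:
            return label
    return None


# Constructed WAN-ingress source addresses (not taken from the thread's logs),
# chosen to cover the boundaries of the ranges above.
SAMPLE_SOURCES = [
    "23.238.136.1",    # ISP gateway from the netstat output: public
    "23.238.140.9",    # constructed address inside the poster's 23.238.136.0/21 WAN subnet: public
    "192.168.1.103",   # the target server; private if it ever shows up as a WAN source
    "10.0.0.245",      # the TP-Link's address on the pfSense LAN: private
    "172.31.255.254",  # last host inside 172.16/12: private
    "172.32.0.1",      # one network past 172.16/12: public
    "169.254.10.10",   # link-local
    "127.0.0.1",       # loopback
]


def classify(sources=SAMPLE_SOURCES):
    """Map each source to the range that would get it dropped, or 'passes' if it reaches the NAT rules."""
    return {src: (matching_private_range(src) or "passes") for src in sources}


if __name__ == "__main__":
    for src, verdict in classify().items():
        print(f"{src:16} {verdict}")
```

Turning both options off means the WAN now accepts packets with spoofed RFC 1918 or bogon source addresses, which is exactly what they exist to stop. The narrower fix is to read the source address of the failing test in the firewall log, run it through a check like this one, and then decide whether that specific source legitimately belongs on the WAN side.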