Port Forwarding - Captive Portal - NAT Reflection

  • Hi.  ~~I use NAT reflection to access systems internally by my external DNS name.  I do this because I forward ports to different machines and like to call on them by my DNS name, rather than choosing each IP separately (e.g. my website, ssh on different machines, etc…)  NAT reflection by itself works fine, no problems.

    Until I enabled captive portal.  Once I enable captive portal, NAT reflection no longer seems to work.  I cannot access my port forwarded ports internally by my external DNS name, e.g. when I call on my web server by its external DNS name it times out.

    Any ideas?  Can I not have the best of both worlds?~~

    Actually, after investigating more, it seems that none of my firewall rules are working.  I cannot access any of my port forwards after enabling captive portal, externally or internally.  All machines have their MACs added to the pass list and all can access the internet freely.  I am sure someone has run into this before but I cannot find any information.


  • Does anyone else have the captive portal enabled and tried port forwarding?  It seems to break.  I saw a solution of setting all IPs as DHCP and reserving the IP with their MAC address and then allowing the portal to pass IPs rather than MACs.

    This doesn't sound like the most graceful solution.

    Can anyone else confirm/deny that this is a problem?  After you enable captive portal, your port forwards die even after allowing the pass-through for the MAC address (for IPs on that subnet).

    Argh!  I love pfSense so far but this is the last thing I need to get running.  If only my OPT1 worked correctly, then I wouldn't have to run the portal on my main subnet.  I could run it on OPT1 and not worry about that subnet at all.

  • It would help if you would post the version number of the pfSense install you're using.  Screenshots of your rules and port forwarding configuration, possibly that of your captive portal, will also help people spot problems.

  • I will, however the functionality is broken.  I have confirmed from a few other unanswered posts.  I am using the latest pfSense.  As soon as you enable captive portal, it breaks your port forwards.  Nothing complicated, easy to test.

    The only workaround is allowing IPs to pass in the captive portal.  Assigning MACs to the pass-through, along with IPs, then assigning reserved IPs is a very long workaround.

  • Just as a heads up to anyone else.  NAT reflection will not work either unless you add the IP that you are using that is trying to access NAT reflected ports to the allow list in the captive portal.  This goes for any host on that network that wants to access ports that are forwarded by their external name.

  • When I used to run version 1.2.3, I never tried/used NAT reflection; instead I used split DNS and it worked fine with port forwards and captive portal.

    method 2
