Netgate Discussion Forum

[SOLVED] Standard port forwarding from WAN -> DMZ host doesn't work

    comi
    last edited by Jul 11, 2011, 3:38 PM Jul 11, 2011, 11:53 AM

    Hi all,

    I'm a bit lost: after upgrading from pfSense 1.2.3 to 2.0rc3, I'm somehow unable to get port forwarding to work as before.

    Goal: set up some ports (80, 443, 993 etc.) to forward to a host behind the OPT1 (DMZ) interface.

    My approach was (example with port 80):

    • Create a new port forward rule

    • Interface: WAN

    • Protocol: TCP

    • Destination: alias pointing to server behind DMZ interface

    • Destination Port Range: HTTP

    • Redirect target IP: alias pointing to server behind DMZ interface

    • Redirect target port: HTTP

    • Filter rule association: create new associated filter rule

    This generated a correct firewall rule on the WAN interface based on that NAT rule.

    But it doesn't work from the internet side. Any ideas? Thanks in advance.

      rancor
      last edited by Jul 11, 2011, 11:56 AM

      Do you filter egress from DMZ to WAN?

        comi
        last edited by Jul 11, 2011, 3:38 PM

        Yes, I'm filtering outbound traffic, but this was not the source of the problem.

        Actually it was just RTFM of http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F, as I misinterpreted the destination:

        Destination - this specifies the original destination IP of the traffic, as seen before being translated, and will usually be "WAN address".

        So it works now.

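The point comi quotes from the documentation, as an added example (not part of the original posts and not pfSense code): a toy Python model in which the port forward matches on the packet's original, pre-translation destination and the associated filter rule then sees the translated address. The addresses and all class and function names are constructed for illustration.

```python
# Toy model of a WAN port forward: NAT matches on the ORIGINAL destination,
# then the associated filter rule is checked against the translated packet.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address

# Constructed addresses (documentation/private ranges), not from the thread.
WAN_ADDRESS = ip_address("203.0.113.10")   # firewall's public WAN IP
DMZ_HOST = ip_address("192.168.2.10")      # server behind OPT1 (DMZ)

@dataclass(frozen=True)
class Packet:
    dst: IPv4Address
    dport: int
    proto: str = "tcp"

@dataclass(frozen=True)
class PortForward:
    destination: IPv4Address   # "Destination": address as seen BEFORE translation
    dport: int
    target: IPv4Address        # "Redirect target IP"
    target_port: int
    proto: str = "tcp"

    def translate(self, pkt):
        """Return the rewritten packet, or None if this rule does not match."""
        if (pkt.proto, pkt.dst, pkt.dport) != (self.proto, self.destination, self.dport):
            return None
        return Packet(self.target, self.target_port, pkt.proto)

def wan_inbound(pkt, forwards):
    """First matching forward rewrites the packet; the associated filter
    rules only pass traffic addressed to a forward's target. Default: block."""
    for fwd in forwards:
        out = fwd.translate(pkt)
        if out is not None:
            pkt = out
            break
    allowed = any((pkt.proto, pkt.dst, pkt.dport) == (f.proto, f.target, f.target_port) for f in forwards)
    return ("pass" if allowed else "block", pkt)

def audit(forwards):
    """Flag forwards whose Destination is the redirect target itself."""
    return [f for f in forwards if f.destination == f.target]

# First attempt in the thread: Destination = alias of the DMZ server.
misconfigured = PortForward(DMZ_HOST, 80, DMZ_HOST, 80)
# After the fix: Destination = WAN address.
corrected = PortForward(WAN_ADDRESS, 80, DMZ_HOST, 80)
internet_request = Packet(WAN_ADDRESS, 80)   # what an internet client sends
```

With the misconfigured rule the request is never translated, so it stays addressed to the firewall and the associated filter rule (which permits traffic to the DMZ host) does not match it.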
          genrvs
          last edited by Jul 15, 2011, 9:49 AM

          Step 1: Go to "Status" -> "DHCP leases" and set up a static DHCP lease for the desired host.

          Step 2: Go to "Firewall" -> "Aliases", create a host type alias and give it a name [Host_alias_name]. Use the IP for the static DHCP lease you created in Step 1. Save.

          Step 3: Go to "Firewall" -> "Aliases", create a port type alias and give it a name [Port_alias_name]. For your port range enter "1:65535". Save.

          Step 4: Go to "Firewall" -> "NAT" and, on the port forward tab/card, add a new NAT. Interface = WAN, External address = Interface address, Protocol = TCP/UDP, External port range = from: (other) in red box [Port_alias_name] to: (other), NAT IP = [Host_alias_name], Local port = (other) in red box [Port_alias_name]. "Auto-add a firewall rule to permit traffic through this NAT rule" should be checked. Save.

          It should be working now!

          Note: if your router requires any ports for any services, it will not work, because you have forwarded them all to the host. You will need to modify your port type alias to exclude the desired port. For example, if your router needs port 1000 for a service, in your port type alias you will need to create one range from 1 to 999 "1:999" and another range from 1001 to 65535 "1001:65535".

          ENJOY!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.