[SOLVED] Standard port forwarding from WAN -> DMZ host doesn't work

  • Hi all,

    I'm a bit lost, after upgrading from pfSense 1.2.3 to 2.0rc3 I'm somehow unable to get port forwarding to work as before:

    Goal: set up some ports (80, 443, 993 etc.) to forward to a host behind the OPT1 (DMZ) interface.

    My approach was (example with port 80):

    • Create a new port forward rule

    • Interface: WAN

    • Protocol: TCP

    • Destination: alias pointing to server behind DMZ interface

    • Destination Port Range: HTTP

    • Redirect target IP: alias pointing to server behind DMZ interface

    • Redirect target port: HTTP

    • Filter rule association: create new associated filter rule

    This generated a correct firewall rule on WAN interface based on that NAT rule.

    But it doesn't work from the internet side. Any ideas? Thanks in advance.

  • Do you filter egress from DMZ to WAN?

  • Yes, I'm filtering outbound traffic, but this was not the source of the problem.

    Actually, it was just RTFM of http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense%3F, as I misinterpreted the destination:

    Destination - this specifies the original destination IP of the traffic, as seen before being translated, and will usually be "WAN address".

    So it works now.

    Step 1: Go to "Status" -> "DHCP leases" and set up a static DHCP lease for the desired host.

    Step 2: Go to "Firewall" -> "Aliases", create a host-type alias and give it a name [Host_alias_name], using the IP of the static DHCP lease you created in Step 1. Save.

    Step 3: Go to "Firewall" -> "Aliases", create a port-type alias and give it a name [Port_alias_name]; for your port range enter "1:65535". Save.

    Step 4: Go to "Firewall" -> "NAT" and on the port forward tab/card add a new NAT. Interface = WAN, External address = Interface address, Protocol = TCP/UDP, External port range = from: (other) in red box [Port_alias_name] to: (other), NAT IP = [Host_alias_name], Local port = (other) in red box [Port_alias_name]. "Auto-add a firewall rule to permit traffic through this NAT rule" should be checked. Save.

    It should be working now!

    Note: if your router requires any ports for any services, it will not work because you have forwarded them all to the host. You will need to modify your port-type alias to exclude the desired port. For example, if your router needs port 1000 for a service, in your port-type alias you will need to create one range from 1 to 999 "1:999" and another range from 1001 to 65535 "1001:65535".
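Added example (not from this thread or from pfSense itself): a small model of a port forward that checks the mistake from the original post (Destination set to the DMZ host instead of the WAN address, so inbound packets never match) and builds the split port alias from the note above. The interface name, WAN address and DMZ host are constructed sample values; the rendered pf "rdr" lines approximate what pfSense expands a forward into.

```python
from dataclasses import dataclass

# Constructed sample values (assumptions, not from the thread).
WAN_IF = "em0"
WAN_ADDRESS = "203.0.113.10"   # the "WAN address" the doc page refers to
DMZ_HOST = "192.168.10.5"      # the host behind OPT1, i.e. the alias target


@dataclass
class PortForward:
    interface: str
    proto: str
    destination: str      # original (pre-NAT) destination, as seen on the wire
    dest_ports: list      # port alias entries such as ["80"] or ["1:999", "1001:65535"]
    target: str           # redirect target IP
    target_port: str = "" # empty: pf keeps the original port


def validate(fw: PortForward) -> list:
    """Return the reasons a forward cannot match inbound WAN traffic."""
    problems = []
    if fw.destination == fw.target:
        problems.append("destination is the internal host; inbound packets "
                        "are addressed to the WAN address, so the rule never matches")
    if fw.interface == "WAN" and fw.destination != WAN_ADDRESS:
        problems.append("destination is not the WAN address")
    return problems


def exclude_ports(reserved, low=1, high=65535) -> list:
    """Split low:high into alias entries that skip every reserved port."""
    entries, start = [], low
    for port in sorted(set(reserved)):
        if low <= port <= high:
            if port > start:
                entries.append(f"{start}:{port - 1}")
            start = port + 1
    if start <= high:
        entries.append(f"{start}:{high}")
    return entries


def rdr_rules(fw: PortForward) -> list:
    """Render pf 'rdr' lines, one per port alias entry (approximate pfSense output)."""
    port_clause = f" port {fw.target_port}" if fw.target_port else ""
    return [f"rdr on {WAN_IF} proto {fw.proto} from any to {fw.destination} "
            f"port {entry} -> {fw.target}{port_clause}"
            for entry in fw.dest_ports]
```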
