Modem NAT and Pfsense NAT

  • Hi,

    I am not very sure about this but this is my setup:

    Internet –>> ADSL modem ---> Pfsense --> Switch ---> 2 servers

    Modem x.x.x.217
    Pfsense x.x.x.219

    Now when I set NAT to open port 21 on the Pfsense to one of my servers (rules are correct!) the port is still blocked when I check on x.x.x.219. Also the port is blocked on x.x.x.217 on the modem.

    Now I have set up the same as above at another location, where port 21 was open on the modem's side. I could then port forward port 21 with NAT on the pfsense and it showed as open.

    Does this mean that you also have to open ports on the modem? I thought that when I set the modem to bridged mode this wouldn't be a problem. Do I need to configure 2 NATs?


  • Hi !

    The modem does only handle the packets and "modulates / demodulates" the signals for you. It does not filter anything (whereas most modern modems have built-in routers which are deactivated).

    Make sure you opened the firewall ports in the rules too, only NAT is only half the way.
    FTP is a nasty protocol when it comes to NAT, because you have to open MANY ports (depending on active or passive FTP).

    I'd recommend you first test your NAT / rules with a protocol like HTTP, and after this one works, you can have a closer look at FTP ;-)

  • LAYER 8 Global Moderator

    "I thought then when i set the Modem to Bridged mode"

    So you're sure you're in bridge mode?

    What is the first part of the IP your pfsense WAN interface has? Does it start with 10.x.x.x or 192.168.x.x or 172.16-31.x.x? If so, then it's still on a private IP behind your natting modem/router.

    What confuses me is the way you give a x.x.x.217 and .219 for your pfsense box??  Once your "modem/router" is in BRIDGE mode it wouldn't have a public IP that you would be concerned with at all.

    How exactly are you checking that the port is blocked.. Are you trying to access the public IP from a machine on your private side (ie same network as servers)?

    That rarely works - and you would have to be allowing for nat reflection in pfsense, etc.

    As to checking if port is open on .217 – completely clueless to what that has to do with anything??

    As mentioned, yes, NAT is only one part of it, but unless you changed the defaults or told it not to, pfsense would normally create the firewall rule for you when you create a port forward (NAT).

    As to FTP being nasty -- yes, this can be the case when there is no FTP helper; it can be fun opening up all the ports if you were doing passive connections. Or if you are on the client side of an active connection.

    With active connection to server, the only firewall port that needs to be forwarded to your server is 21 - normally outbound ports are all open, so should not have to do anything since the firewall is going to make the connection from source of 20 to whatever port the client said to use.

    If the client is making a passive connection to your server, then again you only need to forward and open up 21 to your server, since the FTP helper will open up the port the server told the client to connect to.

    You really should not have to do anything but forward 21 to your server.  If you're saying it's not open, I would assume you are trying to check from inside your network and NAT reflection is causing you grief.  Or you're behind a double NAT and port because your modem/router is not really in bridge mode.  Or as mentioned you did not let pfsense create the firewall rule for you when you created the port forward (NAT).  Or yet another: you forwarded to the wrong IP, or FTP is not running, or a software firewall on the server is blocking, etc.

    Verify your pfsense is not actually behind a nat - and verify you can access your ftp server using internal connection (no firewall on server).  Verify you have both nat and firewall rule to allow 21 to your server and then verify said access from outside your network.

  • Johnpoz thanks for your reaction.

    OK, it's like this now. The modem is a Siemens SE565. What I did with it: I disabled the firewall, turned off the DHCP and set the LAN IP the same as the WAN IP.
    In this case that is 92.x.x.217. I then gave the pfsense the WAN address: 92.x.x.219.

    As you said about the bridged mode: I'm actually not sure if it is in bridged mode now. I know that the way I set up the modem is called a routed subnet.

    I'm checking ports with canyouseeme and other sites, so from outside my network. Port 21 is just an example. I need to open ports 80, 53, 443 and 3690. There are 2 servers on the pfsense: 1 on the OPT1 (DMZ) and 1 on the LAN side. The one on the OPT1 side is a webserver. That needs to access the internet. But only port forward. Not outbound for these ports.

    But you say that checking port status on my modem 92.x.x.217 is useless? Because if I open port 443 on my pfsense and I check port 443 with canyouseeme on IP 92.x.x.219, then it still says it's blocked. I will post a screenshot of my NAT and rule in a few moments.

  • This is the firewall I need to create with the pfsense. The 10.10 server needs to be accessible through ports 80, 53, 443, 3690.
    Both servers need to be able to communicate with each other.
    The servers need to let out data to the internet through the same ports. Only they may not be accessible from the outside (WAN). Do I need to use outbound NAT for the 20.10 server?

    But as far as the port forwarding is concerned: I opened port 443 as you can see below. But when I check with canyouseeme it says the port is closed. Port 80 that I NAT forwarded is open.


    https RULE:

    https NAT:

  • LAYER 8 Global Moderator

    "set the LAN ip the same as the WAN ip.  In this case that is 92.x.x.217. I then gave the pfsense the WAN address: 92.x.x.219."

    and this is working for internet access from your pfsense?

    That is not making sense to me.  You can not put the same IP on both your wan and lan of any device and expect it to actually work ;)

  • Johnpoz,

    The modem has a WAN IP and that IP is the same as the LAN side: 92.x.x.217 in this case. I then gave the pfsense the WAN address 92.x.x.219.
    This is called a routed subnet. My understanding was that when you have servers behind your pfsense you have to set the modem as routed subnet, so that it works as a bridge and is a dumb modem. Pfsense has a NAT rule for directing port 80 requests to the public server. This works to access the webserver from an outside network.

    Problem is that I cannot open more ports on the pfsense and make them work from outside. It still says port closed on, for example, port 443. So I think the modem is not configured well. Like I'm double natting…

    Do I need to open ports on the modem and pfsense to make it work?

  • LAYER 8 Global Moderator

    I know exactly what a routed subnet is – you still don't put the same IPs on both the wan and lan interfaces of a device.

    if anything you might put say firstip in routed segment on the wan, and secondip on the lan.

    If you were actually routed the subnet and your pfsense was seeing an IP in that subnet there should be NO nat going on and all ports should be open to the pfsense wan interface.

    Do you see this traffic being blocked on pfsense?

    Do a sniff on your pfsense WAN interface -- do you see the packets hit the interface for any traffic you're sending to it, be it 21, 443, etc.?  If not, then clearly something is blocking it before it gets to your pfsense.  Be it a NAT in your "modem" or a firewall before it, etc.  IE is it possible your ISP is filtering traffic to your public IP space that you have from them?
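
The two checks suggested in the replies above (is the pfSense WAN address private, and does the test traffic reach the WAN interface at all) can be combined into one triage step. The following is an added example, not code from any poster in this thread; it assumes text output from `tcpdump -n` captured on the WAN interface while an outside port test runs, and the addresses, the sample capture and the result labels are constructed for illustration.

```python
import ipaddress
import re

# Private ranges named in the thread: 10.x, 172.16-31.x, 192.168.x
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One TCP line of `tcpdump -n` text output: "IP src.port > dst.port: Flags [S], ..."
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

# Constructed capture from the WAN interface (documentation addresses, not real hosts)
SAMPLE = """\
12:00:01.000100 IP 203.0.113.50.51234 > 198.51.100.219.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000900 IP 198.51.100.219.80 > 203.0.113.50.51234: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:05.000100 IP 203.0.113.50.51240 > 198.51.100.219.443: Flags [S], seq 200, win 64240, length 0
12:00:06.000100 IP 203.0.113.50.51240 > 198.51.100.219.443: Flags [S], seq 200, win 64240, length 0
"""


def wan_is_private(wan_ip):
    """True when the WAN address is RFC 1918, i.e. pfSense sits behind another NAT."""
    addr = ipaddress.ip_address(wan_ip)
    return any(addr in net for net in RFC1918)


def diagnose(wan_ip, port, capture):
    """Classify an outside port test from what the WAN capture shows."""
    if wan_is_private(wan_ip):
        return "double-nat"
    syn_in = synack_out = False
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == wan_ip and int(dport) == port and flags == "S":
            syn_in = True          # the outside tester's SYN reached the WAN
        elif src == wan_ip and int(sport) == port and flags == "S.":
            synack_out = True      # the forwarded server answered
    if not syn_in:
        return "blocked-upstream"  # modem NAT/firewall or ISP filter
    return "open" if synack_out else "reaches-pfsense-no-reply"


if __name__ == "__main__":
    for p in (80, 443, 21):
        print(p, diagnose("198.51.100.219", p, SAMPLE))
```

A result of `reaches-pfsense-no-reply` points at the pfSense side (missing firewall rule, wrong forward target, or the service or a host firewall on the server), while `blocked-upstream` means the packets never arrived and the modem or ISP is the place to look.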
