NAT 1:1 and port forwarding not working for me.



  • Version 2.0.1-RELEASE (i386)
    3 network cards.  2 WAN, one LAN.  The WANs have 4 possible addresses - 2 are assigned on the pfSense box.
    The outgoing traffic on the T1/cable modem WANs seems to be working fine for machines on the LAN side.  (With the 1st WAN unplugged the pfSense box can't actually check for updates however.)

    What is not is the incoming from the big bad Internet.  Have a gander at the below and tell me what I did wrong.

    Via Firewall -> Virtual IPs  I created on each WAN port a If Alias.

    The below is the port forwarding NAT

    In the interest of not having the Firewall -> Rules trip me up, I'm letting it all in.
     

      (one can see the auto created rule)

    So where did I go wrong?



  • @mr:

    Via Firewall -> Virtual IPs  I created on each WAN port a If Alias.

    Was it a typo, or did you assign WAN virtual IPs and try to set up NAT on WANT1?

    You may need to change the pfSense GUI port to something other than 80/443 too.



  • @marcelloc:

    @mr:

    Via Firewall -> Virtual IPs  I created on each WAN port a If Alias.

    Was it a typo, or did you assign WAN virtual IPs and try to set up NAT on WANT1?

    If I go to pfsense.org/ip.php  (the page that says 'your IP is this') I do not get the virtual IP, I get the originally assigned IP as expected.

    I'm not sure what the  typo would be/have been - any clue you can give would be appreciated.

    You may need to change the pfSense GUI port to something other than 80/443 too.

    This part I did get on my own.


  • Banned

    In 1.2.3 the gui works fine on port 80 with NAT reflection enabled….



  • You said that you created all WAN IP aliases, but your rules are applied on another interface.

    Your problem may be there.

    Also, you screenshotted a port forward screen while you are trying to set up a NAT 1:1 (the tab next to port forward).

    If you need to port forward instead of NAT 1:1, then you have to set outbound NAT to manual and assign an outgoing address to your NATed servers.



  • @marcelloc:

    You said that you created all WAN IP aliases, but your rules are applied on another interface.
    Your problem may be there.

    It doesn't create a separate rule tab for the aliased IP as that is still one physical interface.  But given the wide open second entry in the LAN ruleset of

    should the above concern not be addressed?

    If it is helpful - when I go to either the aliased or non-aliased IPs on WANT1, the lighttpd server answers, then sends back a 'connect via ssh to the same IP address via port 444', or http://204.107.136.1 results in a reconnect to https://204.107.136.1:444.  It acts like the port forwarding isn't turned on.

    The Firewall -> Rules menu and the WANT1 tab

    has both my rule of 'let any packet through' and the auto created rule labelled NAT - 'if it is heading to the webserver let it through' so I'm not sure the rules are wrong.  But that is why I am posting them - to have other eyes look it over and go "ok" or "errp!  wrong!"

    Also, you screenshotted a port forward screen while you are trying to set up a NAT 1:1 (the tab next to port forward).

    In the past I've posted the backup of the config file - but responses seem to go to the people who post the images of the config screen - hence that.

    If you need to port forward instead of NAT 1:1, then you have to set outbound NAT to manual and assign an outgoing address to your NATed servers.

    My title and presentation are not clear - mea culpa.  NAT 1:1 or port forwarding - neither works for me.



  • Configure IP alias on WAN (Firewall -> Virtual IPs)
    Set port forwarding NAT on WAN with associated rules (Firewall -> NAT)
    Configure outbound NAT to manual and then create your rules (Firewall -> NAT)



  • @marcelloc:

    Configure IP alias on WAN (Firewall -> Virtual IPs)
    Set port forwarding NAT on WAN with associated rules (Firewall -> NAT)
    Configure outbound NAT to manual and then create your rules (Firewall -> NAT)

    Trying this:
    ip port forward the.public.ip.address:81 to the web.server.ip.address:80 - that works.

    But NAT 1:1 OR port forwarding the.public.ip.address:80 gets me the pfSense web server.

    In System -> Advanced I checked Disable webConfigurator redirect rule.
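
The symptom reported in the posts above (port 80 on the public address redirecting to https on port 444 of the same address) can be checked mechanically. The following is an added example, not part of the original thread and not pfSense code: the redirect heuristic, the function names and the sample responses are assumptions constructed for illustration.

```python
# Added example, not from the thread. Addresses and samples are constructed.
from http.client import HTTPConnection
from urllib.parse import urlsplit


def fetch_head(host, port=80, timeout=5):
    """GET / on host:port without following redirects; return (status, Location)."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def classify(probed_host, status, location):
    """Heuristic (assumption): a 3xx to https:// on the probed host itself means
    the firewall's own web GUI answered, i.e. the forward did not take effect."""
    if 300 <= status < 400 and location:
        target = urlsplit(location)
        if target.scheme == "https" and target.hostname == probed_host:
            return "firewall-gui", target.port or 443
        return "redirect-elsewhere", target.port
    return "other-responder", None


# Constructed samples: (probed host, status, Location header).
SAMPLES = [
    ("204.107.136.1", 301, "https://204.107.136.1:444/"),  # symptom from the thread
    ("204.107.136.1", 200, None),                          # some server returned a page
    ("204.107.136.1", 302, "http://www.example.com/"),     # redirect to another host
]


def classify_samples():
    return [classify(h, s, loc) for h, s, loc in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, classify_samples()):
        print(sample, "->", verdict)
```

To check a live address, pass the result of `fetch_head(host)` to `classify` from a machine on the Internet side of the firewall; from the LAN the answer depends on NAT reflection.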



  • For access from outside to work, your associated firewall rule for the port forward probably needs the gateway to be specified in the advanced options.  Your web server's replies are probably going out WAN when they should be going out WANT1.  Things only go out the default gateway unless you force it to do otherwise.



  • @Efonne:

    For access from outside to work, your associated firewall rule for the port forward probably needs the gateway to be specified in the advanced options.

    The 'confusing' part was the non-working status.

    Turns out replacement of the motherboard and its on-board Ethernet with a different motherboard now has the config work.

    Wasn't amused how pfSense reset the NAT mappings, but at least it was not thick with custom fiddly bits that were reset.

