Port forwarding only working to /24 addresses
-
Hello all, Thanks for in advance for reading my question.
My Pfsense setup is on a /16 subnet(The lan interface is 192.168.1.1/16) with devices ranging from 192.168.0-255.0-255 and they all can use the gateway fine and access the WAN correctly.
However I simply do not understand what Port forwarding is doing.
If I forward port 7000 from a WAN address to a device on the lan(192.168.1.232/16 for example) it will not work, UNLESS I change the subnet on the 192.168.1.232 device to /24.
Example addresses of Port forwarding working
192.168.1.232 With a Subnet of 255.255.255.0
192.168.13.180 With a Subnet of 255.255.255.0Example addresses of Port forwarding not working
192.168.1.232 With a Subnet of 255.255.0.0
192.168.13.180 With a Subnet of 255.255.0.0I have tried different ports/devices and everytime it only works if the lan device is set to a /24 subnet.
Any ideas?
-
I have nat configured on /22 networks with no issues, can you post a screenshot of your nat rule?
-
what's the source IP of the host you're port forwarding traffic from? Out on the Internet, or on a private network? my first guess is you're forwarding in from a 192.168.x.x network and hosts with a /16 mask see that as a local network, which means the replies won't go anywhere.
-
Thank you guys for the replies. I posted 3 images. One of my LAN interface, one of the port forward, and one of the related rule.
I am forwarding the port from WAN address which is a public facing IP on a /5 subnet (It is not a 192 address)
-
I did not found erros on your config.
Do your wan has a valid ip? -
Yes it has a valid wan ip, and I can access the internet via internal devices on both /24 and /16 subnets, but the really odd part is that the ports forwards work fine if I change the device to a /24.
Right now the websites in question are available and being used (Because I switched their internal ip to a /24), but it is really annoying to have to segment parts of our internal network for no logical reason.
-
Time to packet capture, start with the LAN on the firewall, filter on the destination host's IP. If you see it leaving there, go to the target server and capture.
