1:1 NAT on Modem causes Port Forwarding Problems



  • Hello.

    This feels dumb but it's been a long day at work today.  I just loaded pfSense on a box that had SmoothWall on it before (I'm glad we finally changed it over).  The pfSense box has a Static IP of 172.16.19.200.  The gateway is 172.16.19.1, which is a DSL modem with a static IP.  The modem is setup to send all data from 64.13.xxx.xxxto 172.16.19.200.  (1:1 nat, I assume).

    When I setup rules to allow SSH access via the web, it worked fine but when I try to setup the box to forward 3389 to the Windows 2003 server, it doesn't work.  I set NAT to auto-create the rule.  I've setup port forwarding rules before when I was putting the actual static on pfSense box no problem.  I'm guessing it's just this setup that's different that's giving me a problem.  I was looking at possibly a Virtual IP but I dunno.  I just tried setting up a 1:1 NAT (external 64.13.xxx.xxx, internal 172.16.19.200) just for grins but no success.

    Anyone got any ideas as to what I can do to solve this?



  • Can'T you set the modem to bridge mode? IT will simplify things a lot and makes troubleshooting a lot easier.



  • I'd have to check the modem again but the modem isn't located in the same city as the server  :-\ The DSL is in my boss's house.  He has a wireless tower in his backyard that shoots a link 15 minutes south to the big tower we have here.  The company I'm at has a CPE that shoots back to the tower just down the road.  This is how things were done before i came along.

    So it's like this:

    DSL Modem -> Wired -> Backyard Tower -> Wireless -> Main Tower -> Wireless -> Company X

    Oh yeah, EVERYTHING is bridged between the modem and the company.  So I guess that's something I can look into.  I just hope this isn't gonna cause any problems.  They have a whole 'nother subnet (10.1.1.0/24) for all the other customers out here as well with the same equipment.  Shouldn't interfere though I think.

    DSL Modem IP settings:
    WAN: 64.13.xxx.xxx
    LAN: 172.16.19.1

    EDIT I just logged into the modem.  It has Ethernet Bridging.  The modem was set so that the LAN IP is the 'Default Server'.  From what I've read, it just means all data for the WAN IP is forwarded to the specified IP (172.16.19.200).  I'm probably not gonna mess with the Ethernet Bridging for now because I can't get to the DSL modem if I mess something up.



  • I have used pfSense with a setup like yours already (using a modemrouter as gateway with DMZ setting at the modemrouter) which worked just fine. Make sure the modemrouter is not messing things up. Try to make the connection and watch your firewalllogs at status>systemlogs>firewall. Also check diagnostics>states. if you see neither a block nor a state getting generated for the connection it's blocked before it hits the pfsense already (or maybe a routing issue). You also can try to add a "log" to the firewallrule that should pass the connection.



  • I musta been delirious from being out in the sun all muddied up yesterday or something because I just now tried this at our office and it's working fine.  I didn't change my setup  ???

    Oh well, it works so I'm not gonna complain.  :P


Log in to reply