Test Port Forwarding inside network



  • I am setting up port forwarding. When I tested inside the network, it didn't work. I read the troubleshooting page, and it says that I can't test inside the network.
    Does anyone know the reason behind it? Why can't it be tested inside the network?
    My normal Cisco and D-Link routers could be tested inside the network. What's the reason for it? Is there any way I could work around it?



  • @cpthk:

    I am setting up port forwarding. . . .  Why it cannot be tested inside the network?

    pfSense port forwarding creates a firewall rule to forward connection requests that arrive at the box on a specified interface. Imagine you have created a port forwarding rule on the WAN interface. You can't test this by sending a connect request to the WAN IP address through the LAN interface - such requests do not arrive on the interface in the port forwarding rule.



  • You can enable port reflection, which will make it seem to work.  But it is not a good test as it can reflect without actually passing exterior traffic.

    To truly test it, you need to be outside the network.  A VPN will do this for you.



  • If you do not configure NAT to translate the client's source address, pfSense will forward traffic to the internal server, and this server will try to answer directly to the client with its own IP instead of the public NAT IP.



  • @wallabybob:

    @cpthk:

    I am setting up port forwarding. . . .  Why it cannot be tested inside the network?

    pfSense port forwarding creates a firewall rule to forward connection requests that arrive at the box on a specified interface. Imagine you have created a port forwarding rule on the WAN interface. You can't test this by sending a connect request to the WAN IP address through the LAN interface - such requests do not arrive on the interface in the port forwarding rule.

    The request first arrives at the LAN interface, but shouldn't the LAN interface pass the request to WAN? (just like any other website you go to, those requests get passed to WAN and to the ISP) So the WAN should also get the request. Is this not true?



  • @cpthk:

    The request first arrives at the LAN interface, but shouldn't the LAN interface pass the request to WAN? (just like any other website you go to, those requests get passed to WAN and to the ISP) So the WAN should also get the request. Is this not true?

    What request?
    1. Suppose an access to the IP address of the DMZ server. That will go out the DMZ interface.
    2. Suppose an access to the IP address of the hardware interface that is the pfSense WAN interface. That addresses the pfSense box itself so goes no further - it does not go out the WAN interface in the hope that the upstream router will loop it back and hence it is not received (seen by the receive input) by the hardware interface that is the pfSense WAN interface.

    Does that answer the question?
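
A toy model of the behaviour discussed in this thread, added here as an example (it is not from any post and is not pfSense code): a forward rule bound to one interface, optional reflection, and optional source translation. All addresses, names and the /24 same-subnet check are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed documentation/private addresses, not taken from the thread.
WAN_IP, FW_LAN_IP = "203.0.113.10", "192.168.1.1"
SERVER, LAN_CLIENT, EXT_CLIENT = "192.168.1.50", "192.168.1.20", "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Forward:
    iface: str   # interface the port forward is bound to
    dst: str
    dport: int
    target: str

def translate(pkt, rules, reflect=False, snat=False):
    """Return the packet as delivered to the target, or None if no rule matched."""
    for r in rules:
        on_rule_iface = pkt.iface == r.iface
        if (on_rule_iface or reflect) and (pkt.dst, pkt.dport) == (r.dst, r.dport):
            src = FW_LAN_IP if (snat and not on_rule_iface) else pkt.src
            return Packet("out", src, r.target, pkt.dport)
    return None  # addressed to the firewall itself; nothing forwards it

def reply_matches(pkt, delivered):
    """True if the reply reaches the client from the address it connected to."""
    if delivered is None:
        return False
    same_subnet = delivered.src.rsplit(".", 1)[0] == delivered.dst.rsplit(".", 1)[0]
    via_firewall = delivered.src == FW_LAN_IP or not same_subnet
    return via_firewall  # a direct reply carries the server's IP, not pkt.dst

def works(pkt, rules, **kw):
    return reply_matches(pkt, translate(pkt, rules, **kw))

if __name__ == "__main__":
    rule = [Forward("wan", WAN_IP, 443, SERVER)]
    inside = Packet("lan", LAN_CLIENT, WAN_IP, 443)
    outside = Packet("wan", EXT_CLIENT, WAN_IP, 443)
    print("outside client:            ", works(outside, rule))
    print("inside, no reflection:     ", works(inside, rule))
    print("inside, reflection only:   ", works(inside, rule, reflect=True))
    print("inside, reflection + SNAT: ", works(inside, rule, reflect=True, snat=True))
```

In this model a rule bound to the wrong interface still passes the inside test with reflection and source translation enabled while failing for the outside client, which is why the inside result says nothing about exterior traffic.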

