Netgate Discussion Forum

    I'm sure I'm being a dummy here….

      islandwifibill

      I have a couple of security cameras on my LAN which connect wirelessly and are accessed with no problems within the LAN.  I want to NAT these two IP addresses w/ports out so that we can view them while out of town.  I followed (or so I think) the instructions for doing so.  When I turn on "NAT Reflection", I am able to hit the public IP address of our pfSense machine and the NAT'd port and view the camera.  With reflection turned off, and hitting the public IP from an outside internet connection, the connection simply times out.  The Firewall log shows that it is passing the traffic.  Here are some facts:

      IP address and port of sec camera:  192.168.4.30:75

      Made-up public ip address and port of the WAN port on the pfSense machine: 1.2.3.4:8080 (obviously, that is not literal)

      Screen shot of the NAT rule:

      k, what the heck am I missing here?

      Many thanks folks in advance.

        johnpoz LAYER 8 Global Moderator

        And did you let nat autocreate your firewall rule for you?  Just because you have a nat, does not mean the firewall allows the traffic.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          islandwifibill

          @johnpoz:

          And did you let nat autocreate your firewall rule for you?  Just because you have a nat, does not mean the firewall allows the traffic.

          Yessiree Bobski!  I sure did.

            johnpoz LAYER 8 Global Moderator

            And what does your firewall rule show?  Since you're changing the port on the NAT.

            I just did a test, so I set up RDP port 3389, but changed it to 8933 to send to my private IP. What is wrong with the firewall rule? ;)

            IPv4 TCP * * 192.168.1.14 8933 * none   NAT

            How is 3389 going to get in to be natted to 8933??

            Your firewall rule is most likely allowing 75 in your example, but you're trying to access 8080, which is not allowed.


              islandwifibill

              Here is the NAT rule:
              If   Proto  Src. addr  Src. ports  Dest. addr   Dest. ports  NAT IP        NAT Ports
              WAN  TCP    *          *           WAN address  75           192.168.4.31  8080

              Here is the firewall rule as generated by pfSense:
              Proto  Source  Port  Destination   Port  Gateway  Queue
              TCP    *       *     192.168.4.31  8080  *        none

              This setup fails, with the browser simply timing out on the connection.

              Here is the camera setup – internal ip address of 192.168.4.31 -- its http port is 75.
              I'd like to be able to type in the WAN ip address of my pfSense router and append :8080 to it and be able to hit the camera.

              Like I said, I'm sure I'm being a dummy here :P

                johnpoz LAYER 8 Global Moderator

                In that rule you're sending 75 to 8080

                Is that what you want?  In your first post you said camera was listening on 75

                "IP address and port of sec camera:  192.168.4.30:75"

                Or do you want 8080 sent to 75??

                Also keep in mind it's quite possible 75 is blocked by your ISP, or even 8080 could be blocked as well.

                But it looks to me like you reversed what you're wanting to do.

                I could do a simple test to verify, but you might have to allow both ports on the firewall rule as well.

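The reversed port forward discussed above, traced as an added example that is not part of the original thread. It assumes pfSense's order of operations, where the port forward rewrites the destination before the WAN filter rules are checked; the class and function names are hypothetical, and the addresses are the ones posted in the thread.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortForward:            # one row under Firewall > NAT > Port Forward
    dest_port: int            # "Dest. ports": port the outside client connects to
    nat_ip: str               # "NAT IP": internal host
    nat_port: int             # "NAT Ports": port the internal host listens on

@dataclass(frozen=True)
class PassRule:               # WAN filter rule linked to the port forward
    dest_ip: str
    dest_port: int

WAN_IP = "1.2.3.4"                # made-up public address, as in the thread
CAMERA = ("192.168.4.31", 75)     # camera's HTTP listener, as posted

def inbound(wan_port, forwards, rules, listeners):
    """Trace one TCP SYN arriving on WAN and return what happens to it."""
    dst = (WAN_IP, wan_port)
    # Step 1 (assumed order): the port forward rewrites the destination first.
    for f in forwards:
        if f.dest_port == wan_port:
            dst = (f.nat_ip, f.nat_port)
            break
    # Step 2: filter rules are evaluated against the rewritten destination.
    if not any((r.dest_ip, r.dest_port) == dst for r in rules):
        return "dropped by default deny (client times out)"
    # Step 3: the packet is delivered, but something must listen on that port.
    if dst not in listeners:
        return f"passed to {dst[0]}:{dst[1]} but nothing listens there"
    return f"connected to {dst[0]}:{dst[1]}"

def trace(forward, wan_port):
    # The generated rule in the thread targets the NAT IP and NAT port.
    rule = PassRule(forward.nat_ip, forward.nat_port)
    return inbound(wan_port, [forward], [rule], {CAMERA})

# Rule as posted (75 -> 8080) and as intended (8080 -> 75).
posted = PortForward(dest_port=75, nat_ip="192.168.4.31", nat_port=8080)
intended = PortForward(dest_port=8080, nat_ip="192.168.4.31", nat_port=75)

if __name__ == "__main__":
    for name, fwd in (("posted", posted), ("intended", intended)):
        for port in (8080, 75):
            print(f"{name:8} WAN:{port:<5} -> {trace(fwd, port)}")
```

With the intended rule only WAN port 8080 is exposed, and only toward the camera's port 75; every other inbound port still falls through to the default deny.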

                  islandwifibill

                  I changed the NAT rule so that I should be able to type in [theWANipaddress]:8080.  Basically, I simply reversed the ports in the NAT rule (per your advice), but still no luck.

                    johnpoz LAYER 8 Global Moderator

                    And what does the firewall say?

                    And are you sure your ISP does not block 8080?  That is a common proxy port that many ISPs might block.  And you're 100% sure you're not behind a double NAT??  Your pfSense has a public IP?  I see it ALL THE TIME!!!  Why won't my port forward work? It's because you're behind a NAT on the device you're trying to forward it on. So traffic is NEVER seen to be forwarded.


                      islandwifibill

                      Well I'm sure I'm being a dummy, but not quite THAT big a dummy, lol  ;)

                      Yes, my pfSense DOES have a public IP address.  It's a machine I use to run a sizeable portion of our WISP, so of that I am quite, quite sure.

                      OK, I tried a couple of things.  First of all, I reconfigured the camera to report on port 80, the standard HTTP port (as you of course know).  Then I decided to NAT port 2468 to 80 in deference to the admittedly common proxy port being potentially blocked by sbcglobal or comcast (I am connecting a workstation through the former and my service provider is the latter).  Here is a screen cap of what the firewall says:

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.