I'm sure I'm being a dummy here….



  • I have a couple of security cameras on my LAN which connect wirelessly and are accessed with no problems within the LAN.  I want to NAT these two IP addresses w/ports out so that we can view them while out of town.  I followed (or so I think) the instructions for doing so.  When I turn on "NAT Reflection", I am able to hit the public IP address of our pfSense machine and the NAT'd port and view the camera.  With reflection turned off, and hitting the public IP from an outside internet connection, the connection simply times out.  The Firewall log shows that it is passing the traffic.  Here are some facts:

    IP address and port of sec camera:  192.168.4.30:75

    Made-up public ip address and port of the WAN port on the pfSense machine: 1.2.3.4:8080 (obviously, that is not literal)

    Screen shot of the NAT rule:

    k, what the heck am I missing here?

    Many thanks folks in advance.


  • Rebel Alliance Global Moderator

    And did you let nat autocreate your firewall rule for you?  Just because you have a nat, does not mean the firewall allows the traffic.



  • @johnpoz:

    And did you let nat autocreate your firewall rule for you?  Just because you have a nat, does not mean the firewall allows the traffic.

    Yessiree Bobski!  I sure did.


  • Rebel Alliance Global Moderator

    and what does your firewall rule show?  Since your changing the port on the nat.

    I just did a test, so I setup rdp port 3389, but changed it to 8933 to send to my private ip.. What is wrong with the firewall rule? ;)

    IPv4 TCP * * 192.168.1.14 8933 * none   NAT

    How is 3389 going to get in to be natted to 8933??

    Your firewall rule is most likely allowing 75 in your example, but your trying to access 8080 which is not allowed.



  • Here is the NAT rule:
    If       Proto  Src. addr  Src. ports Dest. addr      Dest. ports NAT IP         NAT Ports
    WAN TCP    *         *               WAN address 75               192.168.4.31 8080

    Here is the firewall rule as generated by pfSense:
    Proto Source Port Destination Port  Gateway  Queue
    TCP         *         * 192.168.4.31 8080 *                 none

    This setup fails, with the browser simply timing out on the connection.

    Here is the camera setup – internal ip address of 192.168.4.31 -- its http port is 75.
    I'd like to be able to type in the WAN ip address of my pfSense router and append :8080 to it and be able to hit the camera.

    Like I said, I'm sure I'm being a dummy here :P


  • Rebel Alliance Global Moderator

    In that rule your sending 75 to 8080

    Is that what you want?  In your first post you said camera was listening on 75

    "IP address and port of sec camera:  192.168.4.30:75"

    Or do you want 8080 sent to 75??

    Also keep in mind its quite possible 75 is blocked by your isp, or even 8080 could be blocked as well..

    But looks like to me you reversed what your wanting to do.

    I could do a simple test to verify, but you might have to allow both ports on the firewall rule as well.



  • I changed the NAT rule so that I should be able to type in [theWANipaddress]:8080.  Basically, I simply reversed the ports in the NAT rule (per your advice), but still no luck.


  • Rebel Alliance Global Moderator

    And what does the firewall say?

    And are you sure your isp does not block 8080?  That is a common proxy port that many isp might block.  And your 100% sure your not behind a double nat??  your pfsense has a public IP?  I see it ALL THE TIME!!!  Why wont my port forward work, its because your behind a NAT on the device your trying to forward it on.. So traffic is NEVER seen to be forwarded.



  • Well I'm sure I'm being a dummy, but not quite THAT big a dummy, lol  ;)

    Yes, my pfSense DOES have a public IP address.  It's a machine I use to run a sizeable portion of our WISP, so of that I am quite, quite sure.

    OK, I tried a couple of things.  First of all, I reconfigured the camera to report on port 80, the standard http port (as you of course know).  Then I decided to NAT port 2468 to 80 in deference to the admittedly common proxy port being potentially blocked by sbcglobal or comcast ( I am connecting a workstation through the former and my service provider is the latter).  Here is a screen cap of what the firewall says:


Locked