Simple NAT port forwarding problem - Please help

  • I'm trying to get pfsense to forward TCP over port 80 from my modem to my reverse proxy behind it.

    Without pfsense - everything works great - the backend servers can be accessed via the public IP/domain.

    But I'm not able to resolve the public IP/domain with pfsense in the network as positioned below:
    The reverse proxy and webserver logs show no access.

    –- webserver (192.168.160)
    modem ( --- mac os x (host --- ( WAN) pfsense (LAN --- reverse proxy ( mailserver (192.168.161)
                                                                                                                                                                                                --- dbserver    (192.168.162)

    I've setup a NAT port-forwarding rule (below) and it created an auto-generated firewall rule (not below).

    If   Proto Src. addr Src. ports Dest. addr Dest. ports NAT IP       NAT Ports
    WAN   TCP *         *           WAN address  80 (HTTP)  80 (HTTP)

    I've setup logging of the firewall rule and traffic is shown to pass:

    Aug 28 21:07:45 WAN TCP:S

    If I delete the NAT and firewall rules, then the firewall log shows traffic from the public IP to reverse proxy on port 80 is blocked.

    What rules/settings am I missing to pass traffic to the reverse proxy?

    Pfsense is in a vm as are all backend servers, hosted in the mac.
    But other than having to play with network adapters in virtualbox, this hasn't created any issues that would seem to affect my problem posted here.
    (If you're wondering why I'm using vms or why pfsense isn't between modem and mac - the answer is I'm 'resource constrained'.)

  • This is a networking 101 problem. Traffic will not pass over a router if the traffic is destined on the same interface. If you want it to work this way, you are going to have to setup a bridge. Just so that it is clear. Traffic on will remain on the WAN side for traffic originating from that side and traffic on the will remain on LAN side for traffic originating from the LAN side. There is no reason to pass the traffic on as the resource should be on the vswitch.

    The other way besides a bridge is to change one of the networks to (or something) so that pfsense (or any firewall) can actually route the traffic.

  • Thanks podilarius,

    If I understand you correctly… if I change my reverse proxy and backend servers to be in or something other than, and adjust my NAT rule (which should update the firewall rule), traffic should pass through and the public IP will resolve?

    Originally I tried to bridge the WAN and LAN and assign to OPT1 as per a howto post on making a transparent firewall with pfsense, but as I was still learning which virtualbox network adapters to use, I ended up putting bridging aside.

    I may give it another try now, but I'm curious which is best for my network? It would seem NATing gives flexibility to make pfsense handle load-balancing etc (which my reverse proxy is currently setup to do), but would bridging allow faster networking?

    As I'm a nub at networking... can you recommend any online reading/vids that could get me up to speed on networking basics/fundamentals?

    Thanks again

  • I don't have anything specific. I learned some from a college class and the rest from trial and error and looking it up on the internet and books. try googleing networking fundamentals.

    As far as what you want, bridge is the only way to keep the same IPs. Otherwise you need to NAT (which looks like a double NAT in your case) or … I guess you could also route ... hmmm ... that would require that you have access to your modem in such a way as to add a static route. As in route all to That would be the fastest method IMO. If you don't have that kind of access, then you are going to NAT with either a 1:1 NAT or a port forward NAT.

    And yes, you have to have 2 separate subnets so that you can route between them using a router or firewall.

  • Thanks again!

    While sleepily changing IPs on the reverse proxy, I realised this would mean having to change how I ssh to the vms behind pfsense from the mac host, which is, and I'd also have to change IPs of the vms network adapters.
    I'll have to forgo the flexibility and security of nating and try bridging WAN and LAN again.
    Hopefully I can get it going now that I have network adapters currently working.

Log in to reply