Netgate Discussion Forum
    Issues with NAT 1:1 or Port Forward

    NAT
    8 Posts 2 Posters 2.5k Views
      gumbadio

      I recently set up pfsense to test whether our ASA had some hardware issues. Basic internal setup was fine; everything inside gets DHCP and internet access. I only added one firewall rule to allow external ping on the WAN address for some testing of connectivity.

      We use Comcast Business so I set my WAN to XXX.XXX.XXX.161/29 with Gateway of XXX.XXX.XXX.166
      I added a VirtualIP of XXX.XXX.XXX.162/32 as an IP Alias.
      I currently have it set as a port forward; the only options touched were Destination (used the dropdown for the VIP I created, .162), Destination port HTTP, and Redirect target IP and port 192.168.13.10 and 80.
      pfsense auto-created a rule for it with settings of PASS/WAN/TCP/Source=any/Destination=192.168.13.10/Port=80. I went in afterwards and selected the log checkbox.

      If I run a tcpdump on my wan interface I do see that the requests get there from my phone on an external IP.  I don't see anything in filter.log related to my .162 VIP.

      What would be my next step in troubleshooting this, do you think?

      Thanks for any help.

      edit: I also had some issues when using 1:1, where my settings were
      WAN/xxx.xxx.xxx.162/Internal IP=192.168.13.10/Destination=any

      edit2: Also changed my VIP to have the same CIDR as WAN, /29. No effect.

      edit3:

      
      tcpdump output
      [2.0.1-RELEASE][root@pfsense.carousel]/root(2): tcpdump -i em0 -n dst port 80 and dst host xxx.xxx.xxx.162
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
      11:58:59.511166 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [S], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
      11:59:02.511230 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [S], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
      11:59:08.511252 IP 174.238.204.20.60714 > xxx.xxx.xxx.80: Flags [S], seq 4192248742, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0
      
      [2.0.1-RELEASE][root@pfsense.carousel]/root(4): tcpdump -i em1 -n dst port 80 and dst host 192.168.13.10
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on em1, link-type EN10MB (Ethernet), capture size 96 bytes
      
      So the traffic gets to the WAN interface but doesn't get NAT'd through, it seems.
      
      VIP screenshot attached (VIP.png)
      
        gumbadio

        Rules screenshot attached (Rules.png)

          gumbadio

          NAT screenshot attached (NAT.png)

            gumbadio

            [2.0.1-RELEASE][root@pfsense.carousel]/root(5): pfctl -s nat
            no nat proto carp all
            nat-anchor "natearly/*" all
            nat-anchor "natrules/*" all
            nat on em0 inet from 192.168.8.0/21 port = isakmp to any port = isakmp -> xxx.xxx.xxx.161 port 500
            nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> xxx.xxx.xxx.161 port 500
            nat on em0 inet from 192.168.8.0/21 to any -> xxx.xxx.xxx.161 port 1024:65535
            nat on em0 inet from 127.0.0.0/8 to any -> xxx.xxx.xxx.161 port 1024:65535
            no rdr proto carp all
            rdr-anchor "relayd/*" all
            rdr-anchor "tftp-proxy/*" all
            rdr on em0 inet proto tcp from any to xxx.xxx.xxx.162 port = http -> 192.168.13.10
            rdr-anchor "miniupnpd" all
            
              cmb

              Your rules are fine. Add a -e to the tcpdump to ensure the dest MAC address is correct. Then go through the other items:
              http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                gumbadio

                Thanks. I had to take it out of active use until I resolve the NAT, so I will put it back in place and test with that the next morning I can get in before the rest of the office and swap them out.

                  cmb

                  If you're swapping boxes in and out, you're likely having problems because of a stale upstream ARP cache; that'll have to be cleared.

                    gumbadio
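The two checks cmb suggests above (confirm with `tcpdump -e` that frames on WAN really carry this box's MAC, and confirm the `pfctl -s nat` rdr rule actually covers the observed packet) can be run offline over captured output. The script below is an added example, not code from the thread or from pfSense; the MAC addresses, the 203.0.113.0/24 block (RFC 5737 documentation range) and the three capture lines are constructed. It encodes the reasoning behind the stale-ARP diagnosis: tcpdump puts the interface in promiscuous mode, so it shows frames the upstream gateway still addresses to the old ASA's MAC, but the kernel discards those before pf ever evaluates them, which produces exactly the "seen on WAN, nothing in filter.log, nothing on LAN" symptom.

```python
import ipaddress
import re

# Constructed sample data (assumed, not from the thread). WAN_MAC is the
# assumed MAC of pfSense's em0; the second frame is addressed to the assumed
# MAC of the ASA that was swapped out, i.e. a stale upstream ARP entry.
WAN_MAC = "00:aa:bb:cc:dd:ee"
SAMPLE_CAPTURE = """\
11:58:59.511166 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 174.238.204.20.60714 > 203.0.113.162.80: Flags [S], seq 4192248742, win 5840, options [mss 1460], length 0
11:59:02.511230 00:11:22:33:44:55 > 00:de:ad:be:ef:01, ethertype IPv4 (0x0800), length 74: 174.238.204.20.60715 > 203.0.113.162.80: Flags [S], seq 4192248743, win 5840, options [mss 1460], length 0
11:59:08.511252 00:11:22:33:44:55 > 00:aa:bb:cc:dd:ee, ethertype IPv4 (0x0800), length 74: 174.238.204.20.60716 > 203.0.113.162.443: Flags [S], seq 4192248744, win 5840, options [mss 1460], length 0
"""
# The rdr rule in the shape `pfctl -s nat` prints it (public address substituted).
SAMPLE_RDR = "rdr on em0 inet proto tcp from any to 203.0.113.162 port = http -> 192.168.13.10"

# One `tcpdump -e -n` line for an IPv4 TCP segment. Only TCP lines carry
# "Flags [...]", so anything else (ARP, UDP) is skipped by parse_frame.
FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]",
    re.IGNORECASE,
)
# A pf rdr rule as listed by `pfctl -s nat`; the trailing "port N" appears
# only when the redirect target port differs from the destination port.
RDR_RE = re.compile(
    r"^rdr(?: pass)? on (?P<iface>\S+) inet proto (?P<proto>\S+) "
    r"from (?P<src>\S+) to (?P<dst>\S+) port = (?P<port>\S+) -> (?P<target>\S+)"
    r"(?: port (?P<tport>\S+))?$"
)
# pf prints well-known ports by service name; this covers the ones in the thread.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "isakmp": 500}


def parse_frame(line):
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    f["smac"], f["dmac"] = f["smac"].lower(), f["dmac"].lower()
    return f


def parse_rdr(line):
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError("not an rdr rule: %r" % line)
    return m.groupdict()


def port_number(spec):
    return SERVICE_PORTS[spec] if spec in SERVICE_PORTS else int(spec)


def addr_in(spec, ip):
    # "any" matches everything; otherwise a host or CIDR as pf prints it.
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rdr_matches(rdr, frame):
    # Frames that reach here are TCP (FRAME_RE only accepts "Flags [...]").
    return (rdr["proto"] == "tcp"
            and addr_in(rdr["src"], frame["src"])
            and addr_in(rdr["dst"], frame["dst"])
            and port_number(rdr["port"]) == frame["dport"])


def diagnose(frame, rdr, wan_mac):
    """Classify one WAN frame: is it really addressed to this firewall, and
    would the rdr rule redirect it? Returns a dict the caller can check."""
    mac_ok = frame["dmac"] == wan_mac.lower()
    match = rdr_matches(rdr, frame)
    if not mac_ok:
        verdict = ("addressed to %s, not this box: stale upstream ARP entry, "
                   "dropped by the kernel before pf" % frame["dmac"])
    elif match:
        tport = port_number(rdr["tport"] or rdr["port"])
        verdict = ("rdr applies: expect %s.%d > %s.%d on the LAN capture"
                   % (frame["src"], frame["sport"], rdr["target"], tport))
    else:
        verdict = "reached this box but no rdr matches %s.%d" % (frame["dst"], frame["dport"])
    return {"mac_ok": mac_ok, "rdr_match": match, "verdict": verdict}


def run(capture=SAMPLE_CAPTURE, rdr_line=SAMPLE_RDR, wan_mac=WAN_MAC):
    rdr = parse_rdr(rdr_line)
    frames = [f for f in map(parse_frame, capture.splitlines()) if f]
    return [diagnose(f, rdr, wan_mac) for f in frames]


if __name__ == "__main__":
    for r in run():
        print(r["verdict"])
```

On the real firewall the inputs come from `tcpdump -e -n -i em0 dst host <VIP> and dst port 80` and from the `ether` line of `ifconfig em0`; paste those into `run()` in place of the constructed samples. A frame reported as addressed to another MAC will never show up in filter.log or on the LAN capture no matter how correct the rdr rule is, which is why the ARP entry on the upstream gateway has to expire or be cleared after swapping the ASA for pfSense.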

                    Looks like it may have been hardware related on the PC side.  Tested a different machine and it seems to be working properly now.
