1:1 NAT on pfSense 2.0.1



  • Greetings,

    I am trying to make a dead simple 1:1 NAT from one WAN address to an internal server. I was assigned the x.x.x.152/29 address for my WAN from my ISP, and designated the IP x.x.x.154 for pfSense while x.x.x.153 is its gateway. I can use pfSense as gateway for internet just fine. Now I want to open my web server to the world. I first created a virtual IP x.x.x.155/29 on the WAN interface as an IP alias, then a 1:1 NAT pointing x.x.x.155 to 10.0.0.215, which is my web server, and finally created a respective firewall rule on the WAN interface allowing traffic from WAN to 10.0.0.215 on port 80. The same as on http://www.youtube.com/watch?v=5lMRA1ntgz8

    Is that all? Have I missed something? With this setup x.x.x.155 opens up the pfSense login screen and not my web server. Can anybody help me track what's wrong?

    Thanks and best regards.


  • Netgate Administrator

    @mmerlone:

    finally created a respective firewall rule on the WAN interface allowing traffic from WAN to 10.0.0.215 on port 80.

    This sounds potentially incorrect. The firewall rule should allow traffic from source 'any', not from WAN.
    To resolve this as quickly as possible, please post screenshots of your port forward rule and linked firewall rule.

    Steve

    Edit: Ah, I forgot to say: where are you testing this from? You can't test port forwards from the LAN side.



  • @stephenw10:

    This sounds potentially incorrect. The firewall rule should allow traffic from source 'any', not from WAN.

    I meant the 'WAN' tab, sorry.

    @stephenw10:

    To resolve this as quickly as possible, please post screenshots of your port forward rule and linked firewall rule.

    There is no port forward rule; as per the docs, a 1:1 NAT would dismiss the need for a port forward, since it forwards ALL ports. Screenshots below.
    Translation: GVT5FIBRA => WAN









  • Netgate Administrator

    @mmerlone:

    There is no port forward rule; as per the docs, a 1:1 NAT would dismiss the need for a port forward, since it forwards ALL ports.

    Indeed, my poor phrasing.  ::)

    That all looks good. You didn't say where you are testing from though. It won't work from LAN unless you have enabled NAT reflection and even then it's not a good test.
    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    Steve



  • @stephenw10:

    That all looks good. You didn't say where you are testing from though. It won't work from LAN unless you have enabled NAT reflection and even then it's not a good test.
    http://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

    I enabled NAT reflection so I could try from the inside, but also tested on my phone using a data connection - not Wi-Fi - and ... and ... at first (and second) it did not work, now it is working. Wtf?!
    So, now it works from outside, but NAT reflection is not working, still opening the pfSense login page. NAT reflection is something I can live without, no big deal.

    Thanks for your time.


  • Netgate Administrator

    Hmm, well, it looks like NAT reflection should work with 1:1 NAT in 2.0.1.
    With significant config changes you often have to clear the state table to remove anything generated by the previous config.
    Diagnostics: States: Reset States

    Steve



  • Dear Steve,

    I was also facing this same issue on my WAN network.
    Following your solution of enabling NAT reflection, I no longer got the pfSense admin login page, but my web page was still not shown.
    But by checking the option below, I am able to view my required web pages.

    "Automatically create outbound NAT rules which assist inbound NAT rules that direct traffic back out to the same subnet it originated from"

    Thanks a lot for your solution.

