Netgate Discussion Forum

    New to pfsense

    General pfSense Questions
    26 Posts 5 Posters 6.4k Views
      tbarlow

      Hi

      I am new to pfSense and so far I really like it, but I do have a small little prob and I hope someone can help me out with it. If this is the wrong area for this, please let me know and I'll move it to the right area. Anyway, here is my prob: I have 5 static IP addresses and, as far as that goes, it seems to be working OK. I have all my port forwarders set up under NAT and got them going to all the right places, well it seems to be anyway, which is where the prob comes in. I run a TeamSpeak server, for example, on one of my IPs; say it's on a domain (IP) and port as follows
      mydomain.com or mydomain:9987
      my main TS server will work eather way with or with out the Port but the sec one is
      mydomain.com:2409

      Anyway, the prob is when someone comes in from the outside to mydomain.com:9987 they come in with no prob, works fine, but if I try from internal (local) with the same address mydomain.com or mydomain.com:9987, or even with the outside IP address, it fails. But if I use the internal IP (local IP) it will let me in with no prob, and it didn't do this until I changed to pfSense, so what do I have set up wrong? How can I fix this so I can access my internal stuff like I used to? I hope this is clear and I hope you guys understand what I am trying to do. Thanks

      Sincerely
      tbarlow

        stephenw10 (Netgate Administrator)

        You probably need to enable NAT reflection. See:
        http://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

        Steve

          tbarlow

          OK, I'll try that. I'm now using the 1:1 tab; I'm using the Firewall: NAT: Port Forward tab, but I'll check it out. Thanks

          tbarlow

            tbarlow

            I did option 1 and it still doesn't work, so I'll keep working on it. Thanks for the info

            tbarlow

              tim.mcmanus

              If you have an internal DNS server you can map the DNS name to the local IP there. I use an internal DNS server and create internal IP addresses for external DNS names. For example, if I have a host that is blah.example.com and it maps to 100.234.123.1 as a public IP, I'll create an internal address for the same domain name to 10.0.1.2 if that's where it exists on my LAN. So internally blah.example.com maps to 10.0.1.2 via my internal DNS.

              NAT reflection is a great thing, but I prefer to map internal IPs with an internal DNS server.

                tbarlow

                OK, well the weird thing is the prob seems more with ports, not the domains or IPs. I can't even access my main IP internally on ports, and it's only some ports, like port 80, port 25, port 110, that seem to work, but ports like, say, 9987 or 2409 don't internally. And if I try to, say, access my TS server with the outside IP it doesn't work, but if I use the inside IP it does. It's really weird :(

                tbarlow

                  stephenw10 (Netgate Administrator)

                  Firstly, try resetting the firewall states (Diagnostics: States: Reset) or rebooting the box. You may have some remaining states that are bypassing reflection.

                  Try option 2, split DNS, which is what tim is suggesting.

                  Are the port forwards changing the ports? Is the TS server responding on port 9987 internally and externally?

                  @tbarlow:

                  if I try to say access my TS server with the out side IP it don't work but if I use the inside ip it does its really weird :(

                  This is exactly what I would expect to happen when NAT reflection is not enabled. You try to open a connection from an internal machine to your WAN address. The WAN address is not on your local subnet, so the machine sends it to its gateway, the pfSense box. The pfSense box sees the destination is the WAN address and routes it accordingly to the WAN interface. It cannot then route it back as well. With NAT reflection enabled, pfSense checks its port forwards to see if your connection matches and then routes it accordingly to the correct internal machine instead of the WAN address.

                  Steve

                    tbarlow

                    @stephenw10:

                    Firstly, try resetting the firewall states (Diagnostics: States: Reset) or rebooting the box. You may have some remaining states that are bypassing reflection.

                    Try option 2, split DNS, which is what tim is suggesting.

                    Are the port forwards changing the ports? Is the TS server responding on port 9987 internally and externally?

                    @tbarlow:

                    if I try to say access my TS server with the out side IP it don't work but if I use the inside ip it does its really weird :(

                    This is exactly what I would expect to happen when NAT reflection is not enabled. You try to open a connection from an internal machine to your WAN address. The WAN address is not on your local subnet, so the machine sends it to its gateway, the pfSense box. The pfSense box sees the destination is the WAN address and routes it accordingly to the WAN interface. It cannot then route it back as well. With NAT reflection enabled, pfSense checks its port forwards to see if your connection matches and then routes it accordingly to the correct internal machine instead of the WAN address.

                    Steve

                    Hi Steve

                    The info below is unchecked, so NAT Reflection is enabled. I thought that as well :( but I will try what else you said and reset my firewall status, and I have rebooted my router many times.

                    Disable NAT Reflection for port forwards  Disables the automatic creation of additional NAT redirect rules for access to port forwards on your external IP addresses from within your internal networks. Note: Reflection for port forward entries is skipped for ranges larger than 500 ports.

                    Sincerely
                    tbarlow

                      tbarlow

                      @stephenw10:


                      Hi Steve. Still no go; I tried what you said but it's still not working. These ports just don't want to work. What else can I try?

                      tbarlow

                        stephenw10 (Netgate Administrator)

                        Try option 2: split DNS.

                        If you're using the pfSense DNS forwarder (you will be unless you've deliberately chosen not to), go to Services: DNS Forwarder and add a domain override, for example mydomain.com, pointing at your internal server.

                        Steve

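As an added diagnostic (not code from this thread or from pfSense) that encodes Steve's reasoning above about reflection and his split DNS suggestion: run from a LAN client, it separates the service being unreachable even by its LAN IP, the LAN IP working while the WAN IP fails (reflection not taking effect for that forward), and the name already resolving to the internal address (split DNS in place). The 192.0.2.1 address and the stub listener are constructed stand-ins.

```python
import socket
import threading


def start_stub_server(bind_ip="127.0.0.1", port=0):
    """Throwaway TCP listener standing in for the TS server; returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                srv.accept()[0].close()
            except OSError:
                break

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def tcp_reachable(host, port, timeout=1.5):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(internal_ip, external_ip, port, hostname=None, timeout=1.5):
    """Run the three checks from a LAN client and classify the result."""
    result = {
        "internal_ok": tcp_reachable(internal_ip, port, timeout),
        "external_ok": tcp_reachable(external_ip, port, timeout),
        "resolved_ip": None,
    }
    if hostname:
        try:
            result["resolved_ip"] = socket.gethostbyname(hostname)
        except socket.gaierror:
            pass
    if not result["internal_ok"]:
        # Fails even by LAN address: look at the service or host firewall, not reflection.
        result["verdict"] = "server-unreachable"
    elif result["external_ok"]:
        result["verdict"] = "reflection-working"
    elif hostname and result["resolved_ip"] == internal_ip:
        # The name already resolves inside: split DNS covers clients that use the name.
        result["verdict"] = "split-dns-working"
    else:
        result["verdict"] = "reflection-missing"
    return result


if __name__ == "__main__":
    # Constructed self-check: 192.0.2.1 (TEST-NET) stands in for the WAN address.
    p = start_stub_server()
    print(diagnose("127.0.0.1", "192.0.2.1", p, hostname="localhost"))
```

A real run replaces 127.0.0.1 with the server's LAN IP, 192.0.2.1 with the WAN IP and 9987 with the forwarded port; a client that only knows the IP (meluvalli's case) cannot benefit from the split DNS verdict.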
                          wallabybob

                          @tbarlow:

                          Still no go I tried what U said but its still not working these ports just don't want to work what else can I try?

                          Does the server need to be configured to allow connections from the Internet?

                            meluvalli

                            I have noticed the same issues…

                            Here is what I have...

                            I have a server with a program that ONLY works with IP addresses (can't use DNS). The program is set up to point to one of my outside IP addresses. It works from outside the network, but if I am internal, it doesn't work.

                            I have "Disable NAT Reflection for port forwards" unchecked as per the document.  Internal DNS won't help my situation because it requires access by IP Address (not DNS).  It appears that "Disable NAT Reflection for port forwards" unchecked fixes all my HTTP, HTTPS, POP3, SMTP, and DNS issues internally, but doesn't fix the issue on odd ports like 9987 used in this example.

                            To reproduce the problem, you can set up either a Telnet, FTP, or HTTP server on port 9987 internally and try to access it with your internal IP and it won't work. Firewall logs show nothing coming in that is being blocked. So, I am looking for a temporary workaround that I could use to resolve this.

                            Does anyone have any suggestions?

                            Thanks!

                              tbarlow

                              @meluvalli:


                              Same prob here :)

                                tim.mcmanus

                                Please post screenshots of your firewall rules.

                                Have you tried connecting to the internal machine with its internal IP address?  If you can access your resources internally with their IP addresses, don't beat yourself up if NAT Reflection isn't working properly.  I run internal DNS and don't use NAT Reflection because some of the systems I use and how I use them work more efficiently with internal DNS.

                                  meluvalli

                                  Hi Tim.

                                  Unfortunately, using DNS will not work.  Once again, the program is hard coded in as an IP address.  I can't change this.  So, I need to figure out why just higher ports don't work with NAT reflection.  NAT reflection works great for lower ports such as HTTP (80), HTTPS (443), SMTP (25), POP3 (110), and FTP (21).  Just isn't working for higher ports.  This isn't a firewall issue.  This is a NAT Reflection glitch.  My question is, is there a way around this?

                                  Thanks

                                    stephenw10 (Netgate Administrator)

                                    @meluvalli:

                                    To re-produce the problem, you can setup either a Telnet, FTP, or HTTP on port 9987 internally and try to access it with your internal IP and it won't work.

                                    I think you must have left something out here, because I am absolutely confident that if I set up a web server on my internal network that runs on port 9987 and then tried to access it directly from the same network at http://192.168.1.34:9987 it would work.

                                    Presumably it's the client half of your program that can only use IPs directly?

                                    One thing that occurs to me is that the server program itself may be configured to always use an external gateway of some sort such that it is unable to route back to internal address.

                                    Steve

                                      meluvalli

                                      Hi Steve. Sorry, maybe I didn't make it real clear. I am using my external address to access it. So, with your same test, let's say your external IP address is 60.54.1.23. From internal on another client, you would want to access http://60.54.1.23:9987 and it will fail.

                                      Also note, that it works fine if you are outside your internal network.  This is why I am thinking it is not a firewall issue as it works from outside the network!

                                      Thank you.

                                        tim.mcmanus

                                        Forgive me for not completely understanding, but you have a server that lives on your internal network with a local (internal) IP address.  And you have clients that access that server with a hard-coded IP address and port using an external IP address.  And you cannot change the IP address of these clients or any other networking information?  Seems odd that in this day and age people would set something up like that, but that's IMHO.

                                        If you want to host a Teamspeak server internally and make it accessible from internal and external IP addresses, I can help you with that.  I've done that countless times, and I authored the "How To" post in the forums for Mac users.

                                          stephenw10 (Netgate Administrator)

                                          Ah, OK.
                                          I agree with Tim that not being able to use a URL instead of an IP seems quite archaic.  ;)
                                          You could set up a manual port forward for that on the LAN interface. I don't know why NAT reflection wouldn't take care of that for you, though. You can specifically disable it for each port forward; I assume you haven't done that?

                                          Steve

                                          Attachment: internal_redirection_test.jpg

                                            meluvalli

                                            @stephenw10:

                                            Ah, OK.
                                            I agree with Tim that not being able to use a URL instead of an IP seems quite archaic.  ;)
                                            You could set up a manual port forward for that on the LAN interface. I don't know why NAT reflection wouldn't take care of that for you, though. You can specifically disable it for each port forward; I assume you haven't done that?

                                            Steve

                                            No.  I haven't done that.

                                            As far as creating a forward on the LAN side, I have tried putting in the NAT Port Forward rule as you show in your example. This also didn't solve the problem :( I even tried setting "NAT Reflection" in the rule to "enable" and still nothing :( Any other recommendations? By looking at that, it really seems like it would work :(

                                            Thanks for all your help!

                                            Attachment: Example.png
