Can't get multi-network NAT port forwarding to work

  • I have a small network behind a pfSense (2.0) box, installed on a VMware ESXi 5.5 host. Up until yesterday I had only one internal network,, and everything worked quite nicely. Now, however, I want to introduce another net,, which will be used for services exposed to the internet. I've set up an additional interface (called OPT1DMZ), and a server on this net. I have also added a NAT rule to forward ssh (port 22) on the WAN interface to the server I set up.

    Sadly, this was not enough to just work. If I try to ssh to my external address, I get a timeout. I've run tcpdump on both the OPT1DMZ interface on the pfSense box, and the interface on the server. I can see that traffic arrives properly to the server, but I don't see the server responding with any outbound traffic.

    Initially I thought I was missing some firewall rule to allow outbound from OPT1DMZ, but that doesn't seem to matter - I even added a pass-all-to-everywhere rule with logging turned on, but it doesn't turn up anything in the logs.

    I'm uncertain where to continue looking. If I try to ping anything not on the 172.16.10-net I just get 100% packet loss (i.e., not Destination not reachable). My routing table on the server looks like this:

    # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface         UG    2      0        0 enp2s0         UG    3      0        0 enp2s1       UG    0      0        0 lo   U     0      0        0 enp2s1   U     2      0        0 enp2s0

    That is, enp2s0 is connected to the "first" net as well, for administrative access. Can that be the issue?

  • Update, I did an ifconfig enp2s0 down, and now it is possible to set up an ssh connection. My guess is that it is due to the enp2s0 interface having a lower metric for, it will try to send the reply that way. Is this correct? What can I do to remedy this?
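The behaviour described in the update is what a multi-homed Linux host does by default: the kernel picks a route by destination address only, so a reply sent from the DMZ address to an internet client still leaves through whichever default route has the lowest metric (here enp2s0), never through enp2s1, which is why tcpdump on enp2s1 shows nothing outbound. The usual remedy is source-based policy routing: a second routing table for the DMZ interface and an ip rule that sends traffic sourced from the DMZ address to that table. The following is an added illustration, not code from the poster or from pfSense; the addresses, gateways and table number are constructed because the extracted post lost them, and the routes/metrics mirror the shape of the poster's route -n output.

```python
import ipaddress

# Constructed sample addressing (the post's real addresses were stripped in extraction).
LAN_IF, DMZ_IF = "enp2s0", "enp2s1"
LAN_IP, DMZ_IP = "192.168.1.10", "172.16.10.10"
LAN_GW, DMZ_GW = "192.168.1.1", "172.16.10.1"
DMZ_TABLE_ID = 100  # arbitrary table number for the DMZ policy table

# Main table, modelled on the poster's route -n: two default routes, enp2s0 with
# the lower metric, plus the two connected networks. Entries: (prefix, gateway, metric, iface).
MAIN_TABLE = [
    ("0.0.0.0/0", LAN_GW, 2, LAN_IF),
    ("0.0.0.0/0", DMZ_GW, 3, DMZ_IF),
    ("192.168.1.0/24", None, 2, LAN_IF),
    ("172.16.10.0/24", None, 0, DMZ_IF),
]

# Per-interface table for the DMZ: its own connected route and its own default route.
DMZ_TABLE = [
    ("172.16.10.0/24", None, 0, DMZ_IF),
    ("0.0.0.0/0", DMZ_GW, 0, DMZ_IF),
]


def lookup(table, dst):
    """Linux FIB selection within one table: longest prefix match, then lowest metric.
    Returns (gateway, iface) or None if no entry covers dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, metric, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -metric)  # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def route(dst, src, rules=()):
    """Policy routing: rules are (source_prefix, table) in priority order and are
    consulted first; a rule whose table has no matching route falls through.
    The main table is always the final fallback. With rules=() this is the
    destination-only behaviour the poster observed."""
    src_addr = ipaddress.ip_address(src)
    for src_prefix, table in rules:
        if src_addr in ipaddress.ip_network(src_prefix):
            hit = lookup(table, dst)
            if hit is not None:
                return hit
    return lookup(MAIN_TABLE, dst)


# The rule that implements the remedy: traffic sourced from the DMZ address uses DMZ_TABLE.
POLICY_RULES = [(DMZ_IP + "/32", DMZ_TABLE)]


def policy_commands():
    """The iproute2 commands equivalent to POLICY_RULES/DMZ_TABLE for the constructed
    addresses (standard ip-route/ip-rule syntax; run as root on the server)."""
    return [
        f"ip route add 172.16.10.0/24 dev {DMZ_IF} table {DMZ_TABLE_ID}",
        f"ip route add default via {DMZ_GW} dev {DMZ_IF} table {DMZ_TABLE_ID}",
        f"ip rule add from {DMZ_IP}/32 lookup {DMZ_TABLE_ID}",
    ]


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed internet client behind the WAN
    print("reply from DMZ address, no policy routing:", route(client, DMZ_IP))
    print("reply from DMZ address, with policy routing:", route(client, DMZ_IP, POLICY_RULES))
    print("reply from LAN address, with policy routing:", route(client, LAN_IP, POLICY_RULES))
    print("\n".join(policy_commands()))
```

Without the rule, a reply from the DMZ address is handed to the enp2s0 gateway; with it, replies from the DMZ address go back out enp2s1 to the OPT1DMZ gateway while the LAN address keeps its existing path, so both interfaces can stay up for administrative access.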
