1:1 NAT not allowing incomming connections



  • I have a pfsense setup with a WAN, LAN and DMZ.

    The WAN has many public IP's. So I setup 5 to do 1 to 1 nat to the DMZ and it works as far as outbound/nat as if I go to whatismyip.com from a pc in the dmz it shows the correct ip, however inbound does not seem to be open?

    I set a rule to allow all traffic from WAN to Public IP assigned to the DMZ yet if I do a port scan or something they show as closed.

    I want any traffic sent to these 5 IP's that go to the DMZ to be allowed. The DMZ will have its own firewall put in place that the user will control what he wants open or not but I cant get it to allow things inbound to him even with my rule setup.

    What am I doing wrong? I got it set Source any on the WAN interface, destination Public IP assigned to first ip on DMZ that is set in 1 to 1 and I would think that should allow anything to go to the device but no…



  • You need to use the private address of the device, not the public IP it is 1-1 translated to.



  • I have a rule also set for WAN interface, source any - destination DMZ Subnet so that should cover the local ones, but its still no go.



  • Sounds like your NAT configuration is definitely fine.

    First, enable logging on your WAN pass rules. Then try to access those servers from a host on the Internet (it won't work from inside your network).

    Then check your firewall logs.



  • Thats the odd part, nothing shows in the loggs… So I assume it passes it and the log does not show passes?

    Also, no dropps or errors on any interfaces...

    Any other suggestions? I am about to reload the box because after I updated it yesterday to the latest snapshot it has started doing random reboots/crashes but if still does not work I dont know what else to do. I need this very bad. :(



  • If you have logging enabled for the rule, and nothing is being logged, then the rule isn't being hit.



  • You know what, I am an stupid. I just remembered I did not tell the spacific rule itself to log, I just had logs in general on… Dohh... Anyway I am in the process of rebuilding it now due to crashing for some odd reason after the 11/6 snapshot was put on.

    When I am done I will remake the rules and what not from scratch and maybe it will work now, I dont know... :)

    If not I will post back with my findings as I only have one more day to get this thing working. :(

    If anyone else can think of anything please let me know,

    But am I correct in assuming that making the rules like I did it should just pass all traffic going to the 5 public IPs to the 5 local on the DMZ and it will be upto the hosts/devices to firewall? That is what I am after. I know I can do individual ports but I just want EVERYTHING allowed on these 5...

    UPDATE Guess I am dead right now... The 11/6 snapshot is broke it seems or at least for me... Posted my problem in install/upgrades... I keep getting random reboots. So cant finish playing with this until that system stays up. :)


Log in to reply