1:1 NAT not allowing incoming connections
I have a pfSense setup with a WAN, LAN and DMZ.
The WAN has many public IPs. So I set up 5 to do 1:1 NAT to the DMZ and it works as far as outbound/NAT goes: if I go to whatismyip.com from a PC in the DMZ it shows the correct IP. However, inbound does not seem to be open?
I set a rule to allow all traffic from WAN to the public IP assigned to the DMZ, yet if I do a port scan or something they show as closed.
I want any traffic sent to these 5 IPs that go to the DMZ to be allowed. The DMZ will have its own firewall put in place so the user can control what he wants open or not, but I can't get it to allow things inbound to him even with my rule set up.
What am I doing wrong? I have it set to source any on the WAN interface, destination the public IP assigned to the first IP on the DMZ that is set in 1:1, and I would think that should allow anything to go to the device, but no…
dotdash
You need to use the private address of the device, not the public IP it is 1-1 translated to.
I also have a rule set for the WAN interface, source any, destination DMZ subnet, so that should cover the local ones, but it's still no go.
Sounds like your NAT configuration is definitely fine.
First, enable logging on your WAN pass rules. Then try to access those servers from a host on the Internet (it won't work from inside your network).
Then check your firewall logs.
That's the odd part, nothing shows in the logs… So I assume it passes it and the log does not show passes?
Also, no drops or errors on any interfaces...
Any other suggestions? I am about to reload the box because after I updated it yesterday to the latest snapshot it has started doing random reboots/crashes, but if it still does not work I don't know what else to do. I need this very bad. :(
If you have logging enabled for the rule, and nothing is being logged, then the rule isn't being hit.
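The two points dotdash makes above (the WAN rule has to name the private address because 1:1 translation happens before filtering, and a pass rule only logs when its own log flag is set) can be seen in a small model of the packet flow. This is an added illustration for this thread, not pfSense or pf code; the addresses are constructed from documentation ranges, rules are first-match like pfSense's "quick" rules, and the separate logging of the default-deny rule is deliberately left out.

```python
"""
Model of how pf (the packet filter under pfSense) handles an inbound WAN
packet when a 1:1 (binat) mapping exists.  Added illustration, not pfSense
code.  Translation runs before the filter rules, so a WAN pass rule must
match the private address the packet carries AFTER translation.  A pass
rule writes a log entry only when its own "log" flag is set, which is why a
rule that is hit but not set to log leaves the firewall log empty.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 443


@dataclass
class Binat:
    """1:1 NAT entry: public address <-> private address."""
    public: str
    private: str


@dataclass
class Rule:
    """A pfSense-style 'quick' rule: first match wins."""
    iface: str
    action: str          # "pass" or "block"
    dst: str             # single address, CIDR network, or "any"
    log: bool = False    # the per-rule "Log packets" checkbox


@dataclass
class Firewall:
    binats: list
    rules: list
    log: list = field(default_factory=list)

    def _translate_inbound(self, pkt: Packet) -> Packet:
        """Rewrite the destination if it is a 1:1 mapped public address."""
        for m in self.binats:
            if pkt.dst == m.public:
                return Packet(pkt.src, m.private, pkt.proto, pkt.dport)
        return pkt

    @staticmethod
    def _dst_matches(rule: Rule, pkt: Packet) -> bool:
        if rule.dst == "any":
            return True
        return ip_address(pkt.dst) in ip_network(rule.dst, strict=False)

    def inbound(self, iface: str, pkt: Packet) -> str:
        pkt = self._translate_inbound(pkt)   # NAT first ...
        for rule in self.rules:              # ... then filter, first match wins
            if rule.iface == iface and self._dst_matches(rule, pkt):
                if rule.log:
                    self.log.append(
                        f"{rule.action} {iface} {pkt.src} -> "
                        f"{pkt.dst}:{pkt.dport}/{pkt.proto}")
                return rule.action
        return "block"   # implicit default deny; its own logging not modelled


# Constructed values: one mapped DMZ host and one probe from the Internet.
PUBLIC, PRIVATE = "203.0.113.10", "10.10.10.10"
MAPPING = [Binat(PUBLIC, PRIVATE)]
PROBE = Packet(src="198.51.100.7", dst=PUBLIC)


def scenario(rule_dst: str, log: bool) -> tuple:
    """Return (verdict, number of log lines) for one WAN pass rule."""
    fw = Firewall(MAPPING, [Rule("wan", "pass", rule_dst, log=log)])
    verdict = fw.inbound("wan", PROBE)
    return verdict, len(fw.log)


if __name__ == "__main__":
    print("rule dst = public IP, log on:  ", scenario(PUBLIC, log=True))
    print("rule dst = private IP, log off:", scenario(PRIVATE, log=False))
    print("rule dst = private IP, log on: ", scenario(PRIVATE, log=True))
    print("rule dst = DMZ subnet, log on: ", scenario("10.10.10.0/24", log=True))
```

The first scenario is the original rule: it names the public IP, the packet has already been rewritten to the private IP by the time the rule is checked, so nothing matches and the probe is dropped. The second shows a correct rule with logging off: the traffic passes, but the log stays empty, which is exactly the "nothing in the logs" symptom. Only the third and fourth (private address or the whole DMZ subnet, with the rule's log flag set) produce a log line.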
You know what, I am stupid. I just remembered I did not tell the specific rule itself to log, I just had logs in general on… Doh... Anyway, I am in the process of rebuilding it now due to crashing for some odd reason after the 11/6 snapshot was put on.
When I am done I will remake the rules and whatnot from scratch and maybe it will work now, I don't know... :)
If not I will post back with my findings as I only have one more day to get this thing working. :(
If anyone else can think of anything please let me know.
But am I correct in assuming that making the rules like I did should just pass all traffic going to the 5 public IPs to the 5 local ones on the DMZ, and it will be up to the hosts/devices to firewall? That is what I am after. I know I can do individual ports but I just want EVERYTHING allowed on these 5...
UPDATE: Guess I am dead right now... The 11/6 snapshot is broken it seems, or at least for me... Posted my problem in install/upgrades... I keep getting random reboots. So I can't finish playing with this until that system stays up. :)