Cannot access NAT'd services

  • I upgraded to 2.1.1. I'm trying to create an inbound NAT rule, and nobody can connect. I must be forgetting something simple about NAT. But for the life of me i can't see what i'm missing.

    For example, i want to to able to access POP3 (port 110) from the outside.

    Click Firewall -> NAT

    Click the + to create a new port forward:

    Create the port forward:

    • Interface: WAN

    • Protocol: TCP

    • Destination Port Range: POP3 (110)

    • Redirect target IP: (the internal mail server)

    • Redirect target port: POP3 (110)

    • Description: POP3 to Stalwart

    • Click Save

    Now we use to verify that the NAT isn't working:

    Now we check the firewall rule. Click Firewall -> Rules:

    And click the e to edit the rule. Check the option Log packets that are handled by this rule, and click Save:

    Next re-run the check of port 110. Then check that the test packet arrived, and was allowed, by visiting Status -> System Logs -> Firewall, and search for destination port 110:

    Next confirm that pfSense can ping the internal mail server. Go to Diagnostics -> Ping:

    Then confirm that pfSense can connect to port 110 on Go to Diagnostics -> Test port:

    Next confirm that i can connect to the mail server from my desktop:

    telnet 110

    +OK Welcome to Indy POP3 Server

    The NAT rule is in place. The firewall rule is in place. The firewall allow rule is triggered. On the mail server i can see a connection internally from (my desktop) and (pfSense). But nobody from the outside can connect.

    What am i missing in the NAT setup?

    Bonus Chatter

    This post comes after wiping all the rules and starting over; and reinstalling pfSense and starting over; and it reproducible, since i was able to take the 30 minutes to create this post, with screenshots and highlighting. Now that i'm an hour late for work, i will update the post later today to add more formatting (bold and italics).

    I've also tried forwarding other ports to other machines (e.g. 3389 to my desktop). I just can't make NAT work.

  • WAN gateway (default GW)?
    Outbound NAT?

  • @viragomann:

    WAN gateway (default GW)?

    The WAN is the gateway; it talks over PPPoE to my provider.

    Outbound NAT?

    This would be for inbound NATing; "port forwarding".

  • This would be for inbound NATing; "port forwarding".

    Anyway the firewall has to translate outbound traffic to your external address. However, this is done for the hole subnet automatically by default. I.e. other services on the internal subnet would be affected too.

    The POP server configuration is right to allow external connections.

    You may use a packet capture tool to verify the traffic.

  • I'm having the same issues. I upgraded this morning to 2.1.1 and none of my NAT services are working.

  • I have the same problem…I just installed the Pfsense 2.1.2 i386 and NAT don't works. Anyone help?

  • Banned


    I'm having the same issues.


    I have the same problem…

    This is an utterly useless "description" of a problem!

    As for the OP here, I cannot even see how's pfSense related, except if you produced some PEBKAC like setting up a gateway on a LAN interface in pfSense… Seems like the packets don't get routed back to WAN at all.

  • LAYER 8 Global Moderator

    And do you have a firewall on your pop3?  As mentioned does your pop3 box know to talk back to pfsense to for traffic from the internet?

    While your logging of the rule shows that pfsense forwarded it on..  Its better to do a simple sniff on the lan interface connected to your pop3 box so you can pfsense forward the traffic and your pop3 box answer back, etc.

  • Not sure if this is related, but sounds like it could be.

  • im having the same problem…. did u solve it?

  • I never reported back; but i was able to solve it by wiping pfSense and starting over, again, from scratch.

    Sometimes the pfSense configuration just gets itself into a state.

    Wiping the configuration and starting over has been the solution on four other occasions. Sometimes the UI must put the config files into an inconsistent state.

Log in to reply