Netgate Discussion Forum
    1:1 NAT not going to correct server

      kcallis

      I have learned to correctly set up a VIP and get 1:1 somewhat working. I have a Camera NVR and several cameras installed that I want to access remotely. I placed the NVR and cameras on my DMZ interface, then created a VIP and 1:1 pointing to my NVR (192.168.1.50). When I connect to my external address, I end up at 192.168.1.53 (one of the cameras). I have double-checked all my entries on pfSense, and the entries pointing to the NVR are correct. Does anyone have a thought as to why I can't get to the correct host?

        KOM

        Post screens of your WAN/LAN firewall & NAT rules.  It's impossible to say otherwise.  Is this NVR some type of media hub and is acting as a passthrough for the camera?

          kcallis

          The NVR acts as a controller for all of the cameras. Although each camera (192.168.1.[51-58]) is running embedded Linux and a webserver which can be individually addressed, in order to see all cameras, one has to log into the NVR (192.168.1.50). The 192.168.1.0 subnet is my DMZ, and I have created a 1:1 NAT between one of my external IP addresses (66.231.217.131/24) and 192.168.1.1 with an end target of 192.168.1.50.

          Initially, when I connected to the external IP address, I would end up connecting to one of the IP cameras (192.168.1.53) as opposed to the NVR (192.168.1.50). I have been playing with various configuration changes on the pfSense box, and now when I attempt to gain access from the remote IP address, although a tab on the browser states IP Camera, nothing shows on the screen. No camera pictures, no control tabs, and the screen is completely blank.

          Although someone previously made a suggestion that I should do a port forward, I have dismissed that since there are numerous ports that the NVR wants to access and it was easier to just open the server up and place it on the DMZ.

          ![WAN Rules.png](/public/imported_attachments/1/WAN Rules.png)
          ![DMZ Rules.png](/public/imported_attachments/1/DMZ Rules.png)
          ![1:1 NAT.png](/public/imported_attachments/1/1:1 NAT.png)

            KOM

            In your 1:1 rule, try changing the Internal IP to 192.168.1.50 and the Destination IP to Any.

              kcallis

              Made the change and still no go. The browser tag shows HD Cam Client, but the page is completely blank. The only excitement today is that suddenly, after posting the above detailed message, I was getting port 22 hits. I need to figure this one out soon because I was called to the principal's office today.

                Derelict LAYER 8 Netgate

                I think your DMZ rule allowing WAN net to access 192.168.1.50 needs to be on WAN instead.

                permit any dest 192.168.1.50 any

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)
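
The rule placement suggested above, together with the Internal IP change suggested earlier in the thread, as an added example (not code from any poster or from pfSense): a simplified Python model of how pfSense handles an inbound connection, where 1:1 NAT rewrites the destination first and only the rules on the ingress interface's tab are then checked. The client address 203.0.113.10 and the `Rule`/`evaluate` names are constructed for illustration, the DMZ rule is modelled from the description in the posts, and the model ignores ports and the 1:1 Destination field.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
EXTERNAL = "66.231.217.131"   # VIP from the thread
NVR = "192.168.1.50"          # NVR from the thread
CLIENT = "203.0.113.10"       # constructed remote client (documentation range)

@dataclass(frozen=True)
class Rule:
    tab: str   # interface tab the rule is on; it only sees traffic entering there
    src: str   # source network in CIDR form
    dst: str   # destination as seen AFTER NAT

def evaluate(ingress, src, dst, one_to_one, rules):
    """Return (destination after NAT, verdict) for a new inbound connection."""
    dst = one_to_one.get(dst, dst)          # 1:1 NAT rewrites the destination first
    for r in rules:                         # then the ingress tab's rules, first match wins
        if (r.tab == ingress and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)):
            return dst, "pass"
    return dst, "block"                     # nothing matched: default deny

def scenarios():
    # Pass rule sitting on the DMZ tab with source "WAN net" (66.231.217.0/24)
    dmz_rule = [Rule("DMZ", "66.231.217.0/24", NVR)]
    # "permit any dest 192.168.1.50 any" placed on the WAN tab
    wan_rule = [Rule("WAN", ANY, NVR)]
    return {
        "internal IP 192.168.1.1": evaluate(
            "WAN", CLIENT, EXTERNAL, {EXTERNAL: "192.168.1.1"}, wan_rule),
        "rule on DMZ tab": evaluate(
            "WAN", CLIENT, EXTERNAL, {EXTERNAL: NVR}, dmz_rule),
        "rule on WAN tab": evaluate(
            "WAN", CLIENT, EXTERNAL, {EXTERNAL: NVR}, wan_rule),
    }

if __name__ == "__main__":
    for name, (dst, verdict) in scenarios().items():
        print(f"{name:26} -> {dst:13} {verdict}")
```

With 1:1 NAT, every port the WAN rule allows reaches the NVR, so the destination port range on that rule is the only limit on what is exposed.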

                  Derelict LAYER 8 Netgate

                  Also I think you want 192.168.1.50 as the Internal IP and any in the destination.

                    KOM

                    This NVR is just a web server right?  You view it in your browser?  I would get rid of the 1:1 NAT and just do a port forward from WAN address to port 80 on the NVR.  The ports the NVR needs are between it and the cameras on the same net segment?

                      kcallis

                      I just did a port forward and am still getting the same thing. I am able to see a tab on the browser that says hd client, but still no image or control images. I know that when I began with the setup, I was able to at least get to the NVR control. When I started making changes with 1:1 (and yes I initially started with port forwarding). Now with the exception of seeing the name on the tab, I can see nothing. I have tried this on both the 1:1 as well as the forwarded port.

                        Derelict LAYER 8 Netgate

                        Post images of your current firewall and NAT rules.  Don't change anything.
