• Hi,

    Been searching the net for hours trying to get this sorted, first time using pfSense.

    We have an esxi installation with a router vm that has pfSense installed on it, we then have several vms that connect to the pfSense LAN. We have a /29 subnet allocated to us through the IP address pfSense is running through WAN.

    I've created the virtual IP subnet 85.10.250.xxx/29 and added a NAT 1:1 for one of those virtual IPs to an internal IP of which is our development machine (I've setup a reservation for this address that works correctly) however, I'm unable to access the internet from this development machine.

    What we want to do is allocate each of our public IPs that are routed through our pfSense vm to each of our LAN IPs so that they have both incoming and outgoing connections on an external IP.


  • Problem seems to be sorted after adding an outbound rule into the NAT and rebooting the devel vm.

  • Hmm, although I'm now able to access the outside world from this vm with it's allocated WAN IP address I'm unable to ssh into this box, I've added a firewall pass rule for my ip address with the destination set as the vm's wan IP.

    What's weird is that I tried ssh'ing via the pfSense shell and this just created another ssh to pfSense?! I'm guessing something isn't being forwarded quite right but not sure what?

  • Netgate Administrator

    Incoming packets on WAN hit the port forwarder before the firewall, in logical terms. So your firewall rule for a forwarded ssh session should have as the destination the internal IP of the vm.


  • Hi Stephen,

    I was under the impression that if I add a port forward rule for SSH and route it to the development vm, I will no longer be able to SSH into any of the other vms? If that's the case that isn't what I want. I want to be able to SSH into any vm that's attached to pfSense by using that vms external IP.

    Is this possible?


  • Netgate Administrator

    Normally this is handled by the 1:1 NAT setup which just port forwards all ports incoming. Like that however you can set the port forward to catch only packets with the destination IP of whichever address you're using for the external IP correlating to the VM. You can have port forwards for each external IP all for SSH.
    How are you testing this? If this is a firewall rules problems (normally the 1:1 NAT setting handles that for you) then you will see the traffic being blocked in the firewall logs.
    Are you trying to test this from a machine on the pfSense LAN side? If so then see this:


  • I've created a port forwarding rule from any source to the destination of the development vms external IP that redirects to the internal NAT IP of the dev vm on the SSH port and it doesn't seem to work

    And I'm testing my my machine which isn't on the same network, I will check the firewall logs and see if they contain anything

  • Ahh nevermind, I'd forgotten to set the source port to 'any' (just woken up!) I'm now getting SSH into the dev vm but the question is, why doesn't the nat 1:1 mapping do this automatically? Why do I need to add a port forward for a nat 1:1 when I've added a pass rule?

  • Netgate Administrator

    Good question. You shouldn't need a port forward rule, the 1:1NAT should be forwarding the port anyway. Did you try it before you added a rule?
    Do the logs show anything? If it's not a firewall issue it could be a asymmetric routing problem, perhaps your ssh client is not happy that returning packets are arriving from a different address (if they are).


  • The firewall was rejecting the packets until I forwarded the packet using a forward rule even though I already had a firewall pass rule and a nat 1:1.

  • @Rewt0r:

    The firewall was rejecting the packets until I forwarded the packet using a forward rule even though I already had a firewall pass rule and a nat 1:1.

    Then your firewall rule was wrong, NAT applies first, private destination is probably what you missed.