Port Forwarding with an IP subnet incorrectly translates incoming connection?

  • Pretty new to pfSense and have just come across an issue that I believe is a bug.

    I have set up pfSense with a /29 subnet of IP addresses (under Firewall > Virtual IPs). For Outbound NAT translation I have 2 rules for 2 connected devices that have the subnet pool of addresses set as the NAT address, and this correctly assigns each device's outbound traffic to its respective external IP from the pool.

    When I try to set up 2 port forward rules (see below) with the Destination set as the subnet pool and the NAT IP set respectively, pfSense routes an external connection to the wrong machine.

    Outbound and 1:1 rules
    192.xxx.xxx.xx6 -> 85.xxx.xxx.xx5
    192.xxx.xxx.xx7 -> 85.xxx.xxx.xx6

    Port Forward rules
    WAN TCP * * 85.xxx.xxx.xx5 (subnet pool) 80 (HTTP) 192.xxx.xxx.xx6 80 (HTTP)
    WAN TCP 81.98.65.xxx (my IP) * 85.xxx.xxx.xx5 (subnet pool) 80 (HTTP) 192.xxx.xxx.xx7 80 (HTTP)

    I now go to a hostname that's configured to point to 85.xxx.xxx.xx5 in a browser, but it seems my request is being served by the machine on 85.xxx.xxx.xx6 while showing as from 85.xxx.xxx.xx5. Surely that's not right, when the rule with my IP as the source should be translating to the correct internal IP via the 1:1 mapping, like the Outbound rule has done?

  • Rebel Alliance Developer Netgate

    Just use one IP in the destination, not the entire subnet.

  • I was going to do that by specifying the host, but how come the port forwarding rules don't use the same translation when you select the pool, just like the Outbound rules correctly do?

  • It's still doing the same even with the destination specified on the rules. I'm thinking that I'm going to have to add the external IPs one by one as virtual IPs rather than as a subnet and see what happens...

  • You have to add VIPs one by one, unless you're adding a proxy ARP range (which generally isn't the best option, since you generally have something else on the subnet like the ISP router that you can't answer ARP on).
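As an added illustration (not from the thread or from pfSense's own code), here is a small Python model of the problem the thread describes: port forwards are evaluated top to bottom and the first matching rule wins, so a rule whose destination is the whole subnet pool and whose source is `any` catches traffic meant for every VIP in the pool. The addresses are documentation placeholders standing in for the masked ones above, and the rule tuples mirror the thread's layout; the linter flags subnet destinations and shadowed rules.

```python
import ipaddress

# Constructed sample rules mirroring the thread's layout (placeholder addresses):
# (interface, proto, source, destination, dst_port, target, target_port)
RULES_AS_POSTED = [
    ("WAN", "tcp", "any",           "203.0.113.8/29",  80, "192.168.1.6", 80),
    ("WAN", "tcp", "198.51.100.10", "203.0.113.8/29",  80, "192.168.1.7", 80),
]
# Same rules with a single VIP as the destination, as the developer advised.
RULES_FIXED = [
    ("WAN", "tcp", "any",           "203.0.113.13/32", 80, "192.168.1.6", 80),
    ("WAN", "tcp", "198.51.100.10", "203.0.113.14/32", 80, "192.168.1.7", 80),
]

def _net(value):
    return ipaddress.ip_network(value, strict=False)

def _matches(rule, src, dst, dport):
    _, _, rsrc, rdst, rport, _, _ = rule
    src_ok = rsrc == "any" or ipaddress.ip_address(src) in _net(rsrc)
    dst_ok = ipaddress.ip_address(dst) in _net(rdst)
    return src_ok and dst_ok and dport == rport

def first_match_target(rules, src, dst, dport):
    """Return the internal target of the first rule that matches, or None.

    Assumption: rules are evaluated top to bottom, first match wins.
    """
    for rule in rules:
        if _matches(rule, src, dst, dport):
            return rule[5]
    return None

def lint(rules):
    """Flag subnet destinations and later rules that an earlier rule shadows."""
    findings = []
    for i, rule in enumerate(rules):
        if _net(rule[3]).num_addresses > 1:
            findings.append(f"rule {i + 1}: destination {rule[3]} is a subnet, use one VIP")
        for j, earlier in enumerate(rules[:i]):
            src_covered = earlier[2] == "any" or (
                rule[2] != "any" and _net(rule[2]).subnet_of(_net(earlier[2])))
            if (src_covered and earlier[4] == rule[4]
                    and _net(rule[3]).subnet_of(_net(earlier[3]))):
                findings.append(f"rule {i + 1}: never reached, shadowed by rule {j + 1}")
    return findings
```

Running `lint(RULES_AS_POSTED)` reports both subnet destinations and that the second rule can never match, while `lint(RULES_FIXED)` returns nothing.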
