Port forwarding with NAT 1:1
-
Hi all,
I need some help with configuring 1:1 NAT on my pfSense router. I have Comcast internet with 5 static IP addresses. Port forwarding on the main IP is working correctly. However, when I set up 1:1 NAT on my secondary IP address, I am not able to do any port forwarding to that 2nd IP address.
For example, I have the following IP addresses from Comcast:
74.95.22.10 --> main IP used by the pfSense router. Will have a web server
74.95.22.11 --> I would like to use this for another web server
74.95.22.12 --> Use this for another server
NAT Reflection mode for port forwards is enabled (Pure NAT)
Enable NAT Reflection for 1:1 NAT is checked
Enable automatic outbound NAT for Reflection is checked
Under Firewall: NAT: Port Forward, I created an HTTPS entry for the main IP (74.95.22.10). This automatically creates a firewall rule under my WAN connection. Everything works as expected. I am able to access my web server from the internet.
Under Firewall: NAT: 1:1, I created another HTTPS entry for the secondary IP (74.95.22.11). However, this does not create a firewall rule under my WAN connection. I am NOT able to access my 2nd web server on (74.95.22.11) from the internet. What is more strange is that after I created this 1:1 NAT, I am no longer able to access the 1st web server on (74.95.22.10) until I delete this 1:1 NAT. Even when I manually put in the firewall rules, it still does not work.
This is my pfSense version.
2.1.5-RELEASE (amd64)
built on Wed Aug 27 15:14:26 EDT 2014
FreeBSD 8.3-RELEASE-p16
Please tell me what I am doing wrong.
Thanks!
-
I don't see where you are adding your public IP address as virtual IPs in pfSense (Firewall - Virtual IP). You do that first, then you create your port forward.
-
Thanks for the reply.
Under Firewall: Virtual IP Addresses, I have my 5 IP addresses listed with type "IP Alias".
Maybe I am doing the 1:1 NAT wrong?
If I create a 1:1, under External subnet IP, I would type in 74.95.22.11. If I try to type in 74.95.22.11/32 (as a subnet), I would get the error message: A valid external subnet must be specified.
-
I have a 1:1 mapping. I just specified the External IP subnet to be a WAN address handled by IP Alias without any CIDR suffix, and the Internal is Single host with the LAN IP of the server.
-
> Under Firewall: NAT: Port Forward, I created an HTTPS entry for the main IP (74.95.22.10). This automatically creates a firewall rule under my WAN connection. Everything works as expected. I am able to access my web server from the internet.
> Under Firewall: NAT: 1:1, I created another HTTPS entry for the secondary IP (74.95.22.11). However, this does not create a firewall rule under my WAN connection. I am NOT able to access my 2nd web server on (74.95.22.11) from the internet. What is more strange is that after I created this 1:1 NAT, I am no longer able to access the 1st web server on (74.95.22.10) until I delete this 1:1 NAT. Even when I manually put in the firewall rules, it still does not work.
I don't think 1:1 can automatically put tracking firewall rules on WAN for you so you'll have to do that yourself.
Why not just use port forwards? Why 1:1?
-
> Why not just use port forwards? Why 1:1?
I need to run multiple web servers. With port forwarding, I can only forward TCP 443 to one IP.
-
> I need to run multiple web servers. With port forwarding, I can only forward TCP 443 to one IP.
And you can only forward a given public IP to one internal IP with 1:1 NAT. That does nothing to change your problem, from a networking perspective it's impossible to forward the same port to > 1 internal machine. You need a reverse proxy, or multiple public IPs, not 1:1 NAT.
-
@cmb:
> You need a reverse proxy, or multiple public IPs, not 1:1 NAT.
Maybe I am looking in the wrong place with pfSense. I am very new to pfSense and am still working my way around it.
I do have multiple public IP addresses. I have 5. I do need some of my servers to go out with those public IP addresses and not appear as if the traffic is coming from my main IP (which is on the pfSense).
-
@cmb:
> You need a reverse proxy, or multiple public IPs, not 1:1 NAT.
> I do have multiple public IP addresses. I have 5. I do need some of my servers to go out with those public IP addresses and not appear as if the traffic is coming from my main IP (which is on the pfSense).
That's easily done with policy routing in pfSense and is completely unrelated to your inbound NAT issue.
-
Use Outbound NAT in that case if you don't want to use 1:1. Policy routing is for multi-WAN, that's not relevant here as it sounds like you have one Internet connection only.
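To make the mechanics behind the GUI concrete, here is an added pf.conf fragment (written for this thread, not generated by pfSense and not posted by anyone above) showing what the three items discussed become at the pf level in the old pre-4.7 syntax that FreeBSD 8.x and pfSense 2.1.x use: a 1:1 NAT entry (rendered by pfSense as a `binat` rule), a port forward (an `rdr` rule), and outbound NAT that gives one host its own public source address. The WAN interface name `em0`, the LAN subnet and the internal server addresses are assumptions; the public addresses are the ones from the original post. The check a practitioner wants is in the filter section: pf translates before it filters, so the pass rules on WAN must match the internal (post-translation) destination, and a `binat` rule by itself opens nothing until a pass rule allows it.

```pf
# Added example: hand-written pf rules in the old (pre-4.7) syntax used by
# FreeBSD 8.x / pfSense 2.1.x. Not pfSense-generated and not from the thread.
# Assumed: WAN is em0, LAN is 192.168.1.0/24, web servers at 192.168.1.10 and
# 192.168.1.11, and a third server at 192.168.1.12.
ext_if  = "em0"
lan_net = "192.168.1.0/24"

# ---- Translation: evaluated before filtering; first matching rule wins ----

# 1:1 NAT for the second public address. binat is bidirectional and covers
# every port: inbound 74.95.22.11 -> 192.168.1.11, outbound 192.168.1.11 -> 74.95.22.11.
binat on $ext_if from 192.168.1.11 to any -> 74.95.22.11

# Port forward on the primary address: only TCP/443 is redirected to 192.168.1.10.
rdr on $ext_if proto tcp from any to 74.95.22.10 port 443 -> 192.168.1.10 port 443

# Outbound NAT. The host-specific rule must precede the catch-all, otherwise
# the catch-all matches first and 192.168.1.12 leaves as 74.95.22.10.
nat on $ext_if from 192.168.1.12 to any -> 74.95.22.12
nat on $ext_if from $lan_net     to any -> 74.95.22.10

# ---- Filtering: sees the packet AFTER rdr/binat have rewritten the destination ----

block in on $ext_if all

# Pass rules name the INTERNAL address, not the public one. A rule written
# against 74.95.22.11 never matches here because the destination is already
# 192.168.1.11 by the time the filter runs.
pass in quick on $ext_if proto tcp from any to 192.168.1.10 port 443 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to 192.168.1.11 port 443 flags S/SA keep state
# Nothing else from the Internet reaches 192.168.1.11, even though binat
# translates every port: the block rule above still decides.

pass out on $ext_if all keep state
```

On a pfSense box the equivalent generated rules can be inspected with `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules), and a hand-edited file can be syntax-checked without loading it using `pfctl -nf <file>`. The reverse-proxy point made earlier still applies: none of this lets one public address carry TCP/443 to two internal hosts; it only maps each public address to exactly one internal host.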
-
I do have multi-WAN but mainly use it as a failover for internet surfing.
Thanks for all the replies! I will have to give it another try and look into the areas that you all pointed out.