Netgate Discussion Forum
    Port forwarding with NAT 1:1

    hinzinho

      Hi all,

      I need some help with configuring my 1:1 NAT on the pfSense router.  I have Comcast internet with 5 static ip addresses.  Port forwarding on the main ip is working correctly.  However, when I set up 1:1 on my secondary ip address, I am not able to do any port forwarding to that 2nd ip address.

      For example, I have the following ip addresses from Comcast:

      74.95.22.10 --> main ip used by the pfSense router.  Will have a web server
      74.95.22.11 --> I would like to use this for another web server
      74.95.22.12 --> Use this for another server

      NAT Reflection mode for port forwards is enabled (Pure NAT)
      Enable NAT Reflection for 1:1 NAT is checked
      Enable automatic outbound NAT for Reflection is checked

      Under Firewall: NAT: Port Forward, I created a HTTPS for the main ip (74.95.22.10).  This automatically creates a firewall rule under my WAN connection.  Everything works as expected.  I am able to access my web server from the internet.

      Under Firewall: NAT: 1:1, I create another HTTPS entry for the secondary ip (74.95.22.11).  However this does not create a firewall rule under my WAN connection.  I am NOT able to access my 2nd web server on (74.95.22.11) from the internet.  What is more strange is after I created this 1:1 NAT, I am no longer able to access the 1st web server on (74.95.22.10) until I delete this 1:1 NAT.  Even when I manually put in the firewall rules, it still does not work.

      This is my pfSense version.
      2.1.5-RELEASE (amd64)
      built on Wed Aug 27 15:14:26 EDT 2014
      FreeBSD 8.3-RELEASE-p16

      Please tell me what I am doing wrong.

      Thanks!

      KOM

        I don't see where you are adding your public IP address as virtual IPs in pfSense (Firewall - Virtual IP).  You do that first, then you create your port forward.

        hinzinho

          Thanks for the reply.

          Under Firewall: Virtual IP Addresses, I have my 5 ip addresses listed with type "IfAlias".

          Maybe I am doing the 1:1 NAT wrong?

          If I create a 1:1, under External subnet IP, I would type in 74.95.22.11.  If I try to type in 74.95.22.11/32 (as a subnet), I would get the error message: A valid external subnet must be specified.

          KOM

            I have a 1:1 mapping.  I just specified the External IP subnet to be a WAN address handled by IP Alias without any CIDR suffix, and the Internal is Single host with the LAN IP of the server.

            Derelict (Netgate)

              @hinzinho:

              Under Firewall: NAT: Port Forward, I created a HTTPS for the main ip (74.95.22.10).  This automatically creates a firewall rule under my WAN connection.  Everything works as expected.  I am able to access my web server from the internet.

              Under Firewall: NAT: 1:1, I create another HTTPS entry for the secondary ip (74.95.22.11).  However this does not create a firewall rule under my WAN connection.  I am NOT able to access my 2nd web server on (74.95.22.11) from the internet.  What is more strange is after I created this 1:1 NAT, I am no longer able to access the 1st web server on (74.95.22.10) until I delete this 1:1 NAT.  Even when I manually put in the firewall rules, it still does not work.

              I don't think 1:1 can automatically put tracking firewall rules on WAN for you so you'll have to do that yourself.

              Why not just use port forwards?  Why 1:1?

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              hinzinho

                @Derelict:

                Why not just use port forwards?  Why 1:1?

                I need to run multiple web servers.  With port forwarding, I can only forward TCP 443 to one ip.

                cmb

                  @hinzinho:

                  I need to run multiple web servers.  With port forwarding, I can only forward TCP 443 to one ip.

                  And you can only forward a given public IP to one internal IP with 1:1 NAT. That does nothing to change your problem, from a networking perspective it's impossible to forward the same port to > 1 internal machine. You need a reverse proxy, or multiple public IPs, not 1:1 NAT.

                  hinzinho

                    @cmb:

                    You need a reverse proxy, or multiple public IPs, not 1:1 NAT.

                    Maybe I am looking in the wrong place with pfSense.  I am very new to pfSense and am still working my way around it.

                    I do have multiple public IP addresses.  I got 5.  I do need some of my servers to go out with those public IP addresses and not appear as if the traffic is coming from my main IP (which is on the pfSense).

                    Derelict (Netgate)

                      @hinzinho:

                      @cmb:

                      You need a reverse proxy, or multiple public IPs, not 1:1 NAT.

                      I do have multiple public IP addresses.  I got 5.  I do need some of my servers to go out with those public IP addresses and not appear as if the traffic is coming from my main IP (which is on the pfSense).

                      That's easily done with policy routing in pfSense and is completely unrelated to your inbound NAT issue.

                      cmb

                        Use Outbound NAT in that case if you don't want to use 1:1. Policy routing is for multi-WAN, that's not relevant here as it sounds like you have one Internet connection only.

                        hinzinho
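The three points made in the replies above (one TCP/443 port forward per public IP, 1:1 NAT translating but adding no WAN filter rule by itself, and a manual Outbound NAT entry so a server leaves from its own public IP) written out as the pf translation and filter rules that pfSense 2.1.x generates from those GUI entries. This is an added example, not from the thread; the interface names and the 192.168.1.x server addresses are assumed.

```pf
# Macros (constructed for this example; the 74.95.22.x addresses are the
# thread's, em0/em1 and the 192.168.1.x hosts are assumed)
wan_if   = "em0"
lan_if   = "em1"
pub_main = "74.95.22.10"
pub_web2 = "74.95.22.11"
pub_srv3 = "74.95.22.12"
web1     = "192.168.1.10"
web2     = "192.168.1.11"
srv3     = "192.168.1.12"

# Inbound port forwards: the public destination address is what tells the two
# TCP/443 forwards apart, so each IP Alias can map to a different server.
rdr on $wan_if proto tcp from any to $pub_main port 443 -> $web1 port 443
rdr on $wan_if proto tcp from any to $pub_web2 port 443 -> $web2 port 443

# 1:1 NAT (binat) for the third server: translates every port in both
# directions, so no separate outbound rule is needed for srv3.
binat on $wan_if from $srv3 to any -> $pub_srv3

# Outbound NAT: translation rules are first-match, so the per-server entry
# must precede the catch-all that pfSense creates automatically, otherwise
# web2 would still leave from the WAN interface address.
nat on $wan_if from $web2 to any -> $pub_web2
nat on $wan_if from ($lan_if:network) to any -> ($wan_if)

# Filter rules are a separate step. The port-forward GUI adds the first two
# for you; the 1:1 entry does not add the third, so it must be created by hand.
# pf filters on the already-translated (internal) destination address, and the
# source is left as "any" per the advice in the thread.
pass in on $wan_if proto tcp from any to $web1 port 443 flags S/SA keep state
pass in on $wan_if proto tcp from any to $web2 port 443 flags S/SA keep state
pass in on $wan_if proto tcp from any to $srv3 port 443 flags S/SA keep state
```

With both translation and filter rules present, the three public addresses answer on 443 independently, and only srv3 (the binat host) and web2 (the manual nat entry) source outbound traffic from their own public IPs.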

                          I do have multi-WAN but mainly use it as a failover for internet surfing.

                          Thanks for all the replies!  I will have to give it another try and look into the areas that you all pointed out.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.