Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Private address showing up as destination

    Scheduled Pinned Locked Moved Firewalling
    9 Posts 4 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D Offline
      dbennett
      last edited by

      Hello,

      I'm noticing that my firewall log is sometimes showing my private LAN IP's as a destination when the request came from the WAN interface.  I'm using 1:1 NAT so I would expect to see the public IP associated to that internal IP.  Here is an example:

      May 7 14:00:49  WAN  Default deny rule IPv4 (1000000103)  199.188.67.167:56832  172.16.2.86:135    TCP:S

      What am I missing?

      Thanks ahead of time.

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        NAT happens before the firewall.  So the IP address is being translated then the firewall says port 135 is blocked.

        That's why you have to put the real IP address of the server in the pass rules, not the WAN address.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • D Offline
          dbennett
          last edited by

          Thanks for the response!

          Ok that totally makes sense.

          Thanks again.

          1 Reply Last reply Reply Quote 0
          • T Offline
            Trel
            last edited by

            @Derelict:

            NAT happens before the firewall.  So the IP address is being translated then the firewall says port 135 is blocked.

            That's why you have to put the real IP address of the server in the pass rules, not the WAN address.

            That line, exactly how you wrote it should be in an FAQ.

            1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator
              last edited by

              where exactly do you think it should go - the firewall processing order is already documented

              https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
              More accurately, the following order (still simplified) is found in the ruleset (Check /tmp/rules.debug):

              Outbound NAT rules
                  Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
                  NAT rules for the Load Balancing daemon (relayd)
                  Rules dynamically received from RADIUS for OpenVPN and IPsec clients
                  Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
                  User-defined rules:
                      Rules defined on the floating tab
                      Rules defined on interface group tabs (Including OpenVPN)
                      Rules defined on interface tabs (WAN, LAN, OPTx, etc)
                  Automatic VPN rules

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.11 | Lab VMs 2.8.1, 25.11

              1 Reply Last reply Reply Quote 0
              • T Offline
                Trel
                last edited by

                Not the order, this part

                That's why you have to put the real IP address of the server in the pass rules, not the WAN address.

                1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  Its already in there where it says
                  Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)

                  Before the the other rules.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.11 | Lab VMs 2.8.1, 25.11

                  1 Reply Last reply Reply Quote 0
                  • T Offline
                    Trel
                    last edited by

                    I did say in an FAQ.  It much clarifies it.
                    I had to read up on NAT to understand it myself when I initially setup my firewall, having it in the FAQ would have made it much easier to understand.

                    1 Reply Last reply Reply Quote 0
                    • DerelictD Offline
                      Derelict LAYER 8 Netgate
                      last edited by

                      A FAQ for this forum is desperately needed.

                      ![Screen Shot 2015-05-21 at 2.50.50 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-21 at 2.50.50 PM.png)
                      ![Screen Shot 2015-05-21 at 2.50.50 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-05-21 at 2.50.50 PM.png_thumb)

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • First post
                        Last post
                      Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.