Private address showing up as destination



  • Hello,

    I'm noticing that my firewall log is sometimes showing my private LAN IPs as a destination when the request came from the WAN interface. I'm using 1:1 NAT, so I would expect to see the public IP associated with that internal IP. Here is an example:

    May 7 14:00:49  WAN  Default deny rule IPv4 (1000000103)  199.188.67.167:56832  172.16.2.86:135    TCP:S

    What am I missing?

    Thanks ahead of time.


  • Netgate

    NAT happens before the firewall. So the IP address is being translated, then the firewall says port 135 is blocked.

    That's why you have to put the real IP address of the server in the pass rules, not the WAN address.
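
    The processing order described in this reply, modelled as an added example (this is not code from the thread or from pfSense; the 1:1 NAT table, the public address 203.0.113.10 and the rule objects are constructed for the illustration). Inbound NAT rewrites the destination first, and only then are the interface rules evaluated against the translated packet, with the first matching rule winning (pfSense interface rules are `quick`) and an unmatched packet falling through to the default deny. A pass rule written against the WAN address therefore never matches, while the same rule written against the internal server address does. The parser handles the log line format shown in the original post.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed 1:1 NAT table for this example: public (WAN) address -> internal host.
# 203.0.113.10 is a documentation address standing in for the poster's real public IP.
ONE_TO_ONE_NAT: Dict[str, str] = {"203.0.113.10": "172.16.2.86"}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" / "udp"


@dataclass
class Rule:
    action: str           # "pass" or "block"
    dst: str              # destination IP, or "any"
    dport: Optional[int]  # destination port, None = any port
    proto: str = "tcp"


def translate_inbound(pkt: Packet) -> Packet:
    """Step 1 (inbound NAT): a 1:1 / binat mapping rewrites the destination
    before any filter rule is consulted. Unmapped destinations pass through."""
    internal = ONE_TO_ONE_NAT.get(pkt.dst)
    if internal is None:
        return pkt
    return Packet(pkt.src, pkt.sport, internal, pkt.dport, pkt.proto)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def filter_decision(rules: List[Rule], pkt: Packet) -> str:
    """Step 2 (filter): first matching interface rule wins; nothing matched
    means the built-in default deny applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def simulate(rules: List[Rule], pkt: Packet) -> str:
    """Full WAN-inbound path: NAT first, then the ruleset on the translated packet."""
    return filter_decision(rules, translate_inbound(pkt))


def public_for(internal_ip: str) -> Optional[str]:
    """Reverse lookup so a logged private destination can be tied back to its public IP."""
    for public, private in ONE_TO_ONE_NAT.items():
        if private == internal_ip:
            return public
    return None


# Matches the simplified log line quoted in the original post.
LOG_RE = re.compile(
    r"^(?P<ts>\w+ \d+ \d+:\d+:\d+)\s+(?P<iface>\S+)\s+(?P<rule>.+?\(\d+\))\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+):(?P<flags>\w+)$"
)


def parse_log_line(line: str) -> dict:
    """Parse one firewall log line into its fields; ports become ints, proto lower-case."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    d["proto"] = d["proto"].lower()
    return d


# The log line from the original post (real data from the thread, not constructed).
SAMPLE_LOG = ("May 7 14:00:49  WAN  Default deny rule IPv4 (1000000103)  "
              "199.188.67.167:56832  172.16.2.86:135    TCP:S")

if __name__ == "__main__":
    entry = parse_log_line(SAMPLE_LOG)
    inbound = Packet(entry["src"], entry["sport"], public_for(entry["dst"]), entry["dport"], entry["proto"])
    wrong = [Rule("pass", "203.0.113.10", 135)]   # written against the WAN address
    right = [Rule("pass", "172.16.2.86", 135)]    # written against the real server
    print("rule on WAN address:", simulate(wrong, inbound))
    print("rule on internal address:", simulate(right, inbound))
```

Run it and the rule against the WAN address reports `block` (the packet's destination is already 172.16.2.86 by the time the filter sees it, so the log shows the private address), while the rule against the internal address reports `pass`.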



  • Thanks for the response!

    OK, that totally makes sense.

    Thanks again.



  • @Derelict:

    NAT happens before the firewall. So the IP address is being translated, then the firewall says port 135 is blocked.

    That's why you have to put the real IP address of the server in the pass rules, not the WAN address.

    That line, exactly how you wrote it should be in an FAQ.


  • Rebel Alliance Global Moderator

    Where exactly do you think it should go? The firewall processing order is already documented:

    https://doc.pfsense.org/index.php/Firewall_Rule_Processing_Order
    More accurately, the following order (still simplified) is found in the ruleset (check /tmp/rules.debug):

    - Outbound NAT rules
    - Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)
    - NAT rules for the Load Balancing daemon (relayd)
    - Rules dynamically received from RADIUS for OpenVPN and IPsec clients
    - Internal automatic rules (pass and block for various items like lockout, snort, DHCP, etc.)
    - User-defined rules:
        - Rules defined on the floating tab
        - Rules defined on interface group tabs (including OpenVPN)
        - Rules defined on interface tabs (WAN, LAN, OPTx, etc.)
    - Automatic VPN rules



    Not the order, this part:

    That's why you have to put the real IP address of the server in the pass rules, not the WAN address.


  • Rebel Alliance Global Moderator

    It's already in there where it says:

    Inbound NAT rules such as Port Forwards (including rdr pass and UPnP)

    Before the other rules.



    I did say in an FAQ. It clarifies it a lot.
    I had to read up on NAT to understand it myself when I initially set up my firewall; having it in the FAQ would have made it much easier to understand.


  • Netgate

    An FAQ for this forum is desperately needed.

    ![Screen Shot 2015-05-21 at 2.50.50 PM.png](/public/imported_attachments/1/Screen Shot 2015-05-21 at 2.50.50 PM.png)