Netgate Discussion Forum

    Port Forward NAT is not working

      altiris

      (I've had NAT working before but I changed some settings and messed everything up)

      Alright so before I get into anything, I am using "Proxy ARP" for Virtual IP... so maybe that is the problem, idk which to use. I made another post asking to explain the differences of the VIPs (I have the pfSense gold book and I read it but I still don't understand).

      Anyway, I have a block of 5 IPs, one is assigned to WAN interface and another I want to use to assign to a server, so I went to Firewall > NAT > Port Forward and made a port forward rule accordingly, firewall rule got created automatically. Example below,


      (I blocked out IP for privacy reasons)

      The NAT IP is not on LAN interface, it is on OPT1 interface and I made a firewall rule to allow everything from OPT1 to LAN….remember I stated above I had this working fine a few months ago so I think the problem is due to the Virtual IP as that is what I changed.

      This is the Virtual IP,

      http://i.imgur.com/BMh7MMu.png

      I would really appreciate if you guys could help me out with this one! Thanks!

        johnpoz LAYER 8 Global Moderator

        Pretty sure you should be using IP alias for the VIP, and the mask should be the mask you have for the IP you're using - have to assume the 5 addresses you have are all in the same block.

        Then once you create the VIP you would pick that as the dest in your NAT rule.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          Derelict LAYER 8 Netgate

          https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

            altiris

            @johnpoz:

            Pretty sure you should be using IP alias for the VIP, and the mask should be the mask you have for the IP you're using - have to assume the 5 addresses you have are all in the same block.

            Then once you create the VIP you would pick that as the dest in your NAT rule.

            I changed to IP alias, I forget what to put for the mask, it's on 32 by default... I checked my WAN interface and it is set to 24 so I should put 24 as well? My 5 IPs are all on the same block, they are 96.242.131.x and they all are increments. I went back to NAT rules and it seemed to put it to that virtual IP for me now.

              Derelict LAYER 8 Netgate

              Proxy ARP VIP should have worked too.  Did changing to IP Alias fix the forward?  How were you testing?

                altiris

                @Derelict:

                Proxy ARP VIP should have worked too.  Did changing to IP Alias fix the forward?  How were you testing?

                It seemed to have fixed it, at least for the web server. I checked it by accessing my domain name myself, asking a friend to access it, and using a website to check if the domain name was up, and all were able to access it. I asked my friend to check if he could access my external IP also and it worked. However, if I try accessing my FTP server or Minecraft game with the external IP I can't, internal works fine... really strange. I would like to note I have NAT reflection set to "Disabled".

                  altiris

                  @Derelict:

                  Proxy ARP VIP should have worked too.  Did changing to IP Alias fix the forward?  How were you testing?

                  Did some more tests and for some odd reason, almost all ports are opened except for a select few.

                    Derelict LAYER 8 Netgate

                    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.