Netgate Discussion Forum

    Multi-WAN and NAT Port Forwarding not working

    Routing and Multi WAN
    17 Posts 4 Posters 5.2k Views
    • Blunk

      Hello pfSense Forum community!

      Recently I installed a machine with 3 Ethernet ports (LAN + WAN1 + WAN2). I have pfSense 2.2.2 installed and MultiWAN is working properly. I created a gateway group and everything.

      Now I need to open a port and forward it to a machine. I did open the HTTPS port and I am able to access pfSense remotely… but when I need port forwarding I cannot get it to pass to the server. It is not required to access that local machine through both WANs; one is just fine.

      WAN1 ---> pfSense:443 OK
      WAN1 ---> pfSense:8080 --> 10.0.2.2:8080 NOT WORKING

      I even tried using the same 443 port and overriding pfSense access.
      WAN1 ---> pfSense:443 --> 10.0.2.2:443 NOT WORKING EITHER

      From LAN I am able to reach both 10.0.2.2:8080 and 10.0.2.2:443, so I guess it is something about NAT.

      Any help?

      Thanks :)

      • Derelict LAYER 8 Netgate

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • Blunk

          Of course, I already tried all the documentation that I found… No luck.
          I'm guessing it is something about multi-WAN, or I'm not sure what it could be.

          • Derelict LAYER 8 Netgate

            Post what you've done then: NAT rules, firewall rules. Check EVERYTHING in the list in that link, including the LOCAL FIREWALL on the destination server.

            • theruck

              Same problem with pfSense 2.2.2 here
              clean install 3 NIC interfaces
              WAN
              LAN
              OPT1

              changed the web configurator port to 4433
              no rules at all just the first one to test port forwarding. here are the findings

              I can port forward to OPT1
              I can port forward port 8021 to LAN port 21
              I cannot port forward port 443 to LAN port 443

              • Derelict LAYER 8 Netgate

                Post screenshots of your port forwards and your WAN rules.

                • Blunk

                  This is what I have

                  https://www.dropbox.com/s/0nw76fa16cb1joe/Screenshot%202015-06-22%2011.41.54.png?dl=0
                  https://www.dropbox.com/s/mck8nzdsfcsbydu/Screenshot%202015-06-22%2011.42.06.png?dl=0
                  https://www.dropbox.com/s/gs275hg3zmdjkiy/Screenshot%202015-06-22%2011.42.14.png?dl=0
                  https://www.dropbox.com/s/c2bw7mav2te8uze/Screenshot%202015-06-22%2011.41.59.png?dl=0

                  Any clues?

                  • Derelict LAYER 8 Netgate

                    Yeah.  Please use the "Attachments" in the message composition screen.  It's FAR easier to look at what you're doing when we can instantly look at all the images side-by-side.

                    Read and understand this:

                    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

                    You have the destination as FIBERTEL net on your FIBERTEL interface rules.  That is wrong.

                    Read and understand this:

                    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

                    And this:

                    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                    You have '*' as the destination in your NAT rule even though the documentation says:

                    Destination: Specifies the original destination IP address of the traffic, as seen before being translated, and will usually be WAN address.

                    Yes, you will need a rule for BOTH WANs if you want it to work reliably on BOTH WANs.

                    • Blunk

                      Thank you. Either I still have something missing or I really don't understand it :(
                      I tried several configs. What I am really sure of is that my WAN has the port open. I can access pfSense remotely. I am just not getting port forwarding to work.

                      ![Screenshot 2015-06-24 21.48.21.png](/public/imported_attachments/1/Screenshot 2015-06-24 21.48.21.png)

                      • tim.mcmanus

                        What is a jenkins port?

                        See my attached screen shot for NATing a mail server SMTP port.  It shows the interface as the WAN2 interface, the destination address is the IP address of WAN2, the destination port on the WAN2 interface is 25 (for SMTP), the NAT IP is the internal address of the mail server, and the NAT ports are 25, again the SMTP ports.

                        This NAT port forward directs traffic that is going into the WAN2 port 25 to the mail server at 10.0.1.240's port 25.

                        The second screen shot shows the matching firewall rule that allows that traffic to come in and actually reach the destination machine.  You need to have both set up (hence the neat green link on the NAT page showing you that there is a linked FW rule).

                        Instead of some jenkins port thingy, you should have 8080 as your port in both the NAT and FW rule.

                        ![Screen Shot 2015-06-24 at 10.39.05 PM.png](/public/imported_attachments/1/Screen Shot 2015-06-24 at 10.39.05 PM.png)
                        ![Screen Shot 2015-06-24 at 10.42.19 PM.png](/public/imported_attachments/1/Screen Shot 2015-06-24 at 10.42.19 PM.png)

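The rule mistakes named in Derelict's and tim.mcmanus's replies above ('*' as the NAT destination, a WAN pass rule aimed at the WAN network instead of the internal server, a forward on only one WAN) can be checked mechanically. This is an added example, not part of the original thread and not pfSense code: the `PortForward`/`PassRule` model, the finding codes and the sample rules are hypothetical, and the pass-rule check relies on pfSense applying NAT before the firewall rules are evaluated.

```python
from dataclasses import dataclass

# Hypothetical, simplified rule model for illustration; not pfSense's config.xml schema.
@dataclass
class PortForward:
    interface: str           # WAN the traffic arrives on
    destination: str         # original destination, before translation
    dest_port: int
    target_ip: str           # internal server ("NAT IP")
    target_port: int
    source_port: str = "*"

@dataclass
class PassRule:
    interface: str
    destination: str         # evaluated after NAT, so the internal server IP
    dest_port: int
    source_port: str = "*"

def lint(forwards, rules, wans):
    """Return (code, detail) findings for the mistakes discussed in the thread."""
    findings = []
    for f in forwards:
        where = f"{f.interface}:{f.dest_port}"
        if f.destination in ("*", "any"):
            findings.append(("NAT_DEST_ANY", f"{where} should use '{f.interface} address'"))
        if not any(r.interface == f.interface and r.destination == f.target_ip
                   and r.dest_port == f.target_port for r in rules):
            findings.append(("NO_PASS_RULE",
                             f"{where} needs a pass rule on {f.interface} to {f.target_ip}:{f.target_port}"))
    for item in list(forwards) + list(rules):
        if item.source_port != "*":
            findings.append(("SRC_PORT_SET", f"{item.interface}:{item.dest_port} restricts source port"))
    for target in sorted({(f.target_ip, f.target_port) for f in forwards}):
        covered = {f.interface for f in forwards if (f.target_ip, f.target_port) == target}
        for wan in sorted(set(wans) - covered):
            findings.append(("WAN_NOT_COVERED", f"{target[0]}:{target[1]} has no forward on {wan}"))
    return findings

# Constructed sample resembling the thread: '*' NAT destination, pass rule aimed at "WAN1 net".
BROKEN = ([PortForward("WAN1", "*", 8080, "10.0.2.200", 8080)],
          [PassRule("WAN1", "WAN1 net", 8080)])
FIXED = ([PortForward("WAN1", "WAN1 address", 8080, "10.0.2.200", 8080),
          PortForward("WAN2", "WAN2 address", 8080, "10.0.2.200", 8080)],
         [PassRule("WAN1", "10.0.2.200", 8080), PassRule("WAN2", "10.0.2.200", 8080)])

if __name__ == "__main__":
    for code, detail in lint(*BROKEN, wans=["WAN1", "WAN2"]):
        print(code, detail)
```

`WAN_NOT_COVERED` is informational when only one WAN needs to accept the forward.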
                        • Blunk

                          Nope… I have 3 subnets... does it matter? Some other option to activate?
                          Router: 10.0.1.1
                          Jenkins server: 10.0.2.200:8080

                          ![Screenshot 2015-06-25 00.07.36.png](/public/imported_attachments/1/Screenshot 2015-06-25 00.07.36.png)
                          ![Screenshot 2015-06-25 00.09.10.png](/public/imported_attachments/1/Screenshot 2015-06-25 00.09.10.png)

                          • Blunk

                            Does this help?

                            Locally, from a computer in LAN, I can access 10.0.2.200:8080

                            ![Screenshot 2015-06-25 00.27.10.png](/public/imported_attachments/1/Screenshot 2015-06-25 00.27.10.png)

                            • Derelict LAYER 8 Netgate

                              Looks to me like the server isn't listening on port 8080.  Or at least pfSense can't connect to it.

                              https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

                              https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                              • Blunk

                                I tried them and pfSense is not connecting to that port. I also tried another HTTP server on LAN (10.0.2.2:80) and I still have the same issue.

                                Is there any configuration that is not working properly or something?

                                Thanks

                                • Derelict LAYER 8 Netgate

                                  If you configured it correctly it would be working.  I already told you that pfSense can't connect to the server on 8080.  If it can't connect the port forward can't either.

                                  There is nothing wrong with port forwarding in 2.2.2. It all works as expected. Go over everything on the port forwarding troubleshooting list. Don't skip anything, actually look at everything and verify.

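Derelict's point above, that the forward cannot work if the firewall itself cannot reach the server, can be tested with a plain TCP connect made from the firewall's side of the network. This is an added example, not part of the original thread and not pfSense code: `probe`, `triage` and the hint texts are assumptions, and the two targets in the demo are the addresses mentioned in the thread.

```python
import socket

# Next checks per outcome, drawn from the troubleshooting points raised in this thread.
NEXT_STEP = {
    "open": "backend reachable; re-check the NAT rule and the WAN pass rule",
    "refused": "host answered but nothing accepts connections on that port "
               "(service down, wrong bind address, or a host firewall rejecting)",
    "timeout": "no answer; check the server's local firewall and that its replies "
               "route back to the firewall",
    "unreachable": "no route from this source address; check interface, subnet and mask",
}

def probe(host, port, source_ip=None, timeout=3.0):
    """TCP connect test; source_ip selects which firewall-side address to test from."""
    source = (source_ip, 0) if source_ip else None
    try:
        with socket.create_connection((host, port), timeout=timeout, source_address=source):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:
        return "unreachable"

def triage(targets, source_ip=None, timeout=3.0):
    """Probe each (host, port) and pair the result with the next thing to verify."""
    report = {}
    for host, port in targets:
        state = probe(host, port, source_ip, timeout)
        report[f"{host}:{port}"] = (state, NEXT_STEP[state])
    return report

if __name__ == "__main__":
    # Addresses taken from the thread; run from a host on the firewall's side of the network.
    for target, (state, hint) in triage([("10.0.2.200", 8080), ("10.0.2.2", 80)]).items():
        print(f"{target}: {state} -> {hint}")
```

A result of "open" from a LAN client does not prove the firewall can connect, so the probe has to run from the firewall's position, with `source_ip` set to the firewall address on the server's subnet where there are several.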
                                  • tim.mcmanus

                                    How are you testing remote access coming into your WANs?  Are you trying to access your WANs from a remote site as a test or some other way?

                                    Check your firewall logs to determine if the traffic is getting to pfSense. Set up your NAT rules to log traffic and that too should show up on the firewall logs. If you don't see the remote IP address hitting your firewall, that may be an indication that there is something else going on.

                                    • Blunk

                                      OK. I just fixed the access from pfSense to the server. Now using the Test Port I do get a response from the server on the port. Now I will try the port forwarding all over again.

                                      Thanks :)

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.