Multi-WAN and NAT Port Forwarding not working

  • Hello pfSense Forum community!

    Recently I installed a machine with 3 Ethernets (LAN + WAN1 + WAN2). I have pfSense 2.2.2 installed and MultiWAN is working properly. I created a gateway group and everyting.

    Now I need to open a port and forward it to a machine. I did open HTTPS port and I am able to access pfSense from remote… but if I need a port forwarding I can not get to pass to the server. Is not required to access to that local machine with both WAN, with one is just fine.

    WAN1 ---> pfSense:443 OK
    WAN1 ---> pfSense:8080 --> NOT WORKING

    I even tryed using same 443 port and override pfsense access.
    WAN1 ---> pfSense:443 --> NOT WORKING EITHER

    From LAN I am able to go to either and so I guess is something about NAT.

    Any help?

    Thanks :)

  • LAYER 8 Netgate

  • Of course that I already tried every documentation that I found… No luck.
    Im guessing is something about multi wan or not sure what could be

  • LAYER 8 Netgate

    Post what you've done then  NAT rules, firewall rules.  Check EVERYTHING in the list in that link including the LOCAL FIREWALL on the destination server.

  • same problem with pfsense 2.2.2 here
    clean install 3 NIC interfaces

    changed the web configurator port to 4433
    no rules at all just the first one to test port forwarding. here are the findings

    i can port forward to OPT1
    i can port forward port 8021 to LAN port 21
    i can not port forward port 443 to LAN port 443

  • LAYER 8 Netgate

    Post screenshots of your port forwards and your WAN rules.

  • LAYER 8 Netgate

    Yeah.  Please use the "Attachments" in the message composition screen.  It's FAR easier to look at what you're doing when we can instantly look at all the images side-by-side.

    Read and understand this:

    You have the destination as FIBERTEL net on your FIBERTEL interface rules.  That is wrong.

    Read and understand this:

    And this:

    You have '*' as the destination in your NAT rule even though the documentation says:

    Destination: Specifies the original destination IP address of the traffic, as seen before being translated, and will usually be WAN address.

    Yes, you will need a rule for BOTH WANs if you want it to work reliably on BOTH WANs.

  • Thank you. Or I still have something missing or I really don't understand it :(
    I tried several configs. What I am really sure is that my WAN has the port open. I can access pfSense remotly. I am just not getting port forwarding to work.

    ![Screenshot 2015-06-24 21.48.21.png](/public/imported_attachments/1/Screenshot 2015-06-24 21.48.21.png)
    ![Screenshot 2015-06-24 21.48.21.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-24 21.48.21.png_thumb)

  • What is a jenkins port?

    See my attached screen shot for NATing a mail server SMTP port.  It shows the interface as the WAN2 interface, the destination address is the IP address of WAN2, the destination port on the WAN2 interface is 25 (for SMTP), the NAT IP is the internal address of the mail server, and the NAT ports are 25, again the SMTP ports.

    This NAT port forward directs traffic that is going into the WAN2 port 25 to the mail server at's port 25.

    The second screen shot shows the matching firewall rule that allows that traffic to come in and actually reach the destination machine.  You need to have both set up (hence the neat green link on the NAT page showing you that there is a linked FW rule).

    Instead of some jenkins port thingy, you should have 8080 as your port in both the NAT and FW rule.

    ![Screen Shot 2015-06-24 at 10.39.05 PM.png](/public/imported_attachments/1/Screen Shot 2015-06-24 at 10.39.05 PM.png)
    ![Screen Shot 2015-06-24 at 10.39.05 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-06-24 at 10.39.05 PM.png_thumb)
    ![Screen Shot 2015-06-24 at 10.42.19 PM.png](/public/imported_attachments/1/Screen Shot 2015-06-24 at 10.42.19 PM.png)
    ![Screen Shot 2015-06-24 at 10.42.19 PM.png_thumb](/public/imported_attachments/1/Screen Shot 2015-06-24 at 10.42.19 PM.png_thumb)

  • Nope… I have 3 subnets... does it matter? Some other option to activate?
    Jenkins server:

    ![Screenshot 2015-06-25 00.07.36.png](/public/imported_attachments/1/Screenshot 2015-06-25 00.07.36.png)
    ![Screenshot 2015-06-25 00.07.36.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-25 00.07.36.png_thumb)
    ![Screenshot 2015-06-25 00.09.10.png](/public/imported_attachments/1/Screenshot 2015-06-25 00.09.10.png)
    ![Screenshot 2015-06-25 00.09.10.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-25 00.09.10.png_thumb)

  • Does this help?

    Locally from a computer in LAN I can access to

    ![Screenshot 2015-06-25 00.27.10.png](/public/imported_attachments/1/Screenshot 2015-06-25 00.27.10.png)
    ![Screenshot 2015-06-25 00.27.10.png_thumb](/public/imported_attachments/1/Screenshot 2015-06-25 00.27.10.png_thumb)

  • LAYER 8 Netgate

    Looks to me like the server isn't listening on port 8080.  Or at least pfSense can't connect to it.

  • I tried them and pfSense is not connecting to that port. I also tried other HTTP server on LAN ( and still having same issue.

    Is there any configuration that is not working properly or something?


  • LAYER 8 Netgate

    If you configured it correctly it would be working.  I already told you that pfSense can't connect to the server on 8080.  If it can't connect the port forward can't either.

    There is noting wrong with port forwarding in 2.2.2.  It all works as expected.  Go over everything on the port forwarding troubleshooting list.  Don't skip anything, actually look at everything and verify.

  • How are you testing remote access coming into your WANs?  Are you trying to access your WANs from a remote site as a test or some other way?

    Check your firewall logs to determine if the traffic is getting to pfSense. Set up your NAT rules to log traffic and that too should show up on the firewall logs. If you don't see the remote IP address hitting your firewall, that may be an indication that there is something else going on.

  • OK. I just fixed the access from pfSense to the server. Now using the Test Port I do get response from the server on the port. Now I will try the port forwarding all again.

    Thanks :)

Log in to reply