Unxpected firewall rule added when doing a NAT portforward



  • I am interested in the correct way to port forward a few select ports in pfsense from the internet to my Xbox 360. This is my current pfsense interface setup;

    pfsense version = 2.2.3 i386
    WAN = Comcast IP (arris modem)
    LAN = 192.168.1 (subnet)
    OPT1 = 192.168.2  (subnet)

    When I enter a port forward directly into the firewall as a pass rule, then check it with an online port checker, everything appears to be working as expected. Please reference the first two images I have attached.

    After reading many of the pfsense docs and multiple posts around the interent as well as this fourm, to correcly port-forward, we need to use NAT, Network Address Translation. As I learned in my IST220 networking course, NAT involves translating an incoming WAN packet, and translating it to the new, internal IP address of a host by stripping it out of the previous network frame and putting it into a new one bound for the host's network.

    However, when I put in the required information in the pfsense NAT form, I believe I get an incorrect firewall rule automatically generated. The rule that is automatically generated puts the internal IP of my Xbox360 as destination address for the pass rule in the firewall filter, which according to my knowledge will never work, please reference the remaining pictures attached. Since my Xbox has an internal ip, no packet from the WAN will ever have that address as the destination. In fact, every single packet that ever comes into my home network will always have a destination IP of the WAN interface, and is automatically NAT'd and routed to my computer, which is how I am making this post in the first place.

    Is this the expected behavior of the pfsense NAT automatic rule generation, or do I have some option ticked somewhere that is messing with the default settings? I find it great inconvenience to have to add an UN-associated firewall rule and NAT rule separate, and since I am very new to pfsense, feel uneasy/vulnerable opening up the ports in the firewall like in the first example mainly from what I learned in my networking class. Any ideas as to why putting the internal ip address as the destination address in the WAN firewall rule seems to work for everybody else, and is the recommended way pfsense recommends, but does not work for me?










  • Banned

    As for your "unexpected" rules, look at the "Filter rule association" which you cut off from your port forward screenshots. For the rest, I don't really think you have a clue about what you are doing. Debugging completely wrong stuff. There' s nothing wrong with the automatic rules.



  • Roger that. I'll keep looking through the docs. I have already gone through https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting, but I'll give it a second, third, fourth… read and see if there is anything I might have missed or miss interpreted as well as the rest of this forum. As for the filter rule association, it is set as "add associated filter rule". From status>system logs>firewall, it shows nothing when the port is opened, but consistently shows blocked "default deny all ipv4" with the rule added from NAT.



  • Finally got the NAT rules and portforwarding to work. Turns out that putting the internal private ip address in the destination address for the WAN interface was the correct way of doing things, while I'm still not exactly sure how/why this works. Long story short, 1+ hour with Comcast and my own modem, it turns out that whoever "provisioned" my modem for internet access did not setup anything but the default ports to be opened ie.53,80,443. Once i got to one of the higher ups, I got a new external IP address, and now all my portforwarding works. Problem solved.