Netgate Discussion Forum
    Port forward and shaping problem

    ataranji
      Hi,
      The PC behind NAT is running a webserver on port 8888. I want to expose it to the internet and at the same time limit bandwidth on ONLY that port to 1Mb/s.
      Here's the setup I do on a clean pfSense installation (IP addresses are fake for demonstration):
      WAN interface (em0):
      static ip address: 143.50.11.8/24
      default gateway: 143.50.11.1
      dns: 8.8.8.8
      LAN interface (em1):
      static ip address: 10.10.10.1/24
      PC running webserver on port 8888:
      static ip address: 10.10.10.2/24
      gateway: 10.10.10.1

      1. Firewall -> NAT -> Port Forward -> New rule
        Destination port range: from (8888)
        Redirect target IP: 10.10.10.2
        Redirect target port: 8888
        At this point, once the rule is saved, I can access the internal webserver at 143.50.11.8:8888.
        Port forwarding works without an issue.

      Time to add limiters.
      2. Firewall -> Traffic Shaper -> Limiter -> Create new limiter
        name: 1mbps_in, bandwidth 1024Kbit/s
        name: 1mbps_out, bandwidth 1024Kbit/s
      Limiters created; now I add them to the WAN rule that the port forward generated automatically.

      3. Firewall -> Rules -> WAN -> Edit rule
        I assign the 1mbps_in and 1mbps_out limiters to the rule's "In/Out" in the advanced features section.

      Once the rule is saved with limiters there's basically no traffic from the forwarded port.

      Derelict (Netgate)
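The three GUI steps above, written out as the pf ruleset and dummynet pipe commands they correspond to. This is an added illustration, not code from the post and not the ruleset pfSense itself generates (pfSense writes its own rules with labels, reply-to and other options that are left out here); the interface names, addresses and ports are taken from the post, and the pipe numbers 1 and 2 are an assumption.

```pf
# Added illustration of the three GUI steps as a pf ruleset. Not pfSense's
# generated ruleset. Interfaces, addresses and ports are from the post;
# the pipe numbers 1 and 2 are assumed.
ext_if   = "em0"
int_if   = "em1"
wan_ip   = "143.50.11.8"
web_srv  = "10.10.10.2"
web_port = "8888"

# Step 2, created outside pf.conf: one dummynet pipe per limiter.
#   dnctl pipe 1 config bw 1024Kbit/s    # 1mbps_in
#   dnctl pipe 2 config bw 1024Kbit/s    # 1mbps_out

# Step 1: the port forward. Match only the destination address and port;
# do not restrict the source unless you know you need to.
rdr on $ext_if inet proto tcp from any to $wan_ip port $web_port -> $web_srv port $web_port

# Step 3: the WAN pass rule for the forwarded traffic, with the limiters attached.
# Translation has already rewritten the destination when this rule is evaluated,
# so it matches the internal address, not the WAN address. dnpipe (1, 2) sends
# packets entering on WAN through pipe 1 and the replies leaving WAN through pipe 2.
pass in quick on $ext_if inet proto tcp from any to $web_srv port $web_port \
    flags S/SA keep state dnpipe (1, 2)
```

On the firewall, `pfctl -vsr | grep dnpipe` shows which loaded rules carry pipes and `dnctl pipe show` lists the pipes with their configured bandwidth. After loading, confirm from outside that 143.50.11.8:8888 still answers: the post and the reply below report that on 2.2 this exact combination passed no traffic at all (redmine #4326), so a working port forward before the limiters are attached is not evidence that it still works afterwards.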

        NAT breaks limiters in 2.2 - or limiters break NAT. I think it depends on which way the traffic is flowing.

        This looks like it:

        https://redmine.pfsense.org/issues/4326

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          Sabyre

          I know this is old, but it's a common result when searching for the issue.

          As added to redmine:

          Using pfSense 2.3.2-RELEASE (amd64)

          I can confirm disabling the upload limiter solves an issue with limiters and 1:1 NAT.

          We don't use squid or any addons, for that matter. Our issue was / is: WAN / LAN interface. Aliases set up for each IP in the DHCP scope on LAN. Limiters (up/down) set up for those aliases as a firewall rule on LAN. No issues with connectivity, local or WAN. The issue is with accessing servers that are NATed 1:1 from WAN to LAN. It's worth noting the local IPs of the servers are NOT part of the limiter IP range. The UL limiter on LAN breaks NAT reflection.

          To get around this we disabled the UL limiter. This is a temporary fix.

          I really hope this can be resolved. Seems like an issue that has been ongoing for a while.

          One thing I would like to mention... Prior to our current pfsense setup we had dual pfsense boxes using carp. Same versions, same setup. And that worked. I have a backup of that somewhere.

          "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

            jwt (Netgate)

            #4326 is now in Feedback.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.