Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Port forward and shaping problem

    NAT
    4
    4
    1870
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      ataranji last edited by

      Hi,
      PC behind nat is running a webserver on port 8888. I want to expose it to the internet and at the same time limit bandwidth on ONLY that port to 1Mb/s.
      Here's the setup I do on a clean pfsense installation (ip addresses are fake for demonstration):
      WAN interface (em0):
      static ip address: 143.50.11.8/24
      default gateway: 143.50.11.1
      dns: 8.8.8.8
      LAN interface (em1):
      static ip address: 10.10.10.1/24
      PC running webserver on port 8888:
      static ip address: 10.10.10.2/24
      gateway: 10.10.10.1

      1. Firewall -> Nat -> Port Forward -> New rule
        Destination port range: from (8888)
        Redirect target ip: 10.10.10.2
        Redirect target port: 8888
        At this point once the rule is saved I can access the internal webserver at 143.50.11.8:8888.
        Port forwarding works without an issue.

      Time to add limiters
      2) Firewall -> Traffic Shaper -> Limiter -> Create new limiter
      name: 1mbps_in, bandwidth 1024Kbit/s
      name: 1mbps_out, bandwidth 1024Kbit/s
      Limiters created, now I add them to the automatically generated rule by port forwarding in WAN rules

      1. Firewall -> Rules -> Wan -> Edit rule
        I assign the 1mbps_in, 1mbps_out limiters to the rule's "In/Out" in advanced features section

      Once the rule is saved with limiters there's basically no traffic from the forwarded port.

      1 Reply Last reply Reply Quote 0
      • Derelict
        Derelict LAYER 8 Netgate last edited by

        NAT breaks limiters in 2.2 - or limiters break NAT. I think it depends on which way the traffic is flowing.

        This looks like it:

        https://redmine.pfsense.org/issues/4326

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • S
          Sabyre last edited by

          I know this is old, but it's a common result when searching for the issue.

          As added to redmine…..

          Using pfsense 2.3.2-RELEASE (amd64)

          I can confirm disabling the upload limiter solves an issue with limiters and 1:1 NAT.

          We don't use squid or any addons for that matter. Our issue was / is.... WAN / LAN interface. Aliases setup for each IP in the DHCP scope on LAN. Limiters (up/down) setup for those aliases as a firewall rule on LAN. No issues with connectivity local or WAN. The issue is with accessing servers that are WAN to LAN NATed 1:1. It's worth noting the local IP's of the servers are NOT part of the limiter IP range. The UL limiter on LAN breaks NAT reflection.

          To get around this we disabled the UL limiter. This is a temporary fix.

          I really hope this can be resolved. Seems like an issue that has been ongoing for a while.

          One thing I would like to mention... Prior to our current pfsense setup we had dual pfsense boxes using carp. Same versions, same setup. And that worked. I have a backup of that somewhere.

          "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

          1 Reply Last reply Reply Quote 0
          • jwt
            jwt Netgate last edited by

            #4326 is now in Feedback.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post

            Products

            • Platform Overview
            • TNSR
            • pfSense
            • Appliances

            Services

            • Training
            • Professional Services

            Support

            • Subscription Plans
            • Contact Support
            • Product Lifecycle
            • Documentation

            News

            • Media Coverage
            • Press
            • Events

            Resources

            • Blog
            • FAQ
            • Find a Partner
            • Resource Library
            • Security Information

            Company

            • About Us
            • Careers
            • Partners
            • Contact Us
            • Legal
            Our Mission

            We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

            Subscribe to our Newsletter

            Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

            © 2021 Rubicon Communications, LLC | Privacy Policy