Port forward and shaping problem



  • Hi,
    PC behind nat is running a webserver on port 8888. I want to expose it to the internet and at the same time limit bandwidth on ONLY that port to 1Mb/s.
    Here's the setup I do on a clean pfsense installation (ip addresses are fake for demonstration):
    WAN interface (em0):
    static ip address: 143.50.11.8/24
    default gateway: 143.50.11.1
    dns: 8.8.8.8
    LAN interface (em1):
    static ip address: 10.10.10.1/24
    PC running webserver on port 8888:
    static ip address: 10.10.10.2/24
    gateway: 10.10.10.1

    1. Firewall -> Nat -> Port Forward -> New rule
      Destination port range: from (8888)
      Redirect target ip: 10.10.10.2
      Redirect target port: 8888
      At this point once the rule is saved I can access the internal webserver at 143.50.11.8:8888.
      Port forwarding works without an issue.

    Time to add limiters
    2) Firewall -> Traffic Shaper -> Limiter -> Create new limiter
    name: 1mbps_in, bandwidth 1024Kbit/s
    name: 1mbps_out, bandwidth 1024Kbit/s
    Limiters created, now I add them to the automatically generated rule by port forwarding in WAN rules

    1. Firewall -> Rules -> Wan -> Edit rule
      I assign the 1mbps_in, 1mbps_out limiters to the rule's "In/Out" in advanced features section

    Once the rule is saved with limiters there's basically no traffic from the forwarded port.


  • LAYER 8 Netgate

    NAT breaks limiters in 2.2 - or limiters break NAT. I think it depends on which way the traffic is flowing.

    This looks like it:

    https://redmine.pfsense.org/issues/4326



  • I know this is old, but it's a common result when searching for the issue.

    As added to redmine…..

    Using pfsense 2.3.2-RELEASE (amd64)

    I can confirm disabling the upload limiter solves an issue with limiters and 1:1 NAT.

    We don't use squid or any addons for that matter. Our issue was / is.... WAN / LAN interface. Aliases setup for each IP in the DHCP scope on LAN. Limiters (up/down) setup for those aliases as a firewall rule on LAN. No issues with connectivity local or WAN. The issue is with accessing servers that are WAN to LAN NATed 1:1. It's worth noting the local IP's of the servers are NOT part of the limiter IP range. The UL limiter on LAN breaks NAT reflection.

    To get around this we disabled the UL limiter. This is a temporary fix.

    I really hope this can be resolved. Seems like an issue that has been ongoing for a while.

    One thing I would like to mention... Prior to our current pfsense setup we had dual pfsense boxes using carp. Same versions, same setup. And that worked. I have a backup of that somewhere.


  • Netgate

    #4326 is now in Feedback.


Log in to reply