Netgate Discussion Forum
    Copied NAT Rule Not Working

bsmither wrote:

      I have an FTP NAT with associated FW rule working fine.

      I copied this to create a MySQL NAT which created an associated FW rule.

      Comparing the config screens for each NAT and each FW rule, they are identical except for the port. (There is a preset port for (FTP) choice in the drop-down, (other) was chosen for port 3306.)

      Everything was Saved and Applied.

      Using an online port scanner service, I test port 21 and port 3306.

      Packet capture on WAN shows both tests: 21 has a 'conversation', 3306 only has one entry.

      Packet capture on LAN shows the same for 21, nothing at all for 3306.

      Nothing seen for 3306 in a state table.

      Nowhere is it mentioned, so I assume I don't have to reboot the pfSense box to get the new NAT/rule to be working.

      I have read doc.pfsense.org/index.php/Port_Forward_Troubleshooting.

      pfSense - current version - 2.2.3

bsmither wrote:

        This may apply to my situation:
        https://forum.pfsense.org/index.php?topic=92472.msg512368#msg512368

        Let me spend a few weeks learning how to get this sorted and then let's hope.

bsmither wrote:

          This is what I guess happened:

          I was running pfSense v1 (or maybe an early version of v2). The package pfBlocker was installed.

          I upgraded to pfSense 2.2.3 (or, at least, the system got upgraded to 2.2.3 - don't know if it was automatic or not, from a lower version of v2).

Somewhere along the way, pfBlocker disappeared.

          However, aliases that were created to group additional IP addresses in that version of pfBlocker no longer had targets to resolve to.

          I will assume that the failure to properly finish parsing the alias file somehow caused pfSense to not actually apply the changes to the NAT and firewall rules, even though those changes did show in the configuration tables.

          I removed the firewall rules that used those aliases and then removed the aliases.

          I installed and enabled the latest pfBlocker package.

          The online port scanner service reports that port 3306 is open.

          I will now attempt to conduct the experiments for which I opened port 3306 in the first place.

BBcan177 (Moderator) wrote:
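The diagnosis above (firewall and NAT rules still referencing aliases whose definitions vanished with the old package) is the kind of thing worth checking mechanically before trusting what the GUI tables show. The following script is an added example, not code from this thread or from the pfBlocker/pfBlockerNG projects: it parses a pfSense-style config.xml, collects the defined alias names, and reports every NAT or filter rule field that names an alias which is not defined. The element layout used (`<aliases>/<alias>/<name>`, `<nat>/<rule>`, `<filter>/<rule>` with `source/address`, `destination/address`, `target` and port fields) is an assumption about the export format, and the embedded XML is a constructed sample, not a real configuration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense-style config.xml (not a real export; the
# element layout is an assumption). One alias is defined, but two rules
# reference "pfBlockerOldList", which no longer exists.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <aliases>
    <alias><name>MySQL_Clients</name><type>network</type><address>192.0.2.0/24</address></alias>
  </aliases>
  <nat>
    <rule><descr>FTP</descr><protocol>tcp</protocol><interface>wan</interface>
      <source><any/></source>
      <destination><network>wanip</network><port>21</port></destination>
      <target>10.0.0.5</target><local-port>21</local-port></rule>
    <rule><descr>MySQL</descr><protocol>tcp</protocol><interface>wan</interface>
      <source><address>pfBlockerOldList</address></source>
      <destination><network>wanip</network><port>3306</port></destination>
      <target>10.0.0.5</target><local-port>3306</local-port></rule>
  </nat>
  <filter>
    <rule><descr>NAT FTP</descr><interface>wan</interface><source><any/></source>
      <destination><address>10.0.0.5</address><port>21</port></destination></rule>
    <rule><descr>Block old list</descr><interface>wan</interface>
      <source><address>pfBlockerOldList</address></source><destination><any/></destination></rule>
  </filter>
</pfsense>
"""

# Bare words that pfSense uses as keywords rather than alias names (assumed list).
KEYWORDS = {"any", "wanip", "lanip", "wan", "lan", "l2tp", "pppoe", "openvpn", "(self)"}
ALIAS_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")
# Rule fields that may hold an alias name instead of a literal value.
REF_FIELDS = ("source/address", "destination/address", "source/port",
              "destination/port", "target", "local-port")


def is_literal(value):
    """True for IP addresses, CIDR networks, port numbers and port ranges."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        pass
    return bool(re.match(r"^\d+([-:]\d+)?$", value))


def looks_like_alias(value):
    """A value is treated as an alias reference if it is a bare identifier
    that is neither a keyword nor an IP/CIDR/port literal."""
    if value is None:
        return False
    v = value.strip()
    if not v or v.lower() in KEYWORDS or is_literal(v):
        return False
    return bool(ALIAS_NAME.match(v))


def defined_aliases(root):
    return {a.findtext("name") for a in root.findall("./aliases/alias") if a.findtext("name")}


def find_dangling(config_xml):
    """Return (section, rule description, field, alias) for every rule field
    that references an alias which is not defined in <aliases>."""
    root = ET.fromstring(config_xml)
    known = defined_aliases(root)
    problems = []
    for section in ("nat", "filter"):
        for rule in root.findall(f"./{section}/rule"):
            for field in REF_FIELDS:
                value = rule.findtext(field)
                if looks_like_alias(value) and value.strip() not in known:
                    problems.append((section, rule.findtext("descr") or "", field, value.strip()))
    return problems


if __name__ == "__main__":
    for section, descr, field, alias in find_dangling(SAMPLE_CONFIG):
        print(f"{section} rule '{descr}': {field} references undefined alias '{alias}'")
```

Run it against a backed-up copy of config.xml (read the file into a string and pass it to `find_dangling`) rather than the live one; the point is to list which rules still have to be cleaned up before the stale aliases are deleted, in the same order the poster describes: rules first, then the aliases they used.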

The older pfBlocker version is a separate package than pfBlockerNG. The older version is also not available for pfSense +2.2

            Here is a script to flush the old pfBlocker remnants from the config.

            https://forum.pfsense.org/index.php?topic=88443.msg491279#msg491279

            "Experience is something you don't get until just after you need it."

            Website: http://pfBlockerNG.com
            Twitter: @BBcan177  #pfBlockerNG
            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.