Unable to setup NAT forward rule to external IP address correctly



  • Hi All,

    New to pfSense. I have set up my pfSense machine thanks to the help of this forum :)

    Now on to my issue, which I am sure is a misunderstanding on my part.

    I have 2 internal LANs, LAN1 and LAN2, and one WAN. I want certain source IPs on LAN2 to have their port 80 traffic diverted to an external IP. I have set up a rule I think should work, but it appears to make no difference to my test device.

    I want the device on 192.168.2.101 (in LAN2) to have all its web requests diverted to an external IP (in this case, as a test, 192.81.131.161, lolcats.com). I have set up this rule under NAT: Port Forwarding, but it appears to make no difference to my test device.



  • LAYER 8 Global Moderator

    For possible reason??

    You do understand that if I am trying to go to, say, www.pfsense.org and you redirect me to lolcats.com, the client is still going to be asking for www.pfsense.org from that server, and that server is going to say WHAT?? 404, or just serve up some default page if they have it set up. It's not going to understand the host headers the browser sends.

    You can not just redirect all http traffic to some other server - it doesn't work that way.



  • OK, thanks John.

    My purpose was that there are some devices on LAN2 that I basically don't want accessing anything across port 80. I was hoping this redirect would give me that, as originally I tried blocking ports 80 and 443 from certain source IPs but couldn't get that to work either. This was more an exercise to see if it worked. I was expecting a 404 or something, but all traffic from that device is normal. My rule is doing nothing.

    I shall have to go back to the drawing board and try something else. I'm trying to figure out my problems through research and persistence rather than harassing the forum, but I was really stuck as to why my rule is seemingly ignored when it looks OK to me.


  • LAYER 8 Global Moderator

    If you don't want devices to access a site, then put a block above your normal allow rule. Post up your LAN rules and we can go over them.

    Rules are evaluated from top down, first rule wins. You will have to make sure that you clear states if the device had just gone to some site on 80, and you try to go to that same site after you put in the block rule.

    You might want to make the rule reject vs just block so the device will know right away that the port is blocked, vs trying multiple times and then giving a timeout. Keep in mind many sites are https (443), so you prob want to block that too, or create an alias that has both 80 and 443 ports in it.
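An added illustration (not code from the thread or from pfSense) of the three points in the reply above: top-down first-match evaluation, an alias holding ports 80 and 443, and the fact that an existing state is matched before the ruleset is consulted, so the new reject rule only bites after states are cleared. The rule and state representations are simplified constructions, not pf's internal format.

```python
import ipaddress

# Constructed sample values: the LAN2 host from the thread and a ports alias
# covering both http and https, as the moderator suggests.
WEB_PORTS = {80, 443}
BLOCKED_HOSTS = {ipaddress.ip_address("192.168.2.101")}


def make_rule(action, src=None, dports=None):
    """A rule with optional source-host and destination-port match criteria."""
    return {"action": action, "src": src, "dports": dports}


def matches(rule, src_ip, dport):
    if rule["src"] is not None and ipaddress.ip_address(src_ip) not in rule["src"]:
        return False
    if rule["dports"] is not None and dport not in rule["dports"]:
        return False
    return True


def evaluate(rules, states, src_ip, dport):
    """Return the action for a flow. Existing states are honoured before the
    rules are walked; otherwise the first matching rule wins, and an unmatched
    flow is blocked by the implicit default deny."""
    key = (src_ip, dport)  # simplified state key (constructed)
    if key in states:
        return "pass"
    for rule in rules:
        if matches(rule, src_ip, dport):
            if rule["action"] == "pass":
                states.add(key)
            return rule["action"]
    return "block"


# Wrong order: the general allow sits first, so the reject below it never fires.
WRONG_ORDER = [
    make_rule("pass"),
    make_rule("reject", src=BLOCKED_HOSTS, dports=WEB_PORTS),
]

# Fixed order: reject above the allow, so the restricted host loses 80/443 only.
FIXED_ORDER = [
    make_rule("reject", src=BLOCKED_HOSTS, dports=WEB_PORTS),
    make_rule("pass"),
]
```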




  • Hi John,

    Had a quick play with what you suggested and it's currently working just as I had hoped (I have a rule for 443 as well). Thank you for the help and for pointing me in the right direction, it is much appreciated :)

