NAT problem with an Alias containing multiple ports



  • Hello,

    I'm just testing out pfSense to possibly replace our current IPCop setup, and have run into a problem.

    We have a couple webservers here, so to save time when setting up the NAT and Rules entries, I created a PORT_WEB alias containing ports 80, 443 and 3389.  In the NAT entry I've set the external port range "from" dropdown to (other) and entered PORT_WEB in the textbox, and then left the "to" settings at (other) and blank.  Then in the local port dropdown I've also selected (other) and again typed PORT_WEB in the textbox.

    So now when I try to connect on port 80, everything is fine.  But then when I try to connect to either port 443 or 3389, I end up connecting to port 80.  Just to test if it was going to port 80 because it was the first port in the list, I tried re-entering my PORT_WEB alias in the reverse order, so now it was 3389, 443, 80, and sure enough, connection attempts to any of those 3 ports all went to port 3389.

    So did I miss something when setting up my NAT entry, or can a multiple single port alias not be used in this way?  It's not a huge problem since I can enter them individually, but it would have been a real time saver if this had worked.

    Thanks,
    Rick



  • Similar problem here.

    I'm running pfSense 1.2.1 live from the CD as a test, in hopes that it can be used more permanently.
    I've got an alias defined that contains the same ports (80,443,3389), and in the same order.  80 is the first port defined in the alias.

    I have a NAT rule using this port alias that has automatically created a firewall rule for me,
    and… this rule works for me over port 80, but not over port 443.

    If, however, I add an additional NAT rule that specifies port 443 instead of referencing my port alias, and give that rule higher precedence over that of the rule using the port alias,
    my test is a success... even across port 443.

    I too would like to know if I have overlooked something.
    Any suggestions you can offer are more than welcome.

    Thanks

