Failing to get 1:1 NAT working
-
I have just put my pfSense firewall in place but I can't get my 1:1 NAT working. I have an x.y.z.88/29 subnet so the firewall IP is x.y.z.90. I am trying to route x.y.z.94 through to one of my servers but I am failing.
I have set up an IP alias with:
Interface = WAN
Address type = Single address
Address = x.y.z.94/29
Then in the NAT firewall I have created a 1:1 entry:
No Binat - <empty>
Interface = WAN
Address Family = IPv4
External Subnet IP = Address x.y.z.94
Internal IP = Address 172.17.2.40
NAT Reflection = Use system default
Port 9981 is listening on the server, but when I do an external port scan it says Timed Out. If I port scan internally, it shows Open.
What am I doing wrong?
-
@NickJH
You also need to add a firewall rule to WAN to allow access to 172.17.2.40, port 9981.
-
@viragomann
Thanks. I have it working now with a WAN rule:
Interface = WAN
Address Family = IPv4
Protocol = Any
Source = <blank>
Destination = 172.17.2.40
Is this correct? I never specify the x.y.z.94 IP, e.g. in source.
-
@NickJH
Also state the destination port, so that the access is limited to it.
-
@viragomann
Thanks. I actually have more ports forwarded and the target server runs its own firewall so in the past with other firewalls I have forwarded everything. I also have an outbound rule for it.
-
@NickJH
You can create an alias and add all allowed ports to it. Then state this alias as the port in the rule.
-
@viragomann
Can I ask why I had to create a WAN rule at all? If I do a Port Forward, it creates one for me in the Filter Rule Association dropdown. Shouldn't this option also be there for 1:1 NAT with a possible further option to create an Outbound rule?
-
@NickJH
This would require options to state external and internal ports and the proper rule association for each.
A bit complicated, and it's not what NAT 1:1 is meant for. The sense of 1:1 is to map an external IP to an internal one and also the other way round.
While port forwarding is meant to do what its name implies. And if you forward a port to an internal IP, you usually also want to pass this certain traffic.
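The two points made in this thread, that a 1:1 NAT entry only translates addresses and that the WAN pass rule must name the internal address and an alias of allowed ports, are easier to see in plain pf syntax than in GUI screenshots. The fragment below is an added example written for this page; it is not taken from the thread or from the rule file pfSense generates (pfSense builds its own rules from the GUI settings, so its output will differ in detail). The values are constructed: 203.0.113.94 stands in for x.y.z.94, em0 for the WAN interface, and the port list for the alias viragomann suggests. Outbound NAT and NAT reflection are left out.

```pf
# Added example, not from the thread or from pfSense's generated rules.
# Constructed placeholders: 203.0.113.94 stands in for x.y.z.94, em0 for WAN.

ext_if    = "em0"
pub_ip    = "203.0.113.94"     # public address added as an IP alias on WAN
srv_ip    = "172.17.2.40"      # internal server
srv_ports = "{ 9981 }"         # port alias: add further allowed ports here

# 1:1 NAT. binat translates both directions: inbound 203.0.113.94 -> 172.17.2.40
# and outbound 172.17.2.40 -> 203.0.113.94. It only rewrites addresses and
# passes nothing, which is why the original poster saw "Timed Out".
binat on $ext_if from $srv_ip to any -> $pub_ip

# Default stance on WAN: nothing comes in unless a later rule passes it.
block in on $ext_if

# Too broad: this is what "Protocol = Any, no destination port" amounts to.
# Every protocol and every port on the server becomes reachable from outside,
# leaving the host's own firewall as the only remaining control.
# pass in quick on $ext_if from any to $srv_ip

# Restricted WAN rule. pf translates before it filters, so the inbound packet
# already carries the internal destination when the rule is evaluated: the
# rule names 172.17.2.40 and never mentions 203.0.113.94, matching what the
# working GUI rule in the thread looks like, with the port alias added.
pass in quick on $ext_if inet proto tcp from any to $srv_ip port $srv_ports flags S/SA keep state
```

The order of evaluation is the whole answer to "why do I never specify x.y.z.94": translation rules run first, filter rules see the translated packet, so a WAN rule with destination x.y.z.94 would never match inbound traffic. When extending the alias, check from an external host that a port in the list connects and that a port not in it still times out; if everything is reachable, the rule is effectively the commented-out broad one.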