
I recently set up a pfSense router and can't get any port forwarding to work from outside my own LAN.

I have the following forwarding rule to a local server located at 10.0.1.2: [screenshot of the port forward rule, image not preserved]

Note that if I enable NAT reflection for this rule, then ssh -p 993 user@my-wan-ip works from my LAN, so the rule is having some effect. However, it will not work from outside my LAN.

This is extra strange because I have a rule for ICMP packets that does work: [screenshot of the WAN firewall rules, image not preserved]

If I disable the first rule in the image above, pings will start to fail from outside the network, so I know the firewall is working. However the second rule (the NAT firewall rule that was created when I created the port forwarding) seems to have no effect.

This worked fine using my old router. Is there anything I could be overlooking here?

Conor Taylor
  • Try setting the DstAddr to * and in the destination tab there should be a "Redirect target IP" address. Place that IP in that redirection address. – LUser Feb 05 '16 at 17:50
  • @Conor Taylor, the rule as seen here is not correct. The Destination should be "WAN address". Change it and see. – Diamond Feb 05 '16 at 19:21
  • Neither of those comments is correct; all the config shown is fine as is. – Chris Buechler Feb 05 '16 at 21:38
  • So, you never picked a correct answer. Did you ever diagnose it? What was the solution? – ADJenks Nov 12 '20 at 03:23

3 Answers

Your config is correct to send 993 destined to your WAN IP to 10.0.1.2 port 993.

Go through the troubleshooting steps. You can eliminate at least common problems 1, 6, 7, and 10-14 and probably more than that. https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

First I'd filter Diag>States for :993 when trying to connect from the Internet, and see what's there. If nothing, and you're not seeing any 993 blocks in the firewall log, then it's not reaching your WAN (blocked upstream somewhere). If something's there, what does it look like?

Chris Buechler
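The triage Chris describes (filter the state table for :993, then look for 993 blocks in the firewall log on WAN) can be scripted against saved output. The following Python is an added example, not code from this answer or from pfSense. It assumes pfSense's filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 fields and the TCP/UDP ports) and state lines shaped like `pfctl -ss` output; the interface name `em0`, the tracker ids and every address and port in the sample lines are constructed placeholders.

```python
"""Triage a pfSense port forward from saved filterlog and state-table output.

Added example for this thread, not code from the answer or from pfSense.
Assumed input layouts:
  * firewall log lines in pfSense's filterlog CSV format
    (rule,sub-rule,anchor,tracker,interface,reason,action,direction,ipver,
     then for IPv4: tos,ecn,ttl,id,offset,flags,proto-id,proto,length,src,dst,
     then for TCP/UDP: sport,dport,...)
  * state lines shaped like `pfctl -ss` output
Interface name, tracker ids, addresses and ports below are constructed.
"""
import re
from collections import Counter

FILTERLOG_RE = re.compile(r"filterlog(?:\[\d+\])?: (.*)$")
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+(?P<a>[\d.]+):(?P<aport>\d+)"
    r"(?:\s+\((?P<t>[\d.]+):(?P<tport>\d+)\))?"
    r"\s+(?P<dir><-|->)\s+(?P<b>[\d.]+):(?P<bport>\d+)\s+(?P<state>\S+)"
)

# Constructed sample input: documentation-range public addresses, WAN on em0.
# The "pass" line shows the destination already translated to 10.0.1.2, which
# is how a WAN pass rule matching a port forward is assumed to be logged.
FILTERLOG_SAMPLE = """\
Feb  5 17:50:01 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.7,203.0.113.5,54321,993,0,S,11111,,65535,,mss
Feb  5 17:50:02 pfSense filterlog: 70,,,1450001234,em0,match,pass,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.7,10.0.1.2,54322,993,0,S,22222,,65535,,mss
Feb  5 17:50:03 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,53,0,0,DF,6,tcp,60,198.51.100.9,203.0.113.5,40000,22,0,S,33333,,65535,,mss
"""
STATES_SAMPLE = """\
all tcp 10.0.1.2:993 (203.0.113.5:993) <- 198.51.100.7:54322       ESTABLISHED:ESTABLISHED
all tcp 10.0.1.5:52000 -> 203.0.113.50:443       ESTABLISHED:ESTABLISHED
"""


def parse_filterlog(text):
    """Return one dict per IPv4 TCP/UDP filterlog line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = FILTERLOG_RE.search(line)
        if not m:
            continue
        f = m.group(1).split(",")
        # 9 common fields + 11 IPv4 fields + at least sport and dport
        if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
            continue
        records.append({
            "tracker": f[3], "iface": f[4], "action": f[6], "dir": f[7],
            "proto": f[16], "src": f[18], "dst": f[19],
            "sport": int(f[20]), "dport": int(f[21]),
        })
    return records


def parse_states(text):
    """Return one dict per pfctl -ss style TCP/UDP state line."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        states.append({
            "proto": d["proto"], "dir": d["dir"], "state": d["state"],
            "a": d["a"], "aport": int(d["aport"]),
            "t": d["t"], "tport": int(d["tport"]) if d["tport"] else None,
            "b": d["b"], "bport": int(d["bport"]),
        })
    return states


def triage(filterlog_text, states_text, wan_if, port):
    """Classify what happened to inbound traffic for `port` on `wan_if`.

    Mirrors the answer's reasoning: no state and no log entry means the
    traffic never reached the WAN (dropped upstream); blocks without any
    pass or state means a WAN rule dropped it; otherwise the forward was hit
    and the next thing to check is the target host and its return path.
    """
    hits = [r for r in parse_filterlog(filterlog_text)
            if r["iface"] == wan_if and r["dir"] == "in" and r["dport"] == port]
    states = [s for s in parse_states(states_text)
              if port in (s["aport"], s["tport"], s["bport"])]
    actions = Counter(r["action"] for r in hits)
    if not hits and not states:
        verdict = "no-traffic-at-wan"   # blocked before it reaches pfSense
    elif not actions.get("pass") and not states:
        verdict = "blocked-at-wan"      # look up block_trackers in the rule set
    else:
        verdict = "forward-reached"     # check the target host is listening
    return {
        "verdict": verdict,
        "blocks": actions.get("block", 0),
        "passes": actions.get("pass", 0),
        "states": len(states),
        "block_trackers": sorted({r["tracker"] for r in hits if r["action"] == "block"}),
    }


if __name__ == "__main__":
    print(triage(FILTERLOG_SAMPLE, STATES_SAMPLE, "em0", 993))
```

Feed it the relevant portion of the firewall log and the state table captured while a connection attempt is made from outside; a `blocked-at-wan` verdict lists the tracker ids of the blocking rules so they can be matched against the rule set, and `forward-reached` moves the investigation to the host at 10.0.1.2.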

If you add a Proxy ARP virtual IP address, does that make a difference?


NAT reflection is disabled by default, so tests from your internal network are going to fail. From pfSense's Troubleshooting Guide:

Port forwards do not work internally unless NAT reflection has been enabled. Always test port forwards from outside the network, such as from a system in another location, or from a 3G/4G device.

I think I've tripped over this one a few times. Turn off WiFi on your phone, then test with that.

sherb