civdef2019-09-18 17:04:42
civdef, 2019-09-18 17:04:42

Port forwarding does not work when a white ip is provided by the provider's NAT on the external interface, why?

Hello, there is pfsense with two interfaces, let's call them internal and external. The provider uses Nat to give a white address to the external interface. Port forwarding is performed on the server from the external interface to the service behind the internal interface. When accessing the external interface, port forwarding works. When accessing a white ip (which is provided using nat) does not work. Why does this configuration not work and how to make it work?

Answer the question

In order to leave comments, you need to log in

4 answer(s)
Nikolay, 2018-04-24

position: absolute

Drno, 2019-09-18

And what ip is shown FOR NAT, for example on 2ip?
Maybe you have an internal IP on the interface?

Alexander, 2019-09-18

the concepts of NAT and White IP are mutually exclusive. If you have NAT, then you cannot have a white IP, and if you have a white IP and everything works, then this is definitely not NAT.
Since it doesn’t work, then most likely you have NAT and it doesn’t even smell like a white IP.

iddqda, 2019-09-19

When accessing the external interface, port forwarding works.
When accessing a white ip does not work
circulation from where?
if from inside, then it doesn't work correctly,
S - external address of the server
s - internal address of the server
c - internal address of the client
(src->dst) - IP packet with source and destination addresses
1. you send a packet from the client to the external address of the server (with -> S)
2. the packet goes through the firewall, which does port-forwarding i.e. natit external address in the internal
packet pr(c -> s)
3. server receives this packet and responds with a packet (s->c) ie. the internal address of the server is used as the outgoing address.
4. the client receives a packet from the server, but it expects a packet from address S and receives it from address s
, so it discards it and waits further
To overcome this behavior, two approaches are used:
1. hairpinning is when the left network is used to translate packets from internal clients to internal services
2. dnz view when DNS keeps a separate zone with internal addresses for internal clients.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question