Topic: Port forwarding only working to /24 addresses
NoMiT
« on: February 23, 2012, 06:22:59 pm »

Hello all, thanks in advance for reading my question.

My pfSense setup is on a /16 subnet (the LAN interface is 192.168.1.1/16) with devices ranging from 192.168.0-255.0-255, and they can all use the gateway fine and access the WAN correctly.

However, I simply do not understand what port forwarding is doing.

If I forward port 7000 from a WAN address to a device on the LAN (192.168.1.232/16, for example), it will not work, UNLESS I change the subnet on the 192.168.1.232 device to /24.

Example addresses of Port forwarding working
192.168.1.232 With a Subnet of 255.255.255.0
192.168.13.180 With a Subnet of 255.255.255.0

Example addresses of Port forwarding not working
192.168.1.232 With a Subnet of 255.255.0.0
192.168.13.180 With a Subnet of 255.255.0.0


I have tried different ports/devices and every time it only works if the LAN device is set to a /24 subnet.

Any ideas?
marcelloc
« Reply #1 on: February 23, 2012, 06:55:11 pm »

I have NAT configured on /22 networks with no issues. Can you post a screenshot of your NAT rule?

Have I helped you? Donations are always welcome! Grin

cmb
« Reply #2 on: February 23, 2012, 08:24:17 pm »

What's the source IP of the host you're port forwarding traffic from? Out on the Internet, or on a private network? My first guess is you're forwarding in from a 192.168.x.x network and hosts with a /16 mask see that as a local network, which means the replies won't go anywhere.

pfSense Commercial Support

Paying customers receive support priority and as in depth of assistance as desired through the official commercial support channels at portal.pfsense.org. Forum users receive as much help as time permits.
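
The on-link decision that Reply #2 guesses at, as an added example that is not part of the original thread: a host replies directly (ARP, no gateway) to any peer inside its own interface network, so the reply never passes back through the firewall that holds the NAT state. The host and gateway addresses come from the thread; the two peer addresses are constructed samples and the function names are hypothetical.

```python
import ipaddress

def reply_next_hop(host_cidr, gateway, peer):
    """Return (decision, next_hop) for a reply sent from host_cidr to peer.

    A peer inside the host's interface network is on-link: the host ARPs
    for it directly. Anything else is handed to the default gateway.
    """
    iface = ipaddress.ip_interface(host_cidr)
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip in iface.network:
        return ("on-link", str(peer_ip))
    return ("via-gateway", gateway)

def survey(host_cidrs, gateway, peers):
    """Evaluate every host mask against every peer address."""
    rows = []
    for host in host_cidrs:
        for peer in peers:
            decision, hop = reply_next_hop(host, gateway, peer)
            rows.append((host, peer, decision, hop))
    return rows

GATEWAY = "192.168.1.1"                          # pfSense LAN address (from the thread)
HOSTS = ["192.168.1.232/16", "192.168.1.232/24"] # same device, both masks (from the thread)
PEERS = [
    "192.168.50.10",   # constructed: client on some other 192.168.x.x network
    "203.0.113.25",    # constructed: documentation address standing in for an Internet client
]

if __name__ == "__main__":
    for host, peer, decision, hop in survey(HOSTS, GATEWAY, PEERS):
        print(f"{host:<18} reply to {peer:<14} -> {decision:<11} next hop {hop}")
```

Only the /16 host combined with a 192.168.x.x source yields an on-link reply; a public source is routed via the gateway under either mask.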
NoMiT
« Reply #3 on: February 24, 2012, 08:27:27 am »

Thank you guys for the replies. I posted 3 images. One of my LAN interface, one of the port forward, and one of the related rule.

I am forwarding the port from the WAN address, which is a public-facing IP on a /5 subnet (it is not a 192 address).
marcelloc
« Reply #4 on: February 24, 2012, 08:46:12 am »

I did not find errors in your config.
Does your WAN have a valid IP?
NoMiT
« Reply #5 on: February 24, 2012, 09:06:49 am »

Yes, it has a valid WAN IP, and I can access the internet via internal devices on both /24 and /16 subnets, but the really odd part is that the port forwards work fine if I change the device to a /24.

Right now the websites in question are available and being used (because I switched their internal IP to a /24), but it is really annoying to have to segment parts of our internal network for no logical reason.
cmb
« Reply #6 on: February 24, 2012, 09:23:08 am »

Time to packet capture. Start with the LAN on the firewall, filter on the destination host's IP. If you see it leaving there, go to the target server and capture.