Cannot PF/NAT to save my life...
-
@Elmojo said in Cannot PF/NAT to save my life...:
So is it a public or a private??
My IP is public, I believe. It's not static, and is subject to change whenever my router reboots, or if my ISP feels like it, if that makes any difference.
Private in this case would mean that you are on the ISP's internal IP range and you are behind their FW and NAT. If you look at the IP that pfsense is listing under Interfaces - WAN, and compare to what https://www.whatismyip.com/ reports. Are they the same or different?
If different, you are NATed and will not be able to reach your servers from the outside in the simple way you intended.
Your option then is to call up the ISP and ask for a public IP, or use a VPN service that works for this type of setup. -
@Gblenn said in Cannot PF/NAT to save my life...:
If you look at the IP that pfsense is listing under Interfaces - WAN
No IP is shown on that screen, it just says "IPv4 Configuration Type: DHCP"
However, if I look at the pfsense dashboard, at the section under "Gateways" and compare that to whatismyIP.com, I see that I'm getting different IPs. Is that what you mean?
If so, then it appears I'm NAT'd.
That would explain why none of the services I've tried to set up over the years have worked properly. I just can't imagine why no one has had me do this simple check! -
@Elmojo said in Cannot PF/NAT to save my life...:
I see that I'm getting different IPs. Is that what you mean?
Exactly. This is what I tried hard to find out, without success.
If you say "it's public, not private" you should know what the difference is. Otherwise you should ask how to determine it.
-
@viragomann I'm very sorry, but I have extreme difficulty understanding you. I appreciate you trying to help, though. Thanks!
-
@Elmojo said in Cannot PF/NAT to save my life...:
@Gblenn said in Cannot PF/NAT to save my life...:
If you look at the IP that pfsense is listing under Interfaces - WAN
No IP is shown on that screen, it just says "IPv4 Configuration Type: DHCP"
However, if I look at the pfsense dashboard, at the section under 'Gateways" and compare that to whatismyIP.com, I see that I'm getting different IPs. Is that what you mean?
If so, then it appears I'm NAT'd.
That would explain why none of the services I've tried to set up over the years have worked properly. I just can't imagine why no one has had me do this simple check!
Yes unfortunately it would appear that you are NATed.
But there are ways to solve this, and the first thing would be to call your ISP and say that you want a public IP. Not that they should require a reason for it but how about you need to access your security cameras for example...
Depending on ISP, they may ask for a fee, which I think is outrageous, but some do. Anyway, if that is the case, and it feels like it will be too costly, I'd look at setting up a VPN instead. I believe there are free versions that should work, but it can't just be any VPN. It has to be someone that will provide your own IP at the "end of the tunnel" so to speak...
Another solution that is quite easy to set up is Tailscale. https://tailscale.com/
It is also a VPN solution of sorts, and they even have a plugin for pfsense. You will need to install a client on each device that you want to use to access your home, like your phone, laptop etc. I believe with the free version you can have up to 3 clients.
Then you set up Tailscale on pfsense, or in a docker container if you prefer that, as the "access node" and via that your clients can access your entire LAN or parts of it, however you want to set it up. -
@Elmojo said in Cannot PF/NAT to save my life...:
. I just can't imagine why no one has had me do this simple check!
And where are your threads where you asked about port forwarding? This is always the first thing to validate when users are having issues. 2nd, even after they say they have a public IP, is a simple sniff on their wan while they run, say, a check from can you see me . org. Do you see the traffic? If not there is nothing pfsense can do.. It can not forward what it never sees.
I don't know who you worked with before - but I find it highly unlikely that I would not have run across threads or multiple threads here asking for help with port forwarding... I have been here many many years.. And yeah first thing to validate is on a public IP, and traffic actually gets to pfsense... It's pointless even to look at what they are doing with forwarding or rules without knowing the traffic is actually getting to pfsense.
-
@johnpoz said in Cannot PF/NAT to save my life...:
where are your threads where you asked about port forwarding?
Mostly on Reddit. I had a couple threads here a while back, but I can't recall if they were about forwarding or not. I'm not wild about how this forum handles replies and stuff, although the folks here have been nothing but helpful. :)
-
@Elmojo well doing the packet capture to validate traffic even gets to pfsense to forward is right there in the docs
Were you actually in the pfsense section or the homenetworking reddit where it's mostly the blind leading the blind. And most of them only have experience with your typical home wifi router, that can not even do a packet capture, etc.
-
@johnpoz I don't believe I've ever seen that particular doc page. It looks helpful.
I don't recall which subs I was on. I can't see how it matters now anyway.
Now that I know I'm stuck behind a NAT, I have at least an idea of what needs to be fixed.
I've spoken to my ISP, and they are 100% clueless. They don't even know what a public IP is. They are all in India, and are all reading from scripts. I've asked to speak with a higher level tech, and I'm told there are "none available at this time".
This company (Brightspeed) sucks so bad, but they are literally my only option in this area, other than satellite internet, which doesn't interest me.
It appears that my only option is to pay $15/month extra for a static IP. I'm considering it. -
@Elmojo satellite is almost always going to be cgnat as well anyway.
How is it you spoke to your isp and they are clueless - but you can get a static IP for 15 bucks a month? You mean through some vpn solution that does port forwarding?
Are you wanting this rustdesk to open to the public? Or for your own consumption while you're out and about? Do you support multiple clients and you want to run their hbbs/hbbr server so you can support other clients? to talk to each other?
What is the end goal for wanting to install this software.. Remote control of other machines or your own machines there are like a bajillion ways to skin that cat..
-
@johnpoz said in Cannot PF/NAT to save my life...:
satellite is almost always going to be cgnat as well anyway.
Which is why I'm not interested.
I can actually get pretty great cellular home internet for $50/month through T-Mobile, but it's the same deal: cgnat, no option for static IP.
@johnpoz said in Cannot PF/NAT to save my life...:
How is it you spoke to your isp and they are clueless - but you can get a static IP for 15 bucks a month?
Because they list it as an add-on option on their web site. But when I speak with their "tech support" people, they barely even know what an IP address is, let alone the difference between a public or private external IP, or what it means to be NAT'd.
@johnpoz said in Cannot PF/NAT to save my life...:
Are you wanting this rustdesk...
Rustdesk is just one of several containers that I've been trying to expose to external access without success for a couple years now. Each time, I always just hit a wall of frustration and give up. Now I know it was because it was never going to work as long as my ISP is monkeying with my IP. lol
Once I get a static IP, I suspect all the tutorials I've been attempting to follow will suddenly work as expected, and things will go much more smoothly.
I realize there are other ways around it. I'm already running ZeroTier for remote access of my server at work, and it's been great. However, I'd prefer not to have to jump through all those extra hoops, and put extra clients in the loop, for each service I want to run externally. It would be far easier if things just worked. I may be wrong, and please tell me if I'm misunderstanding how this all works, but I think a static public IP would solve all that, right? -
@Elmojo it doesn't even have to be "static" you just want a public IP that can get unsolicited inbound traffic. Quite often when you have a public IP via dhcp, even though not "static" it rarely changes... I have had the same IP for years at a time... The last time it changed was when my isp merged with another isp and they redid their whole IP structure... But since then I have had the same IP..
Now to get around them using cgnat for you, it's quite possible they will give you a static for a fee.. But it doesn't really have to be static, as long as it's not changing like every hour or every 24 hours or something should be fine.. DDNS is a way to keep some public record updated with what your public IP is.
You just need for it to be able to get a public one that people can send traffic to that you see.. You sure you don't just have an isp device in front of pfsense that has the public IP?
Pfsense wan IP shows what? 10.x, 192.168.x.x or 172.16-31.x.x ? This is rfc1918 space.. Normally ISP would not use this range for cgnat... They would use 100.64.0.0 thru 100.127.255.255, this is the range 100.64.0.0/10
What does your pfsense wan IP show?
If you go to status interfaces.. What does it show for pfsense wan?
Maybe your isp device in front of pfsense is just doing normal nat? And gives pfsense say a 192.168.x.x, 10.x.x.x, or 172.16-31.x.x address? if pfsense IP is 100.64-127.x.x then yeah that is the cgnat range.
If it's just your isp device you're plugging pfsense into - they can quite often be put into bridge mode, that passes the public IP to pfsense wan.. Or even if not, you can setup pfsense in what is called dmz host mode, where all unsolicited inbound traffic to your actual public IP is forwarded to pfsense wan IP.
-
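Added example, not code from the thread: a small Python check (standard library only) that puts together the two tests described above, Gblenn's "compare the pfSense WAN address with what whatismyip reports" and johnpoz's breakdown of RFC1918 space versus the 100.64.0.0/10 CGNAT range. Every address in it is a constructed placeholder, and the function names are mine.

```python
import ipaddress

# RFC1918 space: a WAN address here usually means an ISP modem/router in
# front of pfSense is doing ordinary NAT (bridge mode or DMZ host may fix it).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6598 shared address space, the range ISPs normally use for CGNAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan(addr: str) -> str:
    """Say what kind of address pfSense's WAN interface is holding."""
    ip = ipaddress.ip_address(addr)
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    if ip in CGNAT:
        return "cgnat"
    if not ip.is_global:
        return "other-nonroutable"   # loopback, link-local, documentation ranges, etc.
    return "public"


def diagnose(wan_addr: str, observed_addr: str) -> str:
    """Combine the WAN address type with the 'what is my IP' comparison.

    observed_addr is what an outside service reports as your source address.
    """
    kind = classify_wan(wan_addr)
    same = ipaddress.ip_address(wan_addr) == ipaddress.ip_address(observed_addr)
    if kind == "public" and same:
        return "public: unsolicited inbound traffic can reach pfSense, port forwards can work"
    if kind == "public" and not same:
        return "public but mismatch: something upstream is in the path, confirm with a WAN packet capture"
    if kind == "rfc1918":
        return "rfc1918: ISP device is doing NAT, look at bridge mode or DMZ host on it"
    if kind == "cgnat":
        return "cgnat: ask the ISP for a public IP, or use an overlay VPN such as Tailscale/ZeroTier"
    return kind


if __name__ == "__main__":
    # Constructed sample pairs (WAN address as pfSense shows it, address seen from outside).
    samples = [("192.168.1.2", "1.2.3.4"), ("100.70.1.2", "1.2.3.4"), ("1.2.3.4", "1.2.3.4")]
    for wan, seen in samples:
        print(f"WAN {wan:<12} seen-as {seen:<10} -> {diagnose(wan, seen)}")
```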
@johnpoz This is helpful, thank you. I'll respond in the morning more fully when my eyes aren't crossed. lol
-
@johnpoz said in Cannot PF/NAT to save my life...:
it doesn't even have to be "static" you just want a public IP that is can get unsolicited inbound traffic. Quite often when you have a public IP via dhcp, even though not "static" it rarely changes...
Unfortunately, my ISP are idiots, and no one I've spoken with so far even knows the difference between a static and dynamic IP. The last person told me that my IP was likely to change "due to the activity of my devices". Uh huh, right.
Also, mine changes quite often. My internet just...drops...about 2-3 times per month, and I get a new IP every time it comes back up. So every couple weeks at least, I have a new IP to deal with. It's maddening, to say the least.
@johnpoz said in Cannot PF/NAT to save my life...:
You sure you don't just have a isp device in front of pfsense that has the public IP?
I'm fairly sure, but honestly I wouldn't trust that this DSL modem (it's a Zyxel c3000z) isn't pulling some shenanigans without my knowledge. I jumped through all the hoops to get it into bridge mode (I know that's not the proper term, just can't recall exactly what we did right now) so that I can use my pfsense box as the true router.
@johnpoz said in Cannot PF/NAT to save my life...:
Pfsense wan IP shows what?
Looks like this:
Does that help?
Sorry for the delay. Today ended up being unexpectedly crazy.
-
@Elmojo that is a public IP.. that is not rfc1918 or cgnat range..
How often it changes - is workable.. especially if its not like every hour or something..
So do a simple test.. Go "can you see me . org".. I didn't put that together but hope you can figure out what the domain is
Now pick a port any port lets call it 6666, send some traffic to the IP it shows for yours.. While you do a packet capture (under diag menu)... Do you see this traffic..
Here doing the same test..
Doesn't matter if it fails, what we are looking for is whether it actually gets to the pfsense wan interface.. You prob want to verify that the IP can you see me shows is the same IP pfsense has for its wan.. If not maybe you're behind a proxy?? But those IPs should be the same.. See mine starts with 209, from what you posted should start with 75 and last number should be 75.. Should be the same address.. Now on your packet capture do you see that traffic get to pfsense... See how my test failed (because I have nothing listening on that port) but you can see that pfsense saw it..
If you see the traffic then we can for sure get stuff working for you, and you're good to go - and we can work out how to setup a ddns so a fqdn (fully qualified domain name) points to your public IP - even if it changes down the road, and will be updated if it does in like 5 minutes.. etc.. But first thing we need to validate is traffic that is unsolicited can be seen by pfsense. That is what this test will validate.
edit: I just looked and the IP you last talked to the forums does line up with that 75.x.x.75 address - I see some other ones in a different range 174.x.x.x and another one that is close to the 75.x.x.75 address but slightly different network.. What I can not tell is how long ago those other IPs were used.. But currently your IP you talked to the forum with does line up with what you posted.. Maybe those 174 addresses were you talking to the forum from your phone, or elsewhere - or maybe your IP does change, but again to be honest even if changed every hour - as long as you can get to it from the public internet we can work with that.. If it changes every hour it could be problematic - but still workable.. We really just need to validate that pfsense can see unsolicited inbound traffic so we can forward it to something behind pfsense.
-
@johnpoz Oh man, thank you so much. This is super helpful!
Okay, I ran the capture, using that example port.
Here's the result...
Is it odd to have that 1st line in there? This is the result of a single "ping" of the canyouseeme tool.
I don't think I've ever seen an IP in the 52.x range.
In any case, you're correct, it's getting to my pfsense box in some form, so that's good, right?!
@johnpoz said in Cannot PF/NAT to save my life...:
I just looked and the IP you last talked to the forums does line up with that 75.x.x.75 address - I see some other ones in a different range 174.x.x.x
Those are both me. My IP was in the 174.x range until recently. It just changed to the 75.x last week.
I swear, these clowns (my ISP) are all over the map. lol -
@Elmojo Well that means you answered.. that 52 address is the can you see me site sending traffic to you.. You shouldn't have sent an answer.. Unless you have a "reject" rule on your wan? Or you had something listening on port 6666?
That is why you saw what you saw, but you see 3 attempts trying to talk to my IP on that port.. What are your wan rules - it is normally bad practice to setup a reject on your public facing interface.. Because you're going to cause pfsense to send traffic for every little noise that hits your public IP..
But yes that is good news - we can see the traffic coming to pfsense, so yes we can forward that to something behind pfsense.. And you should be good to go..
If you had a reject rule on the top of your wan lists, that could explain why none of your port forward attempts worked.. because your reject rule blocked it from getting to your port forward allow rule.
Could you post a picture of your wan rules? Here is mine as example - you will see multiple port forwards
The reject I have are for specific ports, for traceroute to work to my public IP.. Not something you would normally see, but I have it for a specific reason.. And I understand exactly what it's there for ;) Normally you would not want reject rules on your wan.. Lan side they can be very useful - but normally not good to put reject on your wan side interface that faces the public internet. You would just use block, which just drops traffic and doesn't answer in any way.
Do you have any rules in the floating tab?
-
@johnpoz said in Cannot PF/NAT to save my life...:
Unless you have a "reject" rule o your wan?
I do indeed. It was placed there by user "silence", who was helping me get things set up. I have no clue what it does, they just told me it was a good idea. :)
Here are my rules:
You see that most of them are disabled. Those are previous attempts to get various services working, which never panned out. Most of the failed attempts I deleted, but these I've left in place to remind me of what didn't work, and provide a placeholder for things I want to come back to later.
No, nothing in the floating tab.
I'll also note that none of the services you see implied by these rules are currently active or working.
For example, I'm not running NPM, or OpenVPN.
I will say that my BlueIris remote seems to kinda work, sometimes, so maybe that one is okay? lol
-
@Elmojo well your rustdesk ones are not going to work because they are below your reject.. Rules are evaluated top down, first rule to trigger wins, no other rules are evaluated.
You really have no need for that reject all rule.. Because there is default deny at the end.. I have specific block rules at the end of mine because I do not log the default deny (I turned that off) and only want to log what those deny rules trigger on.
But your 81 port shows open
Notice those below the reject rule are 0/0 for states, that 2nd 0 means the rule has never been triggered.. Notice your 81 rule and other ones have values that means that much traffic has been allowed..
If I hit your 81 port I get this
If you want to turn off logging of the default deny, but log specific traffic, then you can put a block rule at the end.. Like you see in my rules. But a reject on wan, especially an any any, is not a good idea.. You're forcing pfsense to answer any bit of noise that touches your wan that you do not allow.. That is just extra traffic you're sending for no valid reason.. My reject is only for specific ports, and only from US IPs, because I want to be able to run a traceroute to my IP and see the response at the end of it.
-
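Added example, not code from the thread or from pfSense itself: a small Python model of the top-down, first-match rule evaluation johnpoz describes, run over a constructed WAN ruleset shaped like the one in the post (an allow for port 81 on top, a reject-any-any, and an allow for the 6666 test port underneath). It shows why the rule below the reject keeps a hit counter of 0, and what removing the reject changes; rule names, ports and the `hits` field are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str                  # "pass", "block" (silent drop) or "reject" (drop and answer)
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port
    enabled: bool = True
    hits: int = 0                # plays the role of the second number in the States column


@dataclass
class Packet:
    proto: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, bool]:
    """Interface rules the way pfSense applies them: top down, first match wins,
    nothing below the match is looked at. Returns (rule name, action, answers?)."""
    for r in rules:
        if not r.enabled:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        r.hits += 1
        return r.name, r.action, r.action == "reject"
    # Nothing matched: the implicit default deny drops silently, like "block".
    return "default deny", "block", False


def build_wan_rules(with_reject_any: bool) -> List[Rule]:
    """Constructed ruleset: allow tcp/81 on top, optional reject any any, allow tcp/6666 below."""
    rules = [Rule("allow tcp 81", "pass", "tcp", 81)]
    if with_reject_any:
        rules.append(Rule("reject any any", "reject"))
    rules.append(Rule("allow tcp 6666", "pass", "tcp", 6666))
    return rules


def scenario(with_reject_any: bool) -> Tuple[Dict[int, Tuple[str, str, bool]], Dict[str, int]]:
    """Send one constructed TCP packet to each of three ports and report results and hit counters."""
    rules = build_wan_rules(with_reject_any)
    results = {p: evaluate(rules, Packet("tcp", p)) for p in (81, 6666, 9999)}
    hits = {r.name: r.hits for r in rules}
    return results, hits


if __name__ == "__main__":
    for flag in (True, False):
        results, hits = scenario(flag)
        print("with reject any any:" if flag else "reject removed:")
        for port, (name, action, answers) in results.items():
            print(f"  tcp/{port}: {name} -> {action}{' (sends a response)' if answers else ''}")
        print("  rule hit counters:", hits)
```

With the reject in place, tcp/6666 is answered by the reject and the allow beneath it never fires; with it removed, tcp/6666 passes and the unmatched tcp/9999 is dropped silently by the default deny.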
@johnpoz said in Cannot PF/NAT to save my life...:
You really have no need for that reject all rule
Fair enough. Like I said, especially at the time this was all set up, I knew next to nothing about rules and such, and was relying on the knowledge of others. I'll disable it.
@johnpoz said in Cannot PF/NAT to save my life...:
But your 81 port shows open
How? Did I publish my external IP somewhere? I don't mind you having it, but I'd prefer for it not to be flapping in the breeze, so to speak. lol
I'm not surprised that it's open. That service is working fairly well, until my IP changes, and I have to figure out what the new one is... I assume there's a way around that, which we'll get to, using duckDNS or similar?
@johnpoz said in Cannot PF/NAT to save my life...:
a reject to wan, especially a any any is not a good idea
I'm a believer. :)
Here's my new ruleset. Does this look better?
I notice that your last rule shows "commonUDP" as the destination port. I don't see that as a selectable preset. Did you build a custom range and name it or something?