Netgate Discussion Forum

    WAN port forward to LAN ips (multi wan).

    Routing and Multi WAN
      analyzerx

      This is my LAN setup:

      2xZYXEL 660R adsl modems…
      ips: 192.168.2.1 and 192.168.3.1

      WAN1 ip 192.168.2.2 gateway: 192.168.2.1
      WAN2 ip 192.168.3.2 gateway: 192.168.3.1

      pfsense on LAN 192.168.1.1

      now what I want to do is to be able to forward some ports from one or if possible both WAN ips to some LAN ips...
      for example...
      port 80 on WAN1 goes to 192.168.1.10
      port 3000 on WAN1 goes to 192.168.1.90

      and if possible,
      port 90 on WAN2 goes to 192.168.1.110

      getting my drift? :/
      how can I do this?

        hoba

        Just add port forwards at both interfaces with Firewall > NAT, Port Forward. Make sure your modem routers in front of the WAN are forwarding incoming requests from WAN to the pfSense's WAN interfaces. Entering a DMZ IP at the modem routers is the easiest way to redirect ALL traffic to the WANs of the pfSense (if these modem routers have that option).

          analyzerx

          I think I've done that…
          modem 1 with ip 192.168.2.1 forwards all ports to 192.168.2.3

          should it forward there or to something like 192.168.1.1???
          I've forwarded for example port 3000 like this:

          but nothing happens… o_O

            hoba

            Make sure you have a firewall rule in place too to allow this traffic. Also check the order of your firewall rules (first match wins). If you block something earlier you can't make it pass with a rule that is further down the list. Best thing is to let the firewall rules be autocreated. Also check that you have "block private subnets at WAN" at Interfaces > WAN disabled, as your routers in front have private IPs (shouldn't be necessary, but try if this makes a difference).

              analyzerx

              I'm pretty pissed off with this so I removed all firewall rules, all port forwards and stuff and now have:

              LAN -> any
              WAN -> any

              and the portforward at port 3000 :P
              absolutely nothing! o_O


              block private nets is disabled and so is the second WAN just in case it gets things complicated…
              I don't get it... am I that stupid? o_O

                JeGr LAYER 8 Moderator

                Your rule on the WAN IF seems to be wrong. You want all incoming packets TO the WAN IF to go inside, not all packets FROM the WAN IF (there are not that many with a source of WAN IF).

                Change it to something like:

                "from all to WAN IP"

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                  analyzerx

                  OW MY GOD I'LL CRY!!!

                  I love you both! :P eheh~ ^_^
                  Thanks guys… Grey thnx a million... ; )

                    JeGr LAYER 8 Moderator

                    Your humble servant ;D
                    Always a pleasure.

                      hoba

                      Actually it is from source any to destination NAT IP. NAT is applied first, after that firewall rules are applied.

                      In your case your WAN rule should look like:
                      pass, interface WAN1, proto tcp, source IP any, source port any, destination IP 192.168.1.10, port 80 for the webserver example.

                      Btw, now as I look closer, why do you want to forward port 3000 to the pfSense's LAN IP itself? What is running at 3000? For these kinds of things you only need to allow traffic to the WAN IP of the pfSense. No NAT rule is needed.

                      And another btw, it's always the easiest thing to let the pfSense create the firewallrules. Just make sure "autocreate firewall rule" at the bottom when adding a portforward is checked.
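
The ordering described in this thread (port forward applied first, then the WAN rules checked top-down with first match wins) can be modelled in a few lines. This is an added example, not part of the original posts and not pfSense code; the client address 203.0.113.7 and all function and variable names are constructed for illustration, while the WAN and LAN addresses are the ones from the thread.

```python
from dataclasses import dataclass, replace

ANY = "any"

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination TCP port

# Port forwards from the thread: (interface, WAN address, port) -> (LAN host, port)
PORT_FORWARDS = {
    ("WAN1", "192.168.2.2", 80): ("192.168.1.10", 80),
    ("WAN2", "192.168.3.2", 90): ("192.168.1.110", 90),
}

def apply_nat(pkt):
    """Step 1: rewrite the destination if a port forward matches."""
    target = PORT_FORWARDS.get((pkt.iface, pkt.dst, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt

def matches(rule, pkt):
    _action, iface, src, dst, dport = rule
    return (iface == pkt.iface and src in (ANY, pkt.src)
            and dst in (ANY, pkt.dst) and dport in (ANY, pkt.dport))

def evaluate(pkt, rules):
    """Step 2: filter the translated packet; first match wins, default block."""
    translated = apply_nat(pkt)
    for rule in rules:
        if matches(rule, translated):
            return rule[0], translated.dst
    return "block", translated.dst

# Constructed request: an Internet client reaching WAN1 on port 80 via the modem router.
REQUEST = Packet("WAN1", "203.0.113.7", "192.168.2.2", 80)

# Rule tuples: (action, interface, source, destination, destination port)
SOURCE_IS_WAN = [("pass", "WAN1", "192.168.2.2", ANY, ANY)]     # source and destination mixed up
DEST_IS_WAN = [("pass", "WAN1", ANY, "192.168.2.2", 80)]        # pre-NAT address, never seen by the filter
DEST_IS_LAN_HOST = [("pass", "WAN1", ANY, "192.168.1.10", 80)]  # post-NAT address, as hoba describes
BLOCK_FIRST = [("block", "WAN1", ANY, ANY, ANY)] + DEST_IS_LAN_HOST  # earlier block shadows the pass

if __name__ == "__main__":
    for name in ("SOURCE_IS_WAN", "DEST_IS_WAN", "DEST_IS_LAN_HOST", "BLOCK_FIRST"):
        print(f"{name:17} -> {evaluate(REQUEST, globals()[name])}")
```

Only the rule whose destination is the internal host passes the forwarded request, and it exposes nothing beyond that one host and port, unlike a blanket "WAN -> any" rule.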

                        JeGr LAYER 8 Moderator

                        Indeed a question, which slipped my attention. Shouldn't post after midnight make mental note

                        Right, you shouldn't need a NAT Rule for this, only if you want to redirect past pfsense to another network, you'll need these NAT redirects. But as I read your first post, you would like to RDR port 3000 to 192.168.1.90 so I suppose it was just a quick test, if rules work, wasn't it?

                          hoba

                          I suggest restarting from scratch. Delete all firewall rules you made for the NATs so far. Also delete all NATs. Then apply your settings.
                          After that add the portforwards just to the WAN1 and WAN2 as needed and let the firewallrules be autocreated. It's really not a very difficult task to get this running.  ;)

                            JeGr LAYER 8 Moderator

                            I guess the Zyxel are DSL Routers (or they route somehow, but DSL modems normally don't hand out private IP ranges ;) )
                            I further guess - based on your information - your net looks something like that, eh?

                                 NET           NET
                                  |             |
                            +-----+-----+ +-----+-----+
                            | DSL-Router| | DSL-Router|
                            +--------+--+ +--+--------+
                               .3.1  |       | .2.1
                                     |       |
                               OPT1  |       | WAN
                                     |       |
                               .3.2  |       | .2.2
                                   +-+-------+-+
                                   |  PFSENSE  |
                                   +-----+-----+
                                         | 192.168.1.1
                                         |
                                         |          +--------------------+
                                         +----------+      Switch        |
                                                    +--------------------+        
                                                             |  |
                                                 +----+      |  |      +----+
                                   192.168.1.90  + PC +------+  +------+ PC +  192.168.1.10
                                                 +----+      |  |      +----+
                                                             |  |
                                                others ------+  +------ others (192.168.1.110)
                            
                            

                            So you have redundant (or two separate) DSL lines. One should be WAN, the other OPT1 (as pfSense calls it). If that's the case, that shouldn't cause much trouble. As hoba already said, just let pfSense create the rule of your NAT redirect, it normally knows how to do it right ;)
                            If it won't work, check both Zyxels to see if they route all traffic to pfSense. And also watch the logs carefully (perhaps via SSH login and watching pflog output, too) to see why a packet is blocked (clicking on the little icon in pfSense's log view will tell you which rule caused it)

                            Hope that helps,
                            Grey

                              analyzerx

                              I'll start from scratch tomorrow morning in any case… ^_^
                              It works now and I've understood some stuff much better...

                              Grey the network is exactly like you drew it... (btw how did you do the diagram? :P)

                              Both your advice are excellent and I cannot thank you enough for your help! :)
                              My biggest mistake was mixing up source and target networks... I was creating wrong firewall rules...
                              Allowing pfsense to make the rules would be easy indeed... but it didn't work the first time I tried it (some other mistake), so I gave up on it! :P
                              hehe~

                              ps. hoba the 3000 port is just a test! :P my ISP doesn't allow ports 80,81 and 8080 to be used so I had to play with something else until my static ips kick in! :P

                              Thanks again guys!

                                JeGr LAYER 8 Moderator

                                As you like to say "I did it from scratch" - so to speak. I just like things to be crystal clear when it comes to network problems ;) So I have a few small ASCII text network diagrams ready to explain things better than only writing the facts :) Just a faible - but a helpful one. It helps me understand problems and others explaining my faults in guessing the facts  ;D

                                So I'm glad it was helpful.
                                Greets
                                Grey

                                  hoba

                                  You have them "ready"? Great, you should post them somewhere so people can refer to them or copy and paste to describe things  :D

                                    JeGr LAYER 8 Moderator

                                    I'll try to make a few for different setups :) Only have to think 'bout where to put them. Any hint?

                                      analyzerx

                                      I could upload them on my server with your name and stuff if you'd like… :)
                                      Just contact me! :)

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.