Netgate Discussion Forum

    Dual WAN - Portforwarding Problems

    Routing and Multi WAN
    12 Posts, 4 Posters, 8.1k Views
    tec

      Hello, I am running pfSense RC2.
      I have a somewhat complicated setup. Maybe the following picture can help.

      The Linux box is only doing VPNC dial-in to the university and doing 1:1 to the WAN2 interface.
      What I want to achieve is the following:
      Normal LAN traffic goes to the WAN.
      Certain traffic from some LAN hosts is routed via WAN2.
      Cisco traffic which comes from the LAN is routed to the university gateway via the wireless link.

      What I have done right now is:
      Enable Advanced Outbound NAT and create the following rules:
      Interface   Source
      WAN         192.168.0.0/24
      WLAN        192.168.0.0/24
      WLAN        192.168.195.0/29
      WAN2        192.168.0.0/24

      Now the following things work:
      Connecting with the LAN clients via WAN to the Internet.
      When a client starts the Cisco client on his PC, he is redirected to the WLAN link and goes into the university network/Internet.
      The special host is routed via policy-based routing through the WAN2 interface and the Linux box and also goes into the university network/Internet.

      If I make a port forward from the WAN interface to the LAN it works.

      If I make a port forward from the WAN2 interface to the LAN it doesn't work :(

      I tried to port forward port 22 (SSH) from WAN2 to the host 192.168.0.33. Here is the rule which I made on LAN for policy-based routing:
      LAN
      Proto   Source         Port   Destination   Port   Gateway
      *       192.168.0.33   *      *             *      192.168.196.2

      and the auto-created ones:
      WAN2
      Proto     Source   Port   Destination     Port       Gateway
      TCP/UDP   *        *      192.168.0.33    22 (SSH)   *
      ICMP      *        *      192.168.196.1   *          *

      NAT rule
      If     Proto     Ext. port range   NAT IP         Int. port range
      WAN2   TCP/UDP   22 (SSH)          192.168.0.33   22 (SSH)
             (ext.: 192.168.196.1)

      With this setup I am not able to establish an SSH connection from an outside IP to a host on the LAN. When I turn logging on for this rule I get the following output, but I am still not able to connect to the SSH server on 192.168.0.33:
      Time              If     Source                Destination       Proto
      Sep 22 16:16:40   Wan2   84.58.134.196:52816   192.168.0.33:22   TCP

      But it works fine if I connect from the Linux box with the IP 192.168.196.2 to the host 193.168.0.33; there I get the SSH connection. Is there anything I forgot on the pfSense side?

      Regards, Marco

      hoba

        Why do you need such a strange setup? The Linux box most likely is sending out replies from the forwarded connections from the Internet going through the pfSense out its own WAN (its default gateway). Try to make your setup less complex.

        tec

          Hi,
          I need this strange setup because here in my student shared apartment we have an ADSL line from Arcor through which we go online. Some weeks ago we noticed that we also get a WLAN signal from the unsecured university WLAN. Therefore I installed a Yagi antenna and put an Atheros card in the pfSense, and made a rule for the LAN that if someone wants to connect to the "University-VPN-Gateway" he will be redirected to the WLAN. This happens when you start the Cisco VPN client. The advantage of this is that you get an IP from the university network and you are able to access sites like Physical Review and download the papers for free. The Linux box is there because I have 3 computers where I don't want to log in with the Cisco client, because Windows unsecured for a longer time on the Internet is not a very good idea in my mind.
          The thing is, through the WLAN I get 10 Mbit as upload speed, quite a big difference compared to the 512 from Arcor.
          I think pfSense had some things messed up, therefore I restarted from the beginning, and everything is working. After some reboots.

          The only difference right now is that I don't have the "Advanced Outbound rules" enabled. Forwardings are working. Maybe you could clarify for me what exactly this "Advanced Outbound" is for.

          I also noticed one thing with FTP on dual WAN: when I was trying to find out what was going wrong I put a static IP on WAN and I was also able to make a connection from outside to a forwarded FTP server, and also able to connect via FTP through OPT1 to an Internet FTP.

          After I switched to PPPoE on WAN and enabled the traffic shaper, the FTP helper redirected my FTP connections through WAN instead of sending them through OPT1.

          Maybe this is what you mean in your FAQ with "FTP does not work with dual WAN".

          Regards

          hoba

            Advanced outbound NAT is for when you have multiple IPs at WAN, for example, and want to map special machines or ports to use another IP than the default one for outbound traffic. It can also be used with CARP setups to use the virtual IP instead of the physical one of the machine.

            The FTP helper only works for the original WAN. This means FTP connections will always be made through WAN no matter what firewall rules you set. You can disable the FTP helper at all interfaces, but this usually introduces NAT/firewall problems. FTP doesn't work very well behind NAT as it uses more than port 21 to transfer data.

            tec

              OK, I see.
              Just to get it right: for every local LAN network which I want to let out via WAN or OPT1 I need to make an entry. In my special case it would be:

              If I enable Advanced Outbound NAT on my setup I would first get the default rule, which I need to go from LAN (192.168.0.0/24 LAN network) > WAN.

              Then I must add the following rules:
              add a rule for LAN (192.168.0.0/24 LAN network) > WLAN optional network (Atheros card on university network) to use the Cisco client on a LAN host
              add a rule for LAN (192.168.0.0/24 LAN network) > WAN2 optional network (Linux box, to send some special host out this way)
              add a rule for Linuxboxout (192.168.195.0/24 Linuxboxout network) > WLAN optional network (Atheros card on university network)

              In summary this would be 4 rules.

              And if I want to host a Counter-Strike: Source dedicated server, I need to add another outbound map on the interface on which the server is listening, with the Static Port option ticked?

              hoba

                You are mixing things up a bit here.

                1. NAT happens automatically for all interfaces that have a gateway unless you have enabled Advanced Outbound NAT.

                2. If it's not a WAN but only another subnet like 192.168.0.0/24 you should add a static route instead of policy-based routing.

                3. Incoming NATs (like your Counter-Strike server) are handled by the port forward. These connections are stateful and won't be handled by the outgoing policy-based rules.

                rob_v
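                To make the three points concrete, here is a hand-written pf ruleset (an added example, not from this thread and not pfSense's own generated rules) using the addresses from the first post: WAN2 is 192.168.196.1 with the Linux box 192.168.196.2 as its gateway, the forwarded host is 192.168.0.33. The interface names and macros are assumed; the point is that the inbound port-forward rule keeps the "default" gateway and carries reply-to, so the return packets of that state leave via WAN2 and never consult the LAN policy route.

                ```pf
                # Assumed macros (not from the thread): interface names are placeholders.
                wan2     = "sis2"            # OPT WAN, address 192.168.196.1
                lan      = "sis0"
                wan2_gw  = "192.168.196.2"   # the Linux box, WAN2's gateway
                ssh_host = "192.168.0.33"

                # 1. Port forward (Firewall: NAT: Port Forward): packets arriving on WAN2
                #    for WAN2's own address, TCP port 22, are rewritten to the LAN host.
                rdr on $wan2 proto tcp from any to ($wan2) port 22 -> $ssh_host port 22

                # 2. The auto-created pass rule for that forward. Gateway stays "default"
                #    (no route-to); reply-to pins the return packets of this state to
                #    WAN2's gateway, so SSH replies do not leave through the default WAN
                #    with a source address the remote client never talked to.
                pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp \
                     from any to $ssh_host port 22 flags S/SA keep state

                # 3. Policy-based route on LAN for the special host (the LAN rule in the
                #    first post). Only connections *initiated* by 192.168.0.33 match here;
                #    packets belonging to the inbound state above already have a state
                #    entry and are never evaluated against this rule.
                pass in quick on $lan route-to ($wan2 $wan2_gw) \
                     from $ssh_host to any keep state
                ```

                If the inbound rule were instead given WAN2's gateway as a route-to gateway, or the state's replies followed the default route, the SSH handshake would appear in the WAN2 log exactly as in the first post but never complete.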

                  Hi,

                  I have a similar problem.

                  I have 2 WANs and I want to route RDP from OPT1 (WAN2) to an IP in the LAN.
                  When I do it from the WAN to an IP it works, and when I use the WAN2 interface it doesn't work.

                  So can someone give a solution for this problem?
                  I don't understand the solution above.

                  Thank you.

                  Kind regards, Rob

                  hoba

                    What gateway do you use for the firewall rule at your OPT WAN? You should have it at "default".

                    rob_v

                      Here is my info:

                      WAN  = DHCP cable
                      WAN2 = 192.168.1.1 (gateway), 192.168.1.4 (IP)
                      LAN  = 10.10.0.1
                      PC   = 10.10.0.20

                      Firewall rules:

                      LAN:

                      Proto   Source       Port   Destination   Port   Gateway       Description
                      *       10.10.0.20   *      *             *      192.168.1.1   Default LAN -> any

                      WAN:

                      Proto     Source   Port   Destination   Port            Gateway   Description
                      TCP/UDP   *        *      10.10.0.20    3389 (MS RDP)   *         NAT RDP laptop

                      WAN2:

                      Proto     Source   Port   Destination   Port            Gateway   Description
                      TCP/UDP   *        *      10.10.0.20    3389 (MS RDP)   *         NAT RDP laptop

                      Firewall: NAT: Port Forward

                      If     Proto     Ext. port range   NAT IP       Int. port range   Description
                      WAN2   TCP/UDP   3389 (MS RDP)     10.10.0.20   3389 (MS RDP)     RDP laptop
                             (ext.: any)
                      WAN    TCP/UDP   3389 (MS RDP)     10.10.0.20   3389 (MS RDP)     RDP laptop
                             (ext.: any)

                      NAT Outbound:

                      I tried:
                      IPsec

                      and Advanced Outbound NAT:

                      WAN2   10.10.0.0/24   *   *   *   *   *   NO   Auto created rule for LAN
                      WAN    10.10.0.0/24   *   *   *   *   *   NO   Auto created rule for LAN

                      RDP works on WAN and not on WAN2.

                      hoba

                        You have a router at your OPT WAN (private IP range). Make sure it is actually passing in the connection.

                        I just set up an RDP port forward from an OPT WAN to LAN at our office. It works without issues.

                        rob_v

                          I know that, but I tried to connect from that local network (without firewall / rules etc.).

                          PS: when I switch OPT1 with WAN then it works… (I tried that also).

                          cheech

                            I'm wondering if this can be done OK with pfSense too. Hoba suggests yes. I have a web server that I need (temporarily at least) to be accessible from the Internet via either WAN connection. My first effort was with a commercial dual WAN router = no go (with the OPT connection up, port forwarding on the primary WAN stopped working!). Then I tried putting a 2nd NIC in the server with 2 routers and that didn't work (I couldn't figure out how to get traffic to go out on the gateway matching the incoming connection!), so I am hoping pfSense will work.

                            If I do this and create 2 x NAT port forwards for 80 > webserver, one from OPT and one from WAN, or just one rule with ANY, are there any other things I should watch out for? Thanks!
