Netgate Discussion Forum
    SOLVED : accessing internal network from wan side
• hoba

  Do you see the blocked traffic at Status > System logs, Firewall? If yes, your rules are not correct. If no, something in front of you is already filtering the traffic.

• hchady

  I see a lot of blocked rules / IPs.

  The actual rule I have now on the WAN interface is:
  Interface : WAN
  Source : Any
  Destination : LAN subnet

  What should I change?

  pfSense WAN IP : 134.214.116.244
  VIP : 134.214.116.30
  NAT 1:1 : 134.214.116.30 to internal IP : 192.168.10.200

• hchady

  Now, and after a reboot, only the WAN IP address is pingable from outside, but not the virtual IPs.

  The system log shows that ping requests are blocked at the WAN side.

  Rules:
  Interface : WAN
  Source : Any
  Destination : 134.214.116.30

  and

  Interface : WAN
  Source : Any
  Destination : WAN address

  Protocol : Any in both cases

• hoba

  What version are you running? Sounds like 1.0, which had a rule-apply bug under some circumstances. I recommend upgrading.

• hchady

  I am running the 27-02- snapshot.
  I am sure that it is a firewall problem, because I see in the syslogs that pings to my VIP are blocked…

• hoba

  Btw, we do not redirect protocol ICMP, so this won't be NATed. In case you want to make the VIP pingable, you have to use type CARP (currently the only virtual IP that allows for ICMP) and add a firewall rule at WAN for protocol ICMP, source any, destination virtual WAN IP.

• hchady

  That is exactly what I have done, but with Proxy ARP.

  If I move to crap, I get this error message:
  Sorry, we could not locate an interface with a matching subnet for 134.214.116.30/32. Please add an ip in this subnet on a real interface

• hoba

  CARP IPs have to use the real interface's subnet, not /32.

• hchady

  The same message:
  Sorry, we could not locate an interface with a matching subnet for 134.214.116.30/22. Please add an ip in this subnet on a real interface

  Note that on WAN I use the 134.214.116.x/22 subnet, and on the LAN side 192.168.10.x/24.

• hoba

  Is your WAN VIP part of the original WAN subnet? If not, CARP won't be an option here.

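The "matching subnet" validation hoba describes in the two posts above (the VIP must be declared with the real interface's prefix, so /32 fails while the address itself still lies in the WAN range) can be modelled with the addresses from this thread. This is an added illustration written for this page, not pfSense's own validation code; the LAN gateway address and the exact comparison are assumptions.

```python
import ipaddress

# Constructed sample built from the addresses posted in the thread:
# WAN 134.214.116.244/22 and a LAN in 192.168.10.x/24 (gateway address assumed).
INTERFACES = {
    "WAN": ipaddress.ip_interface("134.214.116.244/22"),
    "LAN": ipaddress.ip_interface("192.168.10.1/24"),  # assumed LAN address
}


def find_interface_for_vip(vip, interfaces=INTERFACES):
    """Return the interface whose subnet equals the VIP's own subnet, else None.

    Assumed reconstruction of the check behind the thread's error message:
    the VIP is parsed with its own prefix and its network must equal an
    interface's network. 134.214.116.30/22 -> 134.214.116.0/22 (matches WAN),
    but 134.214.116.30/32 -> 134.214.116.30/32 (matches nothing).
    """
    candidate = ipaddress.ip_interface(vip)
    for name, iface in interfaces.items():
        if candidate.network == iface.network:
            return name
    return None


def vip_address_in_subnet(vip, interfaces=INTERFACES):
    """Looser test: is the VIP's host address inside any interface subnet?

    This is the sense in which the poster's /32 VIP is "in the same range";
    it is not what the CARP validation above requires.
    """
    host = ipaddress.ip_interface(vip).ip
    for name, iface in interfaces.items():
        if host in iface.network:
            return name
    return None


def carp_vip_error(vip, interfaces=INTERFACES):
    """Return the validation message for a VIP that fails the check, else None."""
    if find_interface_for_vip(vip, interfaces) is None:
        return ("could not locate an interface with a matching subnet for "
                f"{vip}; add an address in this subnet on a real interface")
    return None
```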
• hchady

  Yes,
  my main internet IP address is 134.214.116.244/22 … in the same range.

• hchady

  So? Is it a bug?

• hoba

  I don't have the possibility to test atm. It used to work.

• hchady

  I moved my LAN network from 192.168.10.0/24 to 134.214.0.0/22.

  Now I can use CRAP for the virtual IP, but I still cannot ping the VIP from outside.

  But now I can ping them from the pfSense LAN side … strange!!

  Looks like NAT 1:1 is working in one direction only.

• hoba

  ICMP is not NATed. You have to allow ICMP to your WAN VIP. Btw, it's CARP and not CRAP ;)

• hchady

  Already done, but still not working.

• hchady

  Hi,

  I have downgraded to the 1.0.1 release (29 October) and configured the CARP VIP, NAT and rules again … and it works! I can ping the VIP from outside.
  I added 3 other NATed VIPs and rebooted... now it doesn't work again, and it is impossible to get it working!
  The firewall logs don't show any blocked ICMP to the VIP or NATed IP.

  Strange!!?

• hchady

  I am now using the 15/03 snapshot … and the VIPs are not pingable from outside!!

• hchady

  It works now with the latest snapshot (23-03-2007)!!

  But is there any chance to have NAT 1:1 with AppleTalk compatibility?

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.