Access wireless AP on the Lan side from internet
-
It doesn't explain why it didn't work at port 24000 though. Or that I could see in the logs traffic being correctly forwarded in pfSense. :-\
Steve
-
Upnp disabled but still can't loggin.
-
I don't know why it wouldn't of worked on 24000, unless he didn't change his AP to that port? He had some bad state on his pfsense for that port? Or his router in front of his pfsense - with ports above 1024 on a nat box handling multiple machines it looks like - its quite possible there was a state already for 24000.
From his UPnP he is running torrents, so those are going to create lots and lots of connections.. So you have no idea how many states are already in play. So say his router had a state where 24000 source on its wan. And then some other connection came in for that - what would it do? Would it not allow the connection because not same IP as the state, or would it forward to send it on through - depends on what type of nat that router was set for.
Double NAT not good idea - you can have all kinds of weird shit happen ;)
-
Read my above posts about states! And nats!
-
What about my Wlan AP Network settings(see picture in previous post)?
-
Dude you got some really funked up settings.. Why are you cloning to this mac on your wan of that router 00-21-00-0E-E1-55, and what does that match up with?
Why do you have target settings? for something? From the dhcp log – you have pfsense wan on dhcp, and there are other devices on this 192.168.11 network as well..
I did not see anywhere a place to clear the states on your router -- I would reboot it. This will make sure your states are clear on it, and then we can try and access and verify that the 20000 port hits the pfsense even if not working, etc.
-
i did mac binding so my pfsense box always gets the same ip
and i will reboot my router now
-
It looks like it's definitely getting through pfSense but not back again to me.
For example look at the attched state table. You can see myself connected to the pfSense webgui and trying to connect to the AP.
It's clearly opening states to do it.Steve
-
mac binding?? That is not cloning which is what I saw you had - that has nothing to do with getting the same IP from a dhcp reservation.
Also – you clearly had looks like utorrent traffic going to both ports 24000 and 20000
Jun 22 22:58:46 WAN 79.112.184.127:59451 192.168.11.17:20000 UDP
block
Jun 22 22:58:53 WAN 178.75.95.24:24780 192.168.11.17:20000 UDP
block
Jun 22 22:58:53 WAN 95.65.56.78:42209 192.168.11.17:24000 UDP
block
Jun 22 22:58:55 WAN 114.203.243.49:32177 192.168.11.17:24000 UDP
block
Jun 22 22:58:56 WAN 177.9.61.145:19731 192.168.11.17:24000 UDP
block
Jun 22 22:58:56 WAN 202.161.233.70:12395 192.168.11.17:24000 UDP
block
Jun 22 22:58:56 WAN 62.43.135.1:15937 192.168.11.17:24000 UDP
block
Jun 22 22:58:58 WAN 194.144.80.242:39754 192.168.11.17:24000 UDP
block
Jun 22 22:58:59 WAN 82.159.1.187:42846 192.168.11.17:24000 UDP
block
Jun 22 22:58:59 WAN 178.75.95.24:24780 192.168.11.17:20000 UDP
block
Jun 22 22:59:00 WAN 194.144.80.242:39754 192.168.11.17:24000 UDP -
What I would suggest you do is take this router out of the picture all together?
Why do you have it in front of pfsense - which I can assure you is a much more feature rich/robust router/firewall that that tp-link soho box.
If you want to use the tp for ports, sure it can be a dump switch/ap just fine - there is little reason to have it NATing your public internet connection to private, just to do it again with pfsense.
At a loss to why anyone does this??
-
You can change everything you want in my router and my pfsense to get this working.
Please make sure who tries it first.
I'm going to sleep know and hope when i wake up everthing is working fine.
Thx both of you for your help
-
You can change everything you want in my router and my pfsense to get this working.
Please make sure who tries it first.
I'm going to sleep know and hope when i wake up everthing is working fine.
Thx both of you for your help
If they change your router settings it might be the case they can't finish up the change and you're out of connection without help
-
why i use this setup????
It's for a hotspot setup for a friend.
The easiest way is to put a utp cable from his router to a pfsensePC and leave his own network the way it is (so we won't mess things up)
And i will be able to login from my home if it's needed (my friend lives 300 Km from my place).
For example: Create vouchers, how many clients are connected to the WLAN AP, etc -
Hi Metu,
I'm not a noob on routers. (only routing,Nat,etc)
So if they mess things up i can fix this, no problem.So please try and if they mess things up it's not a problem.
-
A very useful test here would be to try to connect to the AP from the routers LAN network.
You should be able to connect to it on 192.168.11.17:20000 is portforwarding is working correctly.There is some strange behaviour here that doesn't make much sense. It could be a double NAT problem.
Steve
-
That is not working but:
https://192.168.11.17:18474 gets me to pfsense login page
-
"It's for a hotspot setup for a friend."
"The easiest way is to put a utp cable from his router to a pfsensePC "
No I would not say that at all – the EASIEST way is to set it up correctly, and sorry a double nat is never correctly ;)
Use pfsense as the nat/gateway/firewall and then setup a segment for whatever you want to do with his hotspot, and then a segment for his network. This is completely isolated and you get the power and feature set of pfsense to control everything.
This is much easier than dicking with soho hardware like a tp-link home router as your gateway doing NAT, and then running through pfsense as another NAT, etc..
edit: btw either you changed IPs, change ports for your interfaces or someone crashed it? But I show both router and pfsense do not answer on the info you sent me before that i had gotten in with.
-
OK - FIXED!
Your CAPTIVE PORTAL is what was blocking the access!!! So I disabled it
Again what your trying to do is NOT!!! The best way to go about it!!
edit: Ok I setup Mac address of your AP to be bypassed from captive portal, so this gets it working with the captive portal enabled.
Again – how your trying to go about this is NOT the right way! Get rid of the double nat, and use pfsense as your gateway and then segment your friends network from whatever you want to do with that AP, etc..
edit2: btw I disabled your one lan rule you had setup to do some sort of limiting? Before the captive portal dawned on me, I thought maybe that might of been causing some problems.
-
Hmm Captive portal you say.
Nice catch. :)
That hadn't occurred to me.Case solved then. At last. ::)
You can remove logging from the firewall rule if you wish.
The take away message from this, as is almost always the case, is always do things one step at a time.
Steve
-
yeah he mentioned setting up a hotspot a couple of times - but still hadn't clicked in.
So woke in the middle of the night last night, was just reading some reddit/email/etc cuz couldn't sleep and noticed he PM'd his new IP. So was taking a look see, thought shoot will setup a vpn connection and try that. I was seeing my hits in the log, even did a capture on his pfsense lan interface and yup saw the syn and the syn/ack back.
So why wasn't my box seeing it? I didn't see it blocked in the lan rules - then "hotspot" clicked and noticed the captive portal widget with nobody authed/allowed/etc.
