Netgate Discussion Forum

    Rule not honored - "pseudo-DMZ" -> LAN

    Category: NAT
    3 Posts 2 Posters 1.5k Views

    freakalad

      I have one of those crappy all-in-1 DSL-VoIP-AP devices provided by my ISP that I use for my 'net connection.

      I've set it up to keep the connection up & to provide my guests with "public" wifi & set up NAT to forward inbound connections - 22, 25, 443, 993, all the usual suspects - to my firewall to handle in a better manner.

      For my pfSense:
      WAN: 10.0.0.254/20
      LAN: 192.168.1.254/24

      Works well for the most part.
      So, what I'm seeing is that when a mobile tries to connect to mail.mydomain.tld from outside (3G, HSDPA, etc.), I can see the connection coming in & NAT'ed fine through to the local server. Sweet!

      What's weird is that when I see the same device connected on the guest AP, the DNS resolution for mail.mydomain.tld still resolves to my external static IP OK, but when the connection comes in, it is blocked by my firewall.

      I've tried adding the firewall rule using the [EasyRule] shortcut on the firewall logs page, and even tried being a little more liberal in indicating that I'm willing to accept ANY incoming connection targeting :443 or :25 & NAT that through, but the rules simply do not honor the exception.

      I think I'm missing something somewhere - so any help would be great, please.

      doktornotor (Banned)

        You need NAT reflection enabled. (As a side note, the double NAT does not do any good, you really should reconfigure the DSL junk as bridge only and put public IP/PPPoE on the pfSense).
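        To make the "NAT reflection" point concrete, here is an added Python model that is not part of this thread and not pfSense code. It simulates a stateful NAT box with a port-forward table and compares three behaviours: port forwards that only apply on WAN, a destination rewrite alone, and full reflection (destination plus source rewrite, i.e. hairpin NAT). The addresses are constructed (203.0.113.10 is documentation space; the LAN address matches the thread), and it models the generic case of a client on the firewall's own LAN; the thread's client sits behind the ISP device's guest network, which adds a second NAT hop in front of pfSense.

```python
"""Why hairpin / "NAT reflection" needs both a destination and a source
rewrite when an inside host connects to the firewall's public IP.

Constructed simulation; addresses are made up (RFC 5737 space for the
public IP).  Not pfSense code.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUBLIC_IP = "203.0.113.10"        # constructed public address
LAN_IF_IP = "192.168.1.254"       # firewall's LAN address, as in the thread
LAN_NET = ip_network("192.168.1.0/24")
MAIL_SERVER = "192.168.1.10"      # constructed internal mail host
PORT_FORWARDS = {25: MAIL_SERVER, 443: MAIL_SERVER}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The answer a host sends back: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)


class Firewall:
    """Stateful NAT box with one port-forward table.

    mode:
      'none'        port forwards only match on WAN; LAN traffic to the
                    public IP is just routed out the WAN side
      'rdr_only'    also rewrite the destination on LAN, but leave the source
      'reflection'  rewrite destination AND source on LAN (hairpin NAT)
    """

    def __init__(self, mode: str):
        self.mode = mode
        # key of the expected reply flow -> the client's original packet
        self.states: dict[tuple, Packet] = {}

    @staticmethod
    def _key(p: Packet) -> tuple:
        return (p.src, p.sport, p.dst, p.dport)

    def from_lan(self, p: Packet) -> Optional[Packet]:
        """Packet sent by a LAN host.  Returns what is handed to the
        internal server, or None if it is not redirected at all."""
        if p.dst != PUBLIC_IP or p.dport not in PORT_FORWARDS:
            return None                 # ordinary traffic, not modelled
        if self.mode == "none":
            return None                 # leaves via WAN; nothing hairpins it
        target = PORT_FORWARDS[p.dport]
        if self.mode == "rdr_only":
            out = Packet(p.src, p.sport, target, p.dport)
        else:                           # reflection: source becomes the firewall
            out = Packet(LAN_IF_IP, p.sport, target, p.dport)
        # Real NAT may also pick a fresh source port; kept as-is for clarity.
        self.states[self._key(out.reply())] = p
        return out

    def from_server(self, p: Packet) -> Packet:
        """Reply that reaches the firewall: undo the translation if a state
        exists, otherwise pass it through untouched."""
        original = self.states.get(self._key(p))
        return original.reply() if original else p


def hairpin(mode: str, client: str = "192.168.1.50") -> Optional[Packet]:
    """Run one client -> public IP:443 exchange and return the packet the
    client finally receives (None if nothing comes back)."""
    fw = Firewall(mode)
    syn = Packet(client, 40000, PUBLIC_IP, 443)
    forwarded = fw.from_lan(syn)
    if forwarded is None:
        return None
    reply = forwarded.reply()           # server answers whoever it saw
    # Same L2 segment and not addressed to the firewall: the switch delivers
    # it directly, so the firewall never gets a chance to un-translate it.
    if reply.dst != LAN_IF_IP and ip_address(reply.dst) in LAN_NET:
        return reply
    return fw.from_server(reply)


def client_accepts(mode: str, client: str = "192.168.1.50") -> bool:
    """True only if the reply matches the 5-tuple the client is waiting on
    (src must be the public IP it connected to)."""
    expected = Packet(client, 40000, PUBLIC_IP, 443).reply()
    return hairpin(mode, client) == expected


if __name__ == "__main__":
    for mode in ("none", "rdr_only", "reflection"):
        print(f"{mode:11s} client sees {hairpin(mode)} accepted={client_accepts(mode)}")
```

        In 'rdr_only' mode the server's answer arrives with the server's private address as source, which is not the flow the client opened, so the client discards it (or the state table on the firewall never matches). Only the 'reflection' mode, where the firewall also substitutes itself as the source, makes the reply come back through the firewall to be rewritten to the public IP.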

        freakalad

          Thanks for the pro-tip.
          Enable NAT reflection on the WAN, or on the NAT/rule itself?
          I've tried the latter, with no effect, but I'll try it again.

          Unfortunately the crappy router does not support PPPoE - that would've been my own preference - let the "modem" only do the connection & have my pfSense do the routing & firewall work.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.