Port forwarding help needed

superman911

Hi
Hope someone can help me.
I am trying to access a webserver from the wan interface.
Here is my setup.
Internet connection ADSL:netgear router(ip range: 10.0.0.0)
WAN interface on pfsense is 10.0.0.10
LAN interface on pfsense is 192.168.0.253
webserver is 192.168.0.10

I have created a port forwarding rule on netgear router to forward all http(port 80) traffic to WAN interface on pfsense (10.0.0.10)

On WAN rules on pfsense i created a rule to forward all WAN Traffic to webserver(192.168.0.11) port 80
but cannot access website from outside the network.

Please help.
thanks

phil.davis

Give details of exactly what you did - hopefully Firewall->NAT, added a Port Forward and let it "Add associated filter rule".
That way it will add a rule for you to allow the incoming traffic on WAN to port 80, as well as forwarding it.

Derelict

Why do people always want to use two routers like this?  I just don't get it.

(OP, you also want to uncheck "Block private networks" on your pfSense WAN interface.)

Wolf666

You message has been moved to another topic

stephenw10

@Derelict:

Why do people always want to use two routers like this?

People don't set out deliberately to have double NAT. They have a working router and they want to try pfSense, the easiest way to do that is simply chain the routers as the OP has done. In my opinion this is the correct way to go about it - one step at a time. Trying to simultaneously introduce pfSense and set your router into some workable bridge mode is asking for trouble. For the most part double NAT works just fine, it's only when you start more complex config like port forwarding that things get tricky (or just don't work). I agree that you should always aim to have single NAT with your public IP on the pfSense WAN as the final configuration.

Anyway, yes, make sure you've unchecked 'block private networks' on the WAN interface since your WAN is in a private subnet.

Steve

Derelict

@stephenw10:

@Derelict:

Why do people always want to use two routers like this?

For the most part double NAT works just fine, it's only when you start more complex config like port forwarding that things get tricky (or just don't work). I agree that you should always aim to have single NAT with your public IP on the pfSense WAN as the final configuration.

You're right, of course.  I believe the time to ditch that old router is before adding things like port forwards.  You'll be doing triple the work.  (port forward on outside router, port forward on pfSense, hoping it works at all, then redoing it all when you get rid of the old router.)

stephenw10

Yep that's certainly what I would do. Often there are other factors though like the upstream router serving as a wifi access point also.

Steve

superman911

I have uncheck "Block private networks"
hope my rules is setup correctly…
attached is screenshots.


Derelict

Looks right.  Is it working?

If not, can you get at http://WAN address/ from something else on the 10.0.0.0 network?

stephenw10

Yep, looks right.
When you try to access the server from from some external address or from the wireless network what happens?
If it doesn't connect do you see anything in the firewall logs?

Steve

superman911

No it's not working.
it just gives me this page cannot be displayed.

but I can access the pfsense interface from the internet.
Will check logs when  I get home

johnpoz

While this would not be the issue its not working - why would you forward 80 UDP to it?  Clearly that is pointless.

Simple way to validate this is plug something into the 10 wan network here and try and access 10.0.0.10 on port 80.  Does that work - if so then its your other router or your ISP blocking it.

if that doesn't work - you sure you have the correct 192.168.0.x address - in your OP you state its IP is 192.168.0.10, but then you forward to 192.168.0.11??  Also is this webserver running a firewall?

stephenw10

I assume you have the pfSense webgui running on a non-standard port since 80 and 443 are forwarded?

Steve

superman911

I have connected another device to the 10.0.0.0 range and tested http://10.0.0.10/support and it is showing the website.

I also changed the pfSense webgui port to 444 and test I can access it on https://10.0.0.10:444 and from the internet https://Public IP:444

but still can't access the website from http://Public IP/support
I had to add a rule on WAN to access pfSense webgui from internet https://Public IP:444


stephenw10

@superman911:

I have connected another device to the 10.0.0.0 range and tested http://10.0.0.10/support and it is showing the website.

Ok, so if you can access it from the router LAN side (pfSense WAN side) then that implies the router is not forwarding the traffic correctly. What port is the router web interface running on? There may be a conflict though there shouldn't be. Clearly it's forwarding port 444 correctly.

You could try changing the port forward in the router to a different incoming port, say 8080. That should get around any block that's in place.

I forget if you already said but did this work before you added pfSense? It's fairly common for ISPs to block incoming port 80 to prevent people running home websevers.

Steve

superman911

I have changed port forwarding on router.
port 8080 to 10.0.0.10

on pfsense i changed the NAT destination port to 8080 and redirect it to 192.168.0.11 port 80

if I connect on the 10.0.0.0 range and test http://10.0.0.10:8080/support it works but still nothing from the internet.

and yes it was working on port 80 before I added pfsense

Derelict

Check all the default gateways.

Derelict

@superman911:

I have connected another device to the 10.0.0.0 range and tested http://10.0.0.10/support and it is showing the website.

I also changed the pfSense webgui port to 444 and test I can access it on https://10.0.0.10:444 and from the internet https://Public IP:444

but still can't access the website from http://Public IP/support
I had to add a rule on WAN to access pfSense webgui from internet https://Public IP:444

Rereading…  You also had to add a port forward to your outside router to 444 right?

stephenw10

Hmm. Have you checked the firewall logs yet?
The port forward is clearly working from the 10.0.0.0 subnet so why not when forwarded from a public IP?
Possibly the firewall rule allowing traffic in to the WAN is not allowing redirected traffic for some reason. That seems unlikely, I can't see anything in your firewall rule that might do that.
Possibly pfSense doesn't know how to route the traffic back out the client. That would explain why it works from the locally attached 10.0.0.0 subnet. However if that was the case I wouldn't expect the pfSense webgui access on 444 to work either.

Does the server have logging you can check? It could be the server isn't replying for some reason.

Steve

Klaws

In case you haven't noticed yet:

1. Traffic blocked by the default rule (in other words, traffic which matches no firewall rule) can be logged by selecting "Log packets blocked by the default rule" in "Status: System logs: Settings". Same for bogon and private subnets. This will of course also show any portscans and hack attempts.

2. For each firewall rule, logging can be enabled individually.

3. By clicking the icon on the "Act" column of the firewall log, you can see which rule was responsible for blocking or passing the traffic.