    Port forwarding help needed

    • S Offline
      superman911
      last edited by

      Hi,
      Hope someone can help me.
      I am trying to access a webserver from the WAN interface.
      Here is my setup.
      Internet connection ADSL: Netgear router (IP range: 10.0.0.0)
      WAN interface on pfSense is 10.0.0.10
      LAN interface on pfSense is 192.168.0.253
      Webserver is 192.168.0.10

      I have created a port forwarding rule on the Netgear router to forward all HTTP (port 80) traffic to the WAN interface on pfSense (10.0.0.10).

      On the WAN rules on pfSense I created a rule to forward all WAN traffic to the webserver (192.168.0.11) port 80,
      but I cannot access the website from outside the network.

      Please help.
      Thanks

      • P Offline
        phil.davis
        last edited by

        Give details of exactly what you did - hopefully Firewall->NAT, added a Port Forward and let it "Add associated filter rule".
        That way it will add a rule for you to allow the incoming traffic on WAN to port 80, as well as forwarding it.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

        • DerelictD Offline
          Derelict LAYER 8 Netgate
          last edited by

          Why do people always want to use two routers like this?  I just don't get it.

          (OP, you also want to uncheck "Block private networks" on your pfSense WAN interface.)

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • W Offline
            Wolf666
            last edited by

            Your message has been moved to another topic

            Modem Draytek Vigor 130
            pfSense 2.4 Supermicro A1SRi-2558 - 8GB ECC RAM - Intel S3500 SSD 80GB - M350 Case
            Switch Cisco SG350-10
            AP Netgear R7000 (Stock FW)
            HTPC Intel NUC5i3RYH
            NAS Synology DS1515+
            NAS Synology DS213+

            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              @Derelict:

              Why do people always want to use two routers like this?

              People don't set out deliberately to have double NAT. They have a working router and they want to try pfSense, the easiest way to do that is simply chain the routers as the OP has done. In my opinion this is the correct way to go about it - one step at a time. Trying to simultaneously introduce pfSense and set your router into some workable bridge mode is asking for trouble. For the most part double NAT works just fine, it's only when you start more complex config like port forwarding that things get tricky (or just don't work). I agree that you should always aim to have single NAT with your public IP on the pfSense WAN as the final configuration.

              Anyway, yes, make sure you've unchecked 'block private networks' on the WAN interface since your WAN is in a private subnet.

              Steve

              • DerelictD Offline
                Derelict LAYER 8 Netgate
                last edited by

                @stephenw10:

                @Derelict:

                Why do people always want to use two routers like this?

                For the most part double NAT works just fine, it's only when you start more complex config like port forwarding that things get tricky (or just don't work). I agree that you should always aim to have single NAT with your public IP on the pfSense WAN as the final configuration.

                You're right, of course.  I believe the time to ditch that old router is before adding things like port forwards.  You'll be doing triple the work.  (port forward on outside router, port forward on pfSense, hoping it works at all, then redoing it all when you get rid of the old router.)

                • stephenw10S Offline
                  stephenw10 Netgate Administrator
                  last edited by

                  Yep that's certainly what I would do. Often there are other factors though like the upstream router serving as a wifi access point also.

                  Steve

                  • S Offline
                    superman911
                    last edited by

                    I have unchecked "Block private networks".
                    Hope my rules are set up correctly…
                    Attached are screenshots.

                    ![Port forwarding on Router.PNG](/public/imported_attachments/1/Port forwarding on Router.PNG)
                    ![NAT Rules.PNG](/public/imported_attachments/1/NAT Rules.PNG)
                    ![firewall rule.PNG](/public/imported_attachments/1/firewall rule.PNG)
                    • DerelictD Offline
                      Derelict LAYER 8 Netgate
                      last edited by

                      Looks right.  Is it working?

                      If not, can you get at http://WAN address/ from something else on the 10.0.0.0 network?

                      • stephenw10S Offline
                        stephenw10 Netgate Administrator
                        last edited by

                        Yep, looks right.
                        When you try to access the server from some external address or from the wireless network, what happens?
                        If it doesn't connect do you see anything in the firewall logs?

                        Steve

                        • S Offline
                          superman911
                          last edited by

                          No, it's not working.
                          It just gives me "this page cannot be displayed".

                          But I can access the pfSense interface from the internet.
                          Will check logs when I get home.

                          • johnpozJ Offline
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            While this would not be the issue it's not working - why would you forward 80 UDP to it? Clearly that is pointless.

                            Simple way to validate this is to plug something into the 10 WAN network here and try to access 10.0.0.10 on port 80. Does that work - if so then it's your other router or your ISP blocking it.

                            If that doesn't work - you sure you have the correct 192.168.0.x address - in your OP you state its IP is 192.168.0.10, but then you forward to 192.168.0.11?? Also is this webserver running a firewall?

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 25.07 | Lab VMs 2.8, 25.07

                            • stephenw10S Offline
                              stephenw10 Netgate Administrator
                              last edited by

                              I assume you have the pfSense webgui running on a non-standard port since 80 and 443 are forwarded?

                              Steve

                              • S Offline
                                superman911
                                last edited by

                                I have connected another device to the 10.0.0.0 range and tested http://10.0.0.10/support and it is showing the website.

                                I also changed the pfSense webgui port to 444 and test I can access it on https://10.0.0.10:444 and from the internet https://Public IP:444

                                but still can't access the website from http://Public IP/support
                                I had to add a rule on WAN to access pfSense webgui from internet https://Public IP:444

                                ![NAT Rules.PNG](/public/imported_attachments/1/NAT Rules.PNG)
                                ![firewall rule.PNG](/public/imported_attachments/1/firewall rule.PNG)
                                ![Port forwarding on Router.PNG](/public/imported_attachments/1/Port forwarding on Router.PNG)
                                • stephenw10S Offline
                                  stephenw10 Netgate Administrator
                                  last edited by

                                  @superman911:

                                  I have connected another device to the 10.0.0.0 range and tested http://10.0.0.10/support and it is showing the website.

                                  Ok, so if you can access it from the router LAN side (pfSense WAN side) then that implies the router is not forwarding the traffic correctly. What port is the router web interface running on? There may be a conflict though there shouldn't be. Clearly it's forwarding port 444 correctly.

                                  You could try changing the port forward in the router to a different incoming port, say 8080. That should get around any block that's in place.

                                  I forget if you already said, but did this work before you added pfSense? It's fairly common for ISPs to block incoming port 80 to prevent people running home webservers.

                                  Steve

                                  • S Offline
                                    superman911
                                    last edited by

                                    I have changed port forwarding on the router:
                                    port 8080 to 10.0.0.10

                                    On pfSense I changed the NAT destination port to 8080 and redirected it to 192.168.0.11 port 80.

                                    If I connect on the 10.0.0.0 range and test http://10.0.0.10:8080/support it works, but still nothing from the internet.

                                    And yes, it was working on port 80 before I added pfSense.

                                    • DerelictD Offline
                                      Derelict LAYER 8 Netgate
                                      last edited by

                                      Check all the default gateways.

                                      • DerelictD Offline
                                        Derelict LAYER 8 Netgate
                                        last edited by

                                        @superman911:

                                        I have connected another device to the 10.0.0.0 range and tested http://10.0.0.10/support and it is showing the website.

                                        I also changed the pfSense webgui port to 444 and test I can access it on https://10.0.0.10:444 and from the internet https://Public IP:444

                                        but still can't access the website from http://Public IP/support
                                        I had to add a rule on WAN to access pfSense webgui from internet https://Public IP:444

                                        Rereading…  You also had to add a port forward to your outside router to 444 right?

                                        • stephenw10S Offline
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          Hmm. Have you checked the firewall logs yet?
                                          The port forward is clearly working from the 10.0.0.0 subnet so why not when forwarded from a public IP?
                                          Possibly the firewall rule allowing traffic in to the WAN is not allowing redirected traffic for some reason. That seems unlikely, I can't see anything in your firewall rule that might do that.
                                          Possibly pfSense doesn't know how to route the traffic back out to the client. That would explain why it works from the locally attached 10.0.0.0 subnet. However, if that was the case I wouldn't expect the pfSense webgui access on 444 to work either.

                                          Does the server have logging you can check? It could be the server isn't replying for some reason.

                                          Steve

                                          • K Offline
                                            Klaws
                                            last edited by

                                            In case you haven't noticed yet:

                                            1. Traffic blocked by the default rule (in other words, traffic which matches no firewall rule) can be logged by selecting "Log packets blocked by the default rule" in "Status: System logs: Settings". Same for bogon and private subnets. This will of course also show any portscans and hack attempts.

                                            2. For each firewall rule, logging can be enabled individually.

                                            3. By clicking the icon on the "Act" column of the firewall log, you can see which rule was responsible for blocking or passing the traffic.

                                            1 Reply Last reply Reply Quote 0
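
Added example, not part of any post in this thread: triaging pfSense filterlog entries on WAN to tell apart traffic that never matched the port forward, traffic that was translated but then blocked, and traffic pfSense passed. The interface name `em0`, the /24 masks and the sample log lines are assumptions constructed for illustration; pf applies the port forward before the filter rules, so a translated packet is logged with the internal destination.

```python
import ipaddress
import re

# Assumed values based on the thread's topology; the interface name "em0"
# and the /24 masks are assumptions, not stated in the posts.
WAN_IF = "em0"
WAN_IP = ipaddress.ip_address("10.0.0.10")
UPSTREAM_NET = ipaddress.ip_network("10.0.0.0/24")  # Netgear LAN side
LAN_NET = ipaddress.ip_network("192.168.0.0/24")    # pfSense LAN side

# Constructed sample entries in the filterlog CSV layout (IPv4, TCP SYN).
SAMPLE_LOG = """\
Jan 10 19:02:11 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,52,4411,0,DF,6,tcp,60,203.0.113.7,10.0.0.10,51514,8081,0,S,1111,,64240,,mss
Jan 10 19:02:15 pfsense filterlog: 5,16777216,,1000000103,em0,match,block,in,4,0x0,,52,4412,0,DF,6,tcp,60,203.0.113.7,192.168.0.11,51520,80,0,S,2222,,64240,,mss
Jan 10 19:02:19 pfsense filterlog: 71,16777216,,1500000001,em0,match,pass,in,4,0x0,,63,4413,0,DF,6,tcp,60,10.0.0.50,192.168.0.11,40222,80,0,S,3333,,64240,,mss
"""

def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP filterlog entry, else None."""
    m = re.search(r"filterlog(?:\[\d+\])?: (.*)", line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {"iface": f[4], "action": f[6], "dir": f[7],
            "src": ipaddress.ip_address(f[18]),
            "dst": ipaddress.ip_address(f[19]), "dport": int(f[21])}

def classify(e):
    """Say where an inbound WAN packet stopped, judged by its logged destination."""
    if e["action"] == "block" and e["dst"] == WAN_IP:
        return "no port forward matched"        # still addressed to WAN itself
    if e["action"] == "block" and e["dst"] in LAN_NET:
        return "forwarded, then blocked by WAN rules"
    if e["action"] == "pass" and e["dst"] in LAN_NET:
        return "passed to server"               # look at server / return path
    return "other"

def triage(log_text):
    """Return (origin, dst, dport, verdict) for each inbound WAN entry."""
    rows = []
    for line in log_text.splitlines():
        e = parse_filterlog(line)
        if e and e["iface"] == WAN_IF and e["dir"] == "in":
            origin = "upstream-lan" if e["src"] in UPSTREAM_NET else "internet"
            rows.append((origin, str(e["dst"]), e["dport"], classify(e)))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Pass entries appear only when logging is enabled on the matching rule. If no row with origin `internet` shows up at all, the traffic is not reaching the pfSense WAN.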