Netgate Discussion Forum

    PfSense won't forward traffic from LAN server to internet

    28 Posts 7 Posters 5.2k Views
      lockheed

      @notaduck:

      Could you try to take a screenshot?

      Yes, but of what?

      @notaduck:

      You are saying you can't port forward from the internet to the host, but it should be the other way around so you are port forwarding your server to the wan interface :)

      Well, I need my server on the LAN to be accessible from WAN. Sorry for the confusion.

        doktornotor Banned

        When you look at the 80 NAT rule, you do NOT have a firewall rule associated with that. WHY?

          EMWEE

          Check your firewall logs.

            lockheed

            @doktornotor,
            Good point. I set it up,
            http://i.imgur.com/0LrJCzv.png
            but the problem persists.

            @EMWEE,
            In the firewall logs, I can see nothing relevant, i.e. related to port :80, or the external IP I am trying to access the webserver from.

              Supermule Banned

              Move it above the block all rule and then it's fine.

                lockheed

                @Supermule:

                Move it above the block all rule and then it's fine.

                I don't think I have a block all rule. And if you mean "RFC 1918 networks" and "Reserved/not assigned by IANA", then it is not possible.

                  Supermule Banned

                  Do you have an outbound nat rule in place that separate subnet?

                    lockheed

                    @Supermule:

                    Do you have an outbound nat rule in place that separate subnet?

                    http://i.imgur.com/L5FrSeb.png
                    Is that it?

                      gjaltemba

                      @lockheed:

                      @Supermule:

                      Move it above the block all rule and then it's fine.

                      I don't think I have a block all rule. And if you mean "RFC 1918 networks" and "Reserved/not assigned by IANA", then it is not possible.

                      You can try unchecking the box “Block private networks” on the screen Interfaces WAN (at the bottom) and see if that solves your problem.

                        lockheed

                        @gjaltemba:

                        You can try unchecking the box “Block private networks” on the screen Interfaces WAN (at the bottom) and see if that solves your problem.

                        That's one of those things I tried and forgot to mention  :(

                          doktornotor Banned

                          Perhaps you could finally look at the firewall logs?!?!?

                            Supermule Banned

                            Nope…

                            It looks like this...

                            Menu -> Firewall -> NAT -> Outbound

                            outbound_nat.PNG

                              lockheed

                              @doktornotor:

                              Perhaps you could finally look at the firewall logs?!?!?

                              What am I looking for? I already said I could see nothing related to the IP I am accessing the web server from.

                              @Supermule:

                              Nope…

                              It looks like this...

                              Menu -> Firewall -> NAT -> Outbound

                              That's what I have:
                              http://i.imgur.com/fWWY3XA.png

                                gjaltemba

                                @lockheed:

                                @gjaltemba:

                                You can try unchecking the box “Block private networks” on the screen Interfaces WAN (at the bottom) and see if that solves your problem.

                                That's one of those things I tried and forgot to mention  :(

                                But the screen shot of the firewall rules shows Block private networks is in effect. I am confused.

                                  lockheed

                                  @gjaltemba:

                                  But the screen shot of the firewall rules shows Block private networks is in effect. I am confused.

                                  Because I re-enabled it after I found out it did not change anything. Anyway, now I have it disabled again.

                                    gjaltemba

                                    @lockheed:

                                    ★ My setup:

                                    Host (ArchLinux, nanoBox):
                                    Physical interfaces: with eth0 (no ip) and wlan0 (hostapd).
                                    Virtual interfaces: br0 (static IP 192.168.7.2 assigned with netctl profile)

                                    Guest (pfSense inside KVM):
                                    Guest interfaces:
                                    vtnet0 - bridged to eth0
                                    vtnet1 - bridged to br0 (192.168.7.1)

                                    My Host is also a web server. I do not know if this is good practice, but br0 is the interface with which host services connect to internet.

                                    Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                                      lockheed

                                      @gjaltemba:

                                      Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                                      No, the other way around:
                                      eth0-WAN-85.x.x.x-vtnet0
                                      br0-LAN-192.168.7.1-vtnet1

                                        gjaltemba

                                        @lockheed:

                                        @gjaltemba:

                                        Does this mean pfsense WAN interface is assigned to vtnet1, has a static ip of 192.168.7.1 and pfsense LAN interface is assigned to vtnet0?

                                        No, the other way around:
                                        eth0-WAN-85.x.x.x-vtnet0
                                        br0-LAN-192.168.7.1-vtnet1

                                        Does 192.168.7.2 have 192.168.7.1 as gateway? I am guessing not because it has internet with pfsense in shutdown.

                                          lockheed

                                          @gjaltemba:

                                          Does 192.168.7.2 have 192.168.7.1 as gateway?

                                          Yes.

                                          @gjaltemba:

                                          I am guessing not because it has internet with pfsense in shutdown.

                                          No, it doesn't. It only has LAN if I set br0 to static IP. I can then connect to it with my laptop (also with static IP) which connects to hostapd (bridged with br0).

                                            hda

                                            @lockheed:

                                            …
                                            Well, I need my server on the LAN to be accessible from WAN.

                                            Test approach: simplify your config, exclude your reliance on aliases & name(s).

                                            You need probably:
                                            [Firewall: NAT: Port Forward] with a rule like:
                                            WAN TCP * * WAN address 80 192.168.x.y 80
