Netgate Discussion Forum
    Firewall rules not working (SSH/HTTP)

    Firewalling
    7 Posts 2 Posters 1.8k Views
    Blaze9

      Hey guys,

      I've set up a pfSense server on a station with 4 NICs (wan, lan, opt1, opt2). My WAN is supplied by my university, and the WAN IP of the box is 10.147.2.10 (supplied by the uni's DHCP). I'm trying to access the pfSense box from the WAN (from a machine "WS1" which has an IP of 10.147.4.110). I have created the following firewall rules:

      Action -> Pass
      Interface -> WAN
      TCP/IP -> IPv4
      Protocol -> TCP
      Source -> WAN Address
      Dest -> WAN Address
      Port Range -> 9090 (what I set the webUI server to use)

      I hit save and then apply. However when I try to access the webUI from WS1 I get a cannot load page, connection timed out.

      I also tried setting up remote SSH to the box with the same setup as before aside from the change of ports (9191 for example) but I can't SSH into the box either.

      I have a cluster of blades sitting on the LAN port, and I configured NAT forwarding for a few SSH servers on the blades. I can access those blades from WS1. But I can't SSH into pfSense…

      Can anyone help me out here? My LAN NAT rules are working perfectly. SSH/HTTP/SQL on the blade cluster can be accessed using the pfSense box's WAN IP from WS1, however I cannot access the pfSense HTTP/SSH servers from WAN at all. I can access pfSense HTTP/SSH from all 3 NICs (LAN/OPT1/OPT2).

      Thank you for your help.

      Derelict LAYER 8 Netgate

        Source should be any unless you want to allow connections only from 10.147.4.110, in which case source should be Single host or alias: 10.147.4.110

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Blaze9

          @Derelict:

          Source should be any unless you want to allow connections only from 10.147.4.110, in which case source should be Single host or alias: 10.147.4.110

          Sorry, yes, the source is 10.147.4.110, not WAN address; that was a typo. I also set it to any, but still nothing.

          I went to the firewall log and added the pass rule from there; that didn't do anything either. Under the firewall log, if I click the info button for the attempted connection, it says "cannot resolve" under the WAN IP of the pfSense box.

          From LAN, OPT1 and OPT2 I can access the webUI using the WAN IP of the box "10.147.2.177", but from outside the LANs I still can't.

          Derelict LAYER 8 Netgate

            Are you sure this isn't some isolation or filtering done on the "WAN" network?

            Blaze9

              What do you mean by isolation or filtering? Do you mean that the university is blocking access? I don't think that's the case because I am able to access the blade cluster sitting behind the pfSense box using the WAN IP of the pfSense box from WS1.

              Derelict LAYER 8 Netgate

                Filtering on the "WAN" that prevents clients on the same network from communicating.

                Do you have Block private networks disabled on WAN?

                Blaze9
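Derelict's diagnosis, as an added illustration that is not part of this thread and not pfSense's own code: a small Python model of the WAN rule order. It assumes what the thread describes, namely that pfSense evaluates rules first-match (its rules carry pf's "quick" keyword) and that the "Block private networks" option inserts block rules for the RFC 1918 ranges ahead of every user rule on WAN. The rule labels and the `Rule`, `Packet`, `evaluate` and `wan_ruleset` names are the example's own; the addresses and port are the constructed values from the first post (WAN 10.147.2.10, WebGUI on 9090, WS1 at 10.147.4.110).

```python
"""Rule-order model for pfSense's "Block private networks" WAN option.

Illustrative model written for this thread, not pfSense's own code and not
the pf ruleset it generates. pfSense emits its rules with pf's "quick"
keyword, so the first matching rule decides. The option places block rules
for the RFC 1918 ranges ahead of every user rule on WAN, so a pass rule for
a 10.x.x.x management station is never reached while the option is enabled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

RFC1918 = [ip_network("10.0.0.0/8"),
           ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    src: IPv4Network       # source network; ANY for "any"
    dst: IPv4Network       # destination network; ANY for "any"
    dport: Optional[int]   # destination TCP port, None for any
    label: str             # hypothetical label, not pfSense's generated text


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    return (pkt.src in rule.src and pkt.dst in rule.dst
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First match wins ("quick"); pfSense's implicit default deny closes the list."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.label
    return "block", "default deny"


def wan_ruleset(wan_ip: str, mgmt_port: int, block_private: bool,
                allowed_src: str = "0.0.0.0/0") -> List[Rule]:
    """Build WAN rules in the assumed pfSense order: option-generated blocks, then the user rule."""
    rules: List[Rule] = []
    if block_private:
        rules.extend(Rule("block", net, ANY, None, f"Block private networks: {net}")
                     for net in RFC1918)
    rules.append(Rule("pass", ip_network(allowed_src), ip_network(f"{wan_ip}/32"),
                      mgmt_port, "user rule: WebGUI from WAN"))
    return rules


def wan_is_private(wan_ip: str) -> bool:
    """True when the WAN address is itself RFC 1918: the option then blocks every peer on that network."""
    addr = ip_address(wan_ip)
    return any(addr in net for net in RFC1918)


if __name__ == "__main__":
    # Constructed from the thread: WS1 connecting to the WebGUI on the WAN address.
    ws1 = Packet(ip_address("10.147.4.110"), ip_address("10.147.2.10"), 9090)
    for enabled in (True, False):
        rules = wan_ruleset("10.147.2.10", 9090, enabled, "10.147.4.110/32")
        print(f"Block private networks={enabled}: {evaluate(rules, ws1)}")
    # A neighbour that is not WS1 still hits the default deny once the option is off.
    other = Packet(ip_address("10.147.4.50"), ip_address("10.147.2.10"), 9090)
    print("other host:", evaluate(wan_ruleset("10.147.2.10", 9090, False, "10.147.4.110/32"), other))
    print("WAN address is RFC 1918:", wan_is_private("10.147.2.10"))
```

With the option on, WS1's connection matches the 10.0.0.0/8 block before the user rule is ever considered, which is exactly the symptom in the thread (a timeout and a block entry for the WAN address in the firewall log). The option exists for a WAN that faces the public Internet; on a campus "WAN" that is itself inside 10.0.0.0/8 it has to be disabled. The third case shows why Derelict's earlier advice still matters: keep the management rule's source as the single host 10.147.4.110 rather than any, so turning the option off does not expose the WebGUI and SSH to every other host on the university network.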

                  @Derelict:

                  Filtering on the "WAN" that prevents clients on the same network from communicating.

                  Do you have Block private networks disabled on WAN?

                  DOH! So simple. Thank you so much!!!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.