
    How to route between 2 LANs?

    Category: Routing and Multi WAN. 31 posts, 4 posters, 9.1k views.
      perfeckdark

      Finally got it to work. I have my server on NIC#2 connected to the VPN and everything else connected to NIC#1 straight to my ISP.

      See attached screenshots (8.png and 9.png).

      The last thing I noticed after getting my Plex resolved is that I am not able to access my webpage from the internet. I use XAMP on port 8080, and before using pfSense I had my store router set to port forward port 80 to my LAN IP 192.168.0.20 port 8080, and it worked fine.
      See screenshot (10.png). I have a firewall rule for WAN to forward destination port 80 (HTTP) packets to the AIRVPN_LAN IP 192.168.123.20 (my server) port 8080,
      but it doesn't work; I keep getting my pfSense login page when I try my domain from the internet.

      Attachments: 8.PNG, 9.PNG, 10.PNG

        Derelict (LAYER 8, Netgate)

        First, Destination Address in your port forwards should not be any, but the appropriate interface address or VIP.

        Second, pfSense is listening on port 80. Set it to HTTPS only and disable the port 80 redirect.

        ![Screen Shot 2016-01-05 at 4.19.32 PM.png](/public/imported_attachments/1/Screen Shot 2016-01-05 at 4.19.32 PM.png)

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          perfeckdark

          Still doesn't work, but at least I'm no longer getting the pfSense login.

          Attachments: 11.PNG, 12.PNG

            Derelict (LAYER 8, Netgate)

            Nobody said anything about setting a source port.


              perfeckdark

              Removed the source ports; still not reaching my server.

                Derelict (LAYER 8, Netgate)

                Post again. This stuff just works.

                Look at EVERYTHING on this list:

                https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting


                  perfeckdark

                  I don't have any other issues port forwarding; as you can see, my Plex and uTorrent port forwards are working fine.
                  I have no firewall on my server, and Windows Firewall is turned off.
                  localhost:8080 displays my webpage, so my server is running fine.

                  Attachment: 13.PNG

                    Derelict (LAYER 8, Netgate)

                    OK don't listen. Not my network to fix.


                      kesawi

                      Do you have a corresponding firewall rule on your WAN? If you selected the appropriate filter rule association when you created the port forward, one should have been created automatically.

                      Action: Pass
                      Interface: WAN
                      TCP/IP Version: IPv4
                      Source: Any
                      Port: Any
                      Destination: 192.168.123.20
                      

                      Have you tried using the squid reverse proxy instead of a port forward?

                        perfeckdark

                        I checked; see screenshot. It appears I do have the rule. I don't have Squid installed.

                        Attachment: 14.PNG

                          Derelict (LAYER 8, Netgate)

                          Also on the list is detailing packet captures. I would packet capture on LAN limiting to ip address 192.168.123.20 on that LAN interface, test a connection from outside, and see what you see. I'll bet you see the connection SYN going out LAN and nothing coming back.


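The one-way SYN pattern Derelict predicts can be picked out of a capture mechanically. This is an added example, not code from the thread: it parses tcpdump-style text (the format pfSense's packet capture page prints) for a constructed sample of three outside clients hitting 192.168.123.20:8080 and classifies each connection attempt; the client addresses in the sample are documentation ranges, not addresses from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of a LAN-side capture filtered on host 192.168.123.20:
# client 203.0.113.5 completes the handshake, 198.51.100.7 retransmits a SYN
# that is never answered, and 192.0.2.9 is reset by the server.
SAMPLE_CAPTURE = """\
16:20:01.000100 IP 203.0.113.5.51234 > 192.168.123.20.8080: Flags [S], seq 1, win 65535, length 0
16:20:01.000400 IP 192.168.123.20.8080 > 203.0.113.5.51234: Flags [S.], seq 9, ack 2, win 65535, length 0
16:20:01.000700 IP 203.0.113.5.51234 > 192.168.123.20.8080: Flags [.], ack 10, win 65535, length 0
16:20:05.000100 IP 198.51.100.7.40001 > 192.168.123.20.8080: Flags [S], seq 1, win 65535, length 0
16:20:06.000100 IP 198.51.100.7.40001 > 192.168.123.20.8080: Flags [S], seq 1, win 65535, length 0
16:20:09.000100 IP 192.0.2.9.60002 > 192.168.123.20.8080: Flags [S], seq 1, win 65535, length 0
16:20:09.000300 IP 192.168.123.20.8080 > 192.0.2.9.60002: Flags [R.], seq 0, ack 2, win 0, length 0
"""
# timestamp, "IP", src.sport > dst.dport, then the TCP flag letters in brackets
LINE_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]"
)

def classify_flows(capture_text, server_ip, server_port):
    """Map each client (ip, port) seen talking to server_ip:server_port to
    'established' (SYN-ACK came back), 'refused' (RST came back) or
    'no-reply' (only client SYNs, nothing back: the symptom Derelict predicts,
    i.e. the forward delivered the SYN but the server or its return path failed)."""
    seen = defaultdict(lambda: {"syn": 0, "synack": False, "rst": False})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.groups()
        if dst == server_ip and int(dport) == server_port:
            if "S" in flags and "." not in flags:        # bare SYN from a client
                seen[(src, int(sport))]["syn"] += 1
        elif src == server_ip and int(sport) == server_port:
            client = (dst, int(dport))
            if "S" in flags and "." in flags:            # SYN-ACK back to the client
                seen[client]["synack"] = True
            elif "R" in flags:                           # RST back to the client
                seen[client]["rst"] = True
    verdicts = {}
    for client, s in seen.items():
        if s["synack"]:
            verdicts[client] = "established"
        elif s["rst"]:
            verdicts[client] = "refused"
        elif s["syn"]:
            verdicts[client] = "no-reply"
    return verdicts
```

A 'no-reply' verdict on a capture taken on the LAN side means the WAN rule and NAT already did their job; the remaining suspects are the host itself and the route its replies take.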
                            perfeckdark

                            I tried packet capture and one other step.

                            Packet capture (see attached) showed nothing except the pfSense connection, nothing on port 80 or 8080.

                            I then shut down the pfSense and removed it from my network. I connected my old router back and fired it up. I tested my website http://threebeesandme.com and it was displayed with no issues (this was using my cell phone with Wi-Fi turned off, cell network only), so that proved GoDaddy is directing the requests to the correct IP and my server is responding correctly. The culprit is pfSense, but I am lost here.

                            Attachment: capture.PNG

                              perfeckdark

                              Weird, tried again and it's working now from the internet (www.threebeesandme.com),
                              but it doesn't work from LAN 192.168.0.1/24 or from VPN_LAN 192.169.123.0/24. Very strange.

                              Attachment: Capture1.PNG

                                Derelict (LAYER 8, Netgate)

                                It is not very strange. It is completely expected. Implement split DNS so your internal hosts connect to an internal IP address.


                                  perfeckdark

                                  Actually, I think it is very strange that from the public internet I could not reach my web server before I did a packet capture. Then, directly after a packet capture, I can, when absolutely no changes were made on pfSense. That is the strange part I am referring to.

                                  How exactly do I implement split DNS while ensuring the 192.168.123.0/24 clients do not leak DNS on the other 192.168.0.0/24 subnet?

                                    Derelict (LAYER 8, Netgate)

                                    Why do you care if DNS leaks to the other subnet? WTF are you worried about exactly?

                                    Say you have external, global DNS that has an A record of 65.65.65.65 for www.mycoolsite.com. Your internal DNS has an A record of 192.168.123.20 for www.mycoolsite.com.

                                    You want ALL internal (Not NAT) hosts to get 192.168.123.20 when they ask for the address of www.mycoolsite.com. You want all external hosts to get 65.65.65.65.

                                    Whether or not the users on 192.168.0.0/24 can access the services on 192.168.123.20 is handled by firewall rules on the 192.168.0.0/24 interface, not DNS.

                                    If you REALLY want to make DNS answers different for clients on 192.168.0.0/24 and 192.168.123.0/24 you are probably looking at BIND and views. I, personally, would use a VM for that, not the BIND package, but people tend to contract a brain virus that makes them try to make pfSense do absolutely everything.

                                    If you stop blaming pfSense you might get your network configured properly. This stuff just works when you do it right. It doesn't pass traffic one minute but not another just because it feels like it - something was changed.


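Derelict's split-DNS picture (internal clients get 192.168.123.20, external clients get 65.65.65.65, and optionally different answers per internal subnet via views) as an added example, not code from the thread. It models BIND-style ordered views selected by the querying client's source address, and shows why an internal client that still receives the public address fails: its connection arrives on the firewall's own address from the inside, where a WAN port forward is not applied.

```python
import ipaddress

# Views are tried in order and the first one whose match_clients contains the
# querying address answers, as BIND's "match-clients" does. Addresses follow
# the thread: 65.65.65.65 is the public A record, 192.168.123.20 the server.
PUBLIC_IP = "65.65.65.65"
INTERNAL_NETS = ("192.168.0.0/24", "192.168.123.0/24")
VIEWS = [
    {"match_clients": INTERNAL_NETS,
     "records": {"www.mycoolsite.com": "192.168.123.20"}},
    {"match_clients": ("0.0.0.0/0",),
     "records": {"www.mycoolsite.com": PUBLIC_IP}},
]
# Per-subnet variant (the BIND-views case from the post): only the
# 192.168.123.0/24 view carries the override, so the other LAN keeps
# resolving the public address.
PER_SUBNET_VIEWS = [
    {"match_clients": ("192.168.123.0/24",),
     "records": {"www.mycoolsite.com": "192.168.123.20"}},
    VIEWS[1],
]

def _in_any(client_ip, nets):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def resolve(client_ip, qname, views=VIEWS):
    """A record the querying client receives; None when the selected view
    has no record for the name (views do not fall through to each other)."""
    name = qname.lower().rstrip(".")
    for view in views:
        if _in_any(client_ip, view["match_clients"]):
            return view["records"].get(name)
    return None

def connection_path(client_ip, qname, views=VIEWS):
    """Where the client's TCP connection to qname ends up after resolving it."""
    target = resolve(client_ip, qname, views)
    if target is None:
        return "nxdomain"
    if target == PUBLIC_IP and _in_any(client_ip, INTERNAL_NETS):
        # An internal client aiming at the public address reaches the
        # firewall's WAN address from the inside; the WAN port forward is not
        # applied there, so the request never reaches 192.168.123.20.
        return "wan-address-from-inside"
    return "direct:" + target
```

Whether the 192.168.0.0/24 clients may then talk to 192.168.123.20 is, as the post says, a firewall-rule question on that interface; the views only decide which address they are handed.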
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.