Netgate Discussion Forum

    Port Forward to WAN on internal address?

    NAT
    15 Posts 3 Posters 5.0k Views
    • KOM

      Did you uncheck the Block private networks and Block bogon networks in the WAN Interface details?  You have a complimentary firewall rule for each NAT rule you have added?

      • celtica

        I did uncheck block private networks, I believe I still have Block Bogon checked, though. I will try unchecking it.

        Yes, I have the rules as well - at work now, but will post what they list as later on.

        • KOM

          I believe there may be some overlap between private nets and bogons, so unchecking both would be best to test.  Otherwise, please post screenshots of your NAT rules and WAN firewall rules.  Obscure any public IP space before you post them.

          • celtica

            Unchecked both private and bogon: still can't get through.  :(

            Screenshots are attached.

            SNAG-16012217392800.png
            SNAG-16012217411300.png

            • Derelict (LAYER 8, Netgate)

              went through everything in that link, multiple times

              The port forward must be done on your ISP router and pfSense.

              Item #8 in Common Problems

              Better yet is to put your ISP router in bridge mode.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              • celtica

                Talked to my ISP earlier - they were forwarding ports 3389 and 22, and have now opened all of the ports (except for 25 and 80) - I am going to ask about bridged mode. The funny thing is I can unplug the pfSense PC and put my old D-Link wireless router on and it works fine.

                • Derelict (LAYER 8, Netgate)

                  Packet capture on WAN will show the connections coming in if the ISP modem is forwarding the traffic like they say they are.

                  You can easily filter for only the outside IP address you are testing from or just, say port 22.


                  • celtica

                    So I talked to my ISP, asked them to put their modem into Bridge mode, they did.

                    Still not getting through. Ran a packet capture on both 3389 and 22, with the IP I was connecting from and with no IP… no traffic seems to be getting through. I then ran the capture with no IP or port entered and it appears some traffic is flowing:

                    20:16:40.768733 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
                    20:16:40.768843 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
                    20:16:40.768958 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
                    20:16:40.773032 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
                    20:16:40.773040 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
                    20:16:40.773047 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
                    20:16:40.773676 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
                    20:16:40.773791 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
                    20:16:40.776783 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
                    20:16:40.776906 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
                    20:16:40.778504 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
                    20:16:40.778520 IP 162.208.20.242.80 > 192.168.20.33.52620: tcp 0
                    20:16:40.778907 IP 192.168.20.33.52620 > 162.208.20.242.80: tcp 783
                    20:16:40.783730 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
                    20:16:40.787775 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
                    20:16:40.788566 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348

                    • KOM

                      I'm a little confused here.  Your port forward is to 192.168.1.104.  Your traces are all referring to the target 192.168.20.33.  None of the ports you are forwarding are being referenced at all.  ???

                      • celtica

                        Yes, I am not sure what is going on… the 192.168.20.33 is the address of my pfSense WAN port connected directly to the ISP modem.

                        Another weird thing; I was checking on whatsmyip.org for open ports. I added another rule for VNC to see if I could access that way. On the port scanner everything shows as closed - which makes sense, there are no rules doing the forwarding. The ports that I have made rules for (MSRDP, VNC, SSH) all show as Timed Out instead of closed. Funny enough, ports HTTP, HTTPS & FTP all show as open.

                        • Derelict (LAYER 8, Netgate)

                          If 192.168.20.33 is your pfSense WAN port then either your modem isn't in bridge mode or your ISP hands out RFC1918 addresses to their customers. In either case an inbound port forward will require:

                          Modem not in bridge mode: A port forward on the ISP modem/router

                          Modem is in bridge mode: A port forward by your ISP on some globally-routable IP address to your WAN address.


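Derelict's packet-capture suggestion and the WAN-address diagnosis in the post just above, as an added example that is not from this thread: a Python script that parses lines in the tcpdump-style format pfSense's packet capture page prints (the format of celtica's capture), counts inbound packets to the forwarded ports on the WAN address, optionally filtered to the outside test host, and flags a WAN address in RFC1918 space as the double-NAT indicator. The sample capture lines, the test host 203.0.113.7 and the function names are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample in the tcpdump-style format pfSense's packet capture
# page prints (not the thread's own capture): only the third line is an
# inbound packet to a forwarded port, sent by the constructed test host.
SAMPLE_CAPTURE = """\
20:16:40.768733 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
20:16:40.773032 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
20:16:41.100000 IP 203.0.113.7.51234 > 192.168.20.33.22: tcp 0
20:16:41.200000 IP 192.168.20.33.22 > 203.0.113.7.51234: tcp 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<proto>\w+) (?P<len>\d+)$"
)


def parse_line(line):
    """Split one capture line into addresses and ports; None if not a packet."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = m.group("src").rsplit(".", 1)  # last dot separates port
    dst_ip, dst_port = m.group("dst").rsplit(".", 1)
    return {"ts": m.group("ts"), "proto": m.group("proto"),
            "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}


def check_forward(capture_text, wan_ip, forwarded_ports, test_src=None):
    """Count inbound packets per forwarded port and flag a private WAN address."""
    hits = {p: 0 for p in forwarded_ports}
    for line in capture_text.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dst"] != wan_ip:
            continue  # outbound or unparseable: not evidence of a forward
        if test_src is not None and pkt["src"] != test_src:
            continue  # same narrowing as the capture page's host field
        if pkt["dport"] in hits:
            hits[pkt["dport"]] += 1
    return {
        # RFC1918 on WAN means an upstream device is still NATting for you
        "wan_is_private": ipaddress.ip_address(wan_ip).is_private,
        "inbound_hits": hits,
        "missing_ports": sorted(p for p, n in hits.items() if n == 0),
    }


if __name__ == "__main__":
    print(check_forward(SAMPLE_CAPTURE, "192.168.20.33", [22, 3389], "203.0.113.7"))
```

A port listed under missing_ports with a private WAN address points at the upstream ISP device rather than at the pfSense NAT or firewall rules.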
                          • celtica

                            Got it sorted out.

                            After working with my ISP, they explained that their equipment doesn't actually support bridged mode; they set up a DMZ of sorts and just call it bridged, and then they forward all traffic from the public IP to a private IP… when going through all of the settings, they realized they were forwarding the public IP traffic to the wrong private IP (the 192.168.20.33 IP) - they set it to the correct IP, and everything is working now.

                            Thanks so much for everyone's help!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.