New unit setup not allowing ports to be opened
-
Hi all,

This is my second attempt at getting pfSense going after consumer routers keep giving up, but no matter what I try, I can't get it to open up any ports on my firewall.

I have WAN 10.20.20.3/24 GW 10.20.20.1 and WAN2 10.10.1.27/16 GW 10.10.1.1 in failover, and 1 LAN port 192.168.0.0/16 GW 192.168.1.1.

I am setting the rules from the NAT tab on WAN and allowing rules to be created by adding the associated filter rule.

1. I have gateways set up for both WANs and I have set them both as static IPv4, behind other routers where this pfSense is set to be inside the DMZ.
2. I am not forwarding any ports on wangroup or WAN2.
3. I have no rules set up for wangroup or WAN2.
4. "Disable reply-to" is UNTICKED.
5. I have tried multiple different ways to add the rules; for example they are set to ANY address, as that is the last thing that I tried.
6. I have more to open but these are the beginning.

EDIT… WAN1 was behind a Virgin Media Super Hub set to modem only, but this was then only set to DHCP. I read that the WAN interface needs to have a gateway selected, which was not possible due to the DHCP ISP, so for this reason I have set it back up as a router, placed pfSense in the DMZ and forwarded ALL ports to the pfSense IP. The only ports that are open are 21, 8443, 8080.
Gateways

| Name | Interface | Gateway | Monitor IP | Description |
| --- | --- | --- | --- | --- |
| WAN2GW | WAN2 | 10.10.1.1 | 10.10.1.1 | Wan 2 Gateway |
| WANGW (default) | WAN | 10.20.20.1 | 10.20.20.1 | Wan 1 Gateway |

Gateway Groups

| Group Name | Gateways | Priority | Description |
| --- | --- | --- | --- |
| gwgroup | WAN2GW | Tier 2 | |
| | WANGW | Tier 1 | |

Interface Groups

| Name | Members | Description |
| --- | --- | --- |
| wangroup | WAN, WAN2 | wan group |

NAT

| Interface | Protocol | Source Address | Source Ports | Dest. Address | Dest. Ports | NAT IP | NAT Ports | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| WAN | UDP | * | * | * | 4500 (IPsec NAT-T) | 192.168.1.17 | 4500 (IPsec NAT-T) | xbox one 4500 |
| WAN | UDP | * | * | * | 3544 (Teredo) | 192.168.1.17 | 3544 (Teredo) | xbox one 3544 |
| WAN | UDP | * | * | * | 500 (ISAKMP) | 192.168.1.17 | 500 (ISAKMP) | xbox one 500 |
| WAN | TCP | * | * | * | 80 (HTTP) | 192.168.1.17 | 80 (HTTP) | xbox one 80 |
| WAN | TCP/UDP | * | * | * | 53 (DNS) | 192.168.1.17 | 53 (DNS) | xbox one 53 |
| WAN | TCP/UDP | * | * | * | 3074 | 192.168.1.17 | 3074 | xbox one 3074 |
| WAN | UDP | * | * | * | 88 | 192.168.1.17 | 88 | xbox one 88 |
| WAN | TCP | * | * | WAN address | 21 (FTP) | 192.168.1.6 | 21 (FTP) | attic ftp |
| WAN | TCP/UDP | * | * | WAN address | 8443 | 192.168.1.6 | 8443 | unifi 8443 |
| WAN | TCP/UDP | * | * | WAN address | 8080 | 192.168.1.6 | 8080 | unifi 8080 |

RULES
Rules (Drag to Change Order)

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0/1023 KiB | * | RFC 1918 networks | * | * | * | * | * | | Block private networks |
| 0/31 KiB | * | Reserved / Not assigned by IANA | * | * | * | * | * | | Block bogon networks |
| 0/686 KiB | IPv4 TCP/UDP | * | * | 192.168.1.6 | 8080 | * | none | | NAT unifi 8080 |
| 0/181 KiB | IPv4 TCP/UDP | * | * | 192.168.1.6 | 8443 | * | none | | NAT unifi 8443 |
| 0/1 KiB | IPv4 TCP | * | * | 192.168.1.6 | 21 (FTP) | * | none | | NAT attic ftp |
| 0/28 B | IPv4 UDP | * | * | 192.168.1.17 | 88 | * | none | | NAT xbox one 88 |
| 0/0 B | IPv4 TCP/UDP | * | * | 192.168.1.17 | 3074 | * | none | | NAT xbox one 3074 |
| 0/88 B | IPv4 TCP/UDP | * | * | 192.168.1.17 | 53 (DNS) | * | none | | NAT xbox one 53 |
| 0/88 B | IPv4 TCP | * | * | 192.168.1.17 | 80 (HTTP) | * | none | | NAT xbox one 80 |
| 0/220 B | IPv4 UDP | * | * | 192.168.1.17 | 500 (ISAKMP) | * | none | | NAT xbox one 500 |
| 0/0 B | IPv4 UDP | * | * | 192.168.1.17 | 3544 (Teredo) | * | none | | NAT xbox one 3544 |
| 0/28 B | IPv4 UDP | * | * | 192.168.1.17 | 4500 (IPsec NAT-T) | * | none | | NAT xbox one 4500 |
My failover works fine.
Any help with this would be great!!
Thanks in advance
-
Dude.
- WTH, you have /16 on both your WANs? So that it'd overlap and cease working?
- What exactly is "behind other routers where this pfsense is set to be inside DMZ"? Trying to port forward something on an RFC1918 WAN behind other routers and firewalls won't be exactly a productive experience, since that's not where you need to port-forward in the first place.
-
WAN1: there is nothing behind it other than this pfSense box.
WAN2 is a connection used for wifi access to customers in a busy shop; this is why it is set to /16, because /24 wasn't giving enough leases and I just set it to this for ease.
This is just the backup so I'm not really bothered about the ports being forwarded on this connection.
-
> WAN2 is a connection used for wifi access to customers in a busy shop; this is why it is set to /16, because /24 wasn't giving enough leases and I just set it to this for ease.

?!?! That'd be a (W)LAN, not WAN. ?!?!
??? ??? ???
-
"wan2 is a connection used for wifi access to customers in a busy shop"
How is that a WAN?? So you're leveraging some wifi network as a pfSense backup WAN connection? Confused.. Why does a /16 on that interface have you putting a /16 on your other?
So did you go through the port forwarding troubleshooting?
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
Step 1, to be honest: is the traffic you're wanting to forward even getting to pfSense? You have RFC1918 on your WANs, so did you uncheck block RFC1918?? Because that is on out of the box.. So if some NAT router in front forwards to the pfSense RFC1918 address, it won't get past that rule..
Even with your ASCII art vs just posting an easy to read screenshot, I can see that you still have that rule enabled:

| States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0/1023 KiB | * | RFC 1918 networks | * | * | * | * | * | | Block private networks |

And looks like lots of hits to it even with the 1023 number..
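The "is the traffic even getting past the first rule" point above can be checked on paper with a small model of the posted WAN tab. The block below is an added example written for this thread, not pfSense or pf source code: it replays pfSense's first-match ("quick") evaluation over the rules shown in the original post, with the "Block private networks" rule at the top and the NAT-associated filter rules under it. Assumptions are flagged in the comments: the bogon rule is omitted, 203.0.113.5 (a TEST-NET-3 documentation address) stands in for an Internet client, and 10.20.20.1 stands in for any host on the upstream 10.20.20.0/24 (or an upstream router that rewrites the source address) hitting the forward. Because pf applies the port-forward (rdr) translation before the filter rules, packets are fed to the model with the internal destination already substituted, which is why the associated rules match on 192.168.1.x.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model of WAN rule evaluation for the ruleset in the post;
# illustrative code only, not pfSense's or pf's implementation.
# Assumptions: the bogon rule is left out (it does not affect the addresses
# used here), and only protocol/source/destination/port are matched.

RFC1918 = tuple(
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source address as seen on the WAN interface
    dst: str     # destination address after rdr, i.e. the internal host
    dport: int


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    description: str
    proto: Optional[str] = None  # None matches both TCP and UDP
    src_rfc1918: bool = False    # True: source must be an RFC 1918 address
    dst: Optional[str] = None    # None matches any destination
    dport: Optional[int] = None  # None matches any port
    hits: int = 0                # analogue of the States counter in the GUI


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_rfc1918 and not is_rfc1918(pkt.src):
        return False
    if rule.dst is not None and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins (pfSense GUI rules are 'quick').
    No match on a WAN interface means the implicit default deny."""
    for rule in rules:
        if matches(rule, pkt):
            rule.hits += 1
            return rule.action, rule.description
    return "block", "default deny"


def wan_ruleset(block_private_networks: bool = True):
    """The WAN tab from the post, in display order."""
    rules = []
    if block_private_networks:
        rules.append(Rule("block", "Block private networks", src_rfc1918=True))
    forwards = [
        ("192.168.1.6", 8080, None, "NAT unifi 8080"),
        ("192.168.1.6", 8443, None, "NAT unifi 8443"),
        ("192.168.1.6", 21, "tcp", "NAT attic ftp"),
        ("192.168.1.17", 88, "udp", "NAT xbox one 88"),
        ("192.168.1.17", 3074, None, "NAT xbox one 3074"),
        ("192.168.1.17", 53, None, "NAT xbox one 53"),
        ("192.168.1.17", 80, "tcp", "NAT xbox one 80"),
        ("192.168.1.17", 500, "udp", "NAT xbox one 500"),
        ("192.168.1.17", 3544, "udp", "NAT xbox one 3544"),
        ("192.168.1.17", 4500, "udp", "NAT xbox one 4500"),
    ]
    for dst, port, proto, desc in forwards:
        rules.append(Rule("pass", desc, proto=proto, dst=dst, dport=port))
    return rules


def hit_report(rules) -> dict:
    """Which rules consumed traffic, like the States column in the GUI."""
    return {r.description: r.hits for r in rules if r.hits}


if __name__ == "__main__":
    rules = wan_ruleset()
    # 203.0.113.5 is a TEST-NET-3 documentation address standing in for an
    # Internet client; 10.20.20.1 stands in for an RFC 1918 upstream source.
    for pkt in (Packet("tcp", "203.0.113.5", "192.168.1.6", 8443),
                Packet("tcp", "10.20.20.1", "192.168.1.6", 8443),
                Packet("udp", "203.0.113.5", "192.168.1.6", 21)):
        print(pkt, "->", evaluate(rules, pkt))
    print(hit_report(rules))
```

Running it shows the three cases that matter for the thread: an Internet source reaches the UniFi forward, an RFC 1918 source is eaten by "Block private networks" before the NAT rule is ever consulted (and the counter on that rule grows, which is what the 1023 KiB in the screenshot is showing), and with the block rule disabled the same packet passes. Anything not covered by a forward, such as UDP to port 21, falls through to the default deny.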
-
> WAN2 is a connection used for wifi access to customers in a busy shop; this is why it is set to /16, because /24 wasn't giving enough leases and I just set it to this for ease.
>
> ?!?! That'd be a (W)LAN, not WAN. ?!?!
> ??? ??? ???

This is my fault for not explaining correctly.
It is a WAN connection, not WLAN. Upstream of pfSense (in a different building) there is another router that manages DHCP for wifi access.
-
> "wan2 is a connection used for wifi access to customers in a busy shop"
> How is that a WAN?? So you're leveraging some wifi network as a pfSense backup WAN connection? Confused.. Why does a /16 on that interface have you putting a /16 on your other?
> So did you go through the port forwarding troubleshooting?
> https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
> Step 1, to be honest: is the traffic you're wanting to forward even getting to pfSense? You have RFC1918 on your WANs, so did you uncheck block RFC1918?? Because that is on out of the box.. So if some NAT router in front forwards to the pfSense RFC1918 address, it won't get past that rule..
> Even with your ASCII art vs just posting an easy to read screenshot, I can see that you still have that rule enabled:
>
> | States | Protocol | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
> | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
> | 0/1023 KiB | * | RFC 1918 networks | * | * | * | * | * | | Block private networks |
>
> And looks like lots of hits to it even with the 1023 number..

Apologies for not explaining myself correctly; the wifi access is upstream, controlled by another router.
Also, I have checked, the WAN1 is a /24 subnet (I got the figure wrong when typing it in).
Good spot on the private network block. I have now disabled these rules.
I will post screenshots later today as I am using TeamViewer for access as I am out at work.
I have read some of the troubleshooting and will go through it in more detail later.

So do I need to set any rules to allow wangroup to communicate with WAN and WAN2?
-
"so do I need to set any rules to allow wangroup to communicate with WAN and WAN2?"
Yeah, you could allow traffic from one WAN to talk to another WAN through pfSense.. You're going to run into asymmetrical routing, unless you also NAT traffic into WAN1 from WAN2 as your WAN1 address, etc. Why would devices on WAN2 want to talk to devices on WAN1? And why would they be using the pfSense WAN2 address as their gateway?
These are not really WANs, they are just upstream networks from your downstream pfSense. You would normally route traffic between these upstream networks at the upstream router(s), not on some downstream router that is not their gateway, etc.
Why don't you draw up your network and what exactly it is you're wanting to do/accomplish.. So far it sounds like you're going about it all wrong.. While pfSense for sure can be a downstream router/firewall in a larger network, why are you NATting on it if you're already on a larger RFC1918 network?
And if you're on a larger RFC1918 network, why would you want/need to set up multiple gateways into what amounts to the same larger network? A drawing would be of great help in understanding what you're trying to do…
-
As I mentioned above:
> EDIT… WAN1 was behind a Virgin Media Super Hub set to modem only, but this was then only set to DHCP. I read that the WAN interface needs to have a gateway selected, which was not possible due to the DHCP ISP.

The only reason that the main connection is behind another "router" is because I read that port forwarding may not work on a failover connection unless BOTH WAN connections have a gateway set, and this does not get set with a DHCP connection (or at least I couldn't find a way to do this).
If this is not the case, I can turn the "router" back into modem only mode and have WAN1 set to DHCP.
Here is my basic network map.
The only thing upstream of WAN1 is the router 10.20.20.1.
The only client to this network is pfSense.

![network drawing2.jpg](/public/imported_attachments/1/network drawing2.jpg)
-
Ok, I would not connect it like that. Why would your APs not be behind pfSense?
So you end up with this.
You can use public on pfSense WAN connections, or if need be they could be some RFC1918 transit network that does not conflict with any of your other networks.. They sure don't need to be /16s; they could be a normal transit network of /30 if you cannot put your ISP devices in bridge mode so that pfSense actually gets a public IP. Public on the WAN of pfSense would be the preferred setup so you're not having to double NAT or port forward in multiple places, etc.
Now traffic between your local networks does not have to NAT. You can just create easy firewall rules between your local networks, no port forwarding between them. You can policy route any of your local networks out either of your WAN connections. Or can set up load balancing or failover, etc etc..
You can use whatever sized network you need for your AP and wireless clients.. /16 seems really LARGE ;) How many wifi clients do you normally have? If your AP supports VLANs and the switch they are connected to does as well, then you could run multiple different wifi networks with different rules to allow/block/etc for say guests or your devices, etc..
-
Thanks for the quick reply.

> Ok, I would not connect it like that. Why would your APs not be behind pfSense?

These are the APs only for ISP2 and customer wifi in the shop. I have 5 others on my actual home network (they were not included in the drawing as they are not an issue).

> wireless clients.. /16 seems really LARGE ;) How many wifi clients do you normally have?

I did have /24 to start but changed to /16 after the 3 hour DHCP period was getting filled.. On a busy day it has gone up to 300-350, but usually it's around 200-250.

> You can use public on pfSense WAN connections, or if need be they could be some RFC1918 transit network that does not conflict with any of your other networks.. They sure don't need to be /16s; they could be a normal transit network of /30 if you cannot put your ISP devices in bridge mode so that pfSense actually gets a public IP. Public on the WAN of pfSense would be the preferred setup so you're not having to double NAT or port forward in multiple places, etc.

Yes, the main ISP WAN1 can be placed in bridge mode. It was in this mode. When my port forwarding did not work I read that all WANs needed a gateway defined to port forward correctly and changed it.

> If your AP supports VLANs and the switch they are connected to does as well.

The APs do but my switching doesn't. I am using unmanaged 24 and 8 port switches.
Unfortunately, designing the network the way you say is not doable. There is only 1 cable running between the two buildings.
I have thought about this for a while, but until I move house this won't be redesigned. This setup I have here has worked fine as it is with port forwarding and everything I need it to with consumer grade routers; I have not had any trouble port forwarding until it comes to pfSense.
-
"these are the APs only for ISP2 and customer wifi in the shop"
What does that have to do with anything? Let me think about it - oh yeah, nothing ;) Put them behind pfSense. Route them out ispX.. Allow, if needed, access into your network, etc.. That point is a non sequitur for putting the connection behind pfSense.
"there is only 1 cable running between the two buildings"
Again confused as to what that has to do with anything.. So ISP1 is in building 1 and ISP2 is in building 2? Or both are in a building and you need both access in another building? Either way you can still connect these networks to pfSense no matter what building pfSense is in, and could use 1 wire if need be. That is the whole beauty of VLANs..
"this setup I have here has worked fine as it is with port forwarding and everything I need it to with consumer grade routers"
How so - you seem to be here on pfSense asking questions.. So not sure I would agree that all is fine ;)
Ok, busy day 350.. So use a /23 ;) Now you have 500 IPs to work with.. As to your ISP devices, if only 1 can be in bridge mode, ok use that in bridge mode - if your other cannot then you use an RFC1918 transit on that connection..
As to a WAN needing a gateway.. Yeah they do.. How else would it be a WAN if it had no gateway to get anywhere but the network it was connected to? If your ISP device is in bridge mode then your pfSense would get a public IP, with a gateway address to your ISP..
Smart switches that do VLANs can be had for very small budgets.. You could get an 8 port gig smart switch that does VLANs for like $40.. Larger port density smart/managed switches go up a bit more in $.. But still very reasonable, home budget doable.. Here is a managed 24 port gig switch for $215.. Very home budget friendly:
https://store.ubnt.com/unifi/unifi-switch-24.html
Do what you want, just suggesting that if you have migrated to pfSense from SOHO routers.. Why not design/set up your network so that you can leverage the features that pfSense brings to the table, etc. Once you want to start segmenting your networks, it's time to migrate to at least entry level smart switches that can handle segmentation via VLANs.
-
I appreciate the help with trying to redesign my network, but for now it is ok; I don't want to or plan to redesign anything any time soon.
Yes, I know that this setup is not ideal in any world, but it has evolved and been added to over a few years. I have wanted to use pfSense for a while because of just doing it.
**"this setup I have here has worked fine as it is with port forwarding and everything I need it to with consumer grade routers"
How so - you seem to be here on pfSense asking questions.. So not sure I would agree that all is fine ;)**
When your router physically fails 1 week before Christmas there aren't many options, so I thought that I would give pfSense a go…
It was either that or order another one of the same, or even a Ubiquiti ER Lite (all of my APs are Ubiquiti). With my previous router, an Asus RT-AC87U, my network setup was the same as this: port forwarding working fine, VPN server, dual WAN failover, dynamic DNS.
But as with anything, budget is always a problem, especially this close to Christmas. I did not have another £180 to spend on the router. I already had a PC and dual NIC available.
So please, I am just asking for help with forwarding the ports through WAN1 correctly.
Later on today I will amend the WAN1 upstream router back to bridge and change WAN1 mode to DHCP.
-
Update, I have now changed things.
Upstream:
WAN1: ISP is now in bridge mode, directly connected to pfSense, and pfSense is set to DHCP on WAN1.
WAN2: changed the upstream router; now set to 10.10.1.1/24.
pfSense now set to 192.168.1.1/24.