Netgate Discussion Forum

New unit setup not allowing ports to be opened

Firewalling | 14 Posts | 3 Posters | 1.5k Views
johnpoz (LAYER 8 Global Moderator):

"wan2 is a connection used for wifi access to customers in a busy shop"

How is that a WAN?? So you're leveraging some wifi network as the pfSense backup WAN connection? Confused.. Why does a /16 on that interface have you putting a /16 on your other?

So did you go through the port forwarding troubleshooting?
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Step 1, to be honest: is the traffic you're wanting to forward even getting to pfSense? You have RFC 1918 on your WANs - so did you uncheck block RFC 1918?? Because that is on out of the box.. So if some NAT router in front forwards to a pfSense RFC 1918 address, it won't get past that rule..

Even with your ASCII art vs just posting an easy to read screenshot, I can see that you still have that rule enabled:

States     | Protocol | Source            | Port | Destination | Port | Gateway | Queue | Schedule | Description            | Actions
0/1023 KiB | *        | RFC 1918 networks | *    | *           | *    | *       | *     |          | Block private networks |

And it looks like lots of hits to it, even with the 1023 number..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

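As an added example (not code from the thread or from pfSense itself), here is a small Python model of that first troubleshooting step: a WAN ruleset is evaluated first-match-wins, with the out-of-the-box "Block private networks" rule ahead of the pass rule a port forward creates, so any packet whose source is in an RFC 1918 range is dropped before the forward is ever considered. The pfSense WAN1 address 10.20.20.2, the forwarded port 443 and the source addresses are constructed values (the thread only gives the upstream router 10.20.20.1), and the rule semantics are simplified to source/destination/port matching.

```python
"""Model of pfSense's "Block private networks" WAN rule sitting in front of a
port-forward pass rule.  Added example, not pfSense code: rule matching is
simplified to source network, destination address, destination port and
protocol, evaluated first-match-wins with a default deny at the end.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# The RFC 1918 ranges that the "Block private networks" option matches on.
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "block" or "pass"
    src_nets: tuple = ()             # empty tuple = any source
    dst: Optional[str] = None        # None = any destination address
    dport: Optional[int] = None      # None = any destination port
    proto: Optional[str] = None      # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        if self.src_nets and not any(ip_address(pkt.src) in n for n in self.src_nets):
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return True


def block_private_rule() -> Rule:
    """The rule pfSense enables by default on a WAN: drop RFC 1918 sources."""
    return Rule("Block private networks", "block", src_nets=RFC1918)


def port_forward_rule(wan_ip: str, port: int, proto: str = "tcp") -> Rule:
    """The associated pass rule a port forward adds (simplified: no NAT applied)."""
    return Rule(f"NAT {proto}/{port} to internal host", "pass",
                dst=wan_ip, dport=port, proto=proto)


def wan_ruleset(wan_ip: str, port: int, block_private: bool = True) -> List[Rule]:
    """Build the WAN ruleset in pfSense order: block-private first, then the forward."""
    rules = [block_private_rule()] if block_private else []
    rules.append(port_forward_rule(wan_ip, port))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; default deny otherwise."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "block", "default deny"


if __name__ == "__main__":
    WAN1 = "10.20.20.2"          # constructed: pfSense WAN1 on the 10.20.20.0/24 transit
    # Constructed test packets: one from a host on the upstream network, one from
    # a public address, and one to a port that is not forwarded.
    packets = [
        Packet("10.20.20.50", WAN1, 443),
        Packet("203.0.113.7", WAN1, 443),
        Packet("203.0.113.7", WAN1, 8443),
    ]
    for block_private in (True, False):
        rules = wan_ruleset(WAN1, 443, block_private=block_private)
        print(f"Block private networks: {'on' if block_private else 'off'}")
        for pkt in packets:
            action, name = evaluate(rules, pkt)
            print(f"  {pkt.src} -> {pkt.dst}:{pkt.dport}  {action:5}  ({name})")
```

With the rule on, a test from anywhere inside the upstream 10.20.20.0/24 network is counted against "Block private networks" and never reaches the forward, which is exactly the state counter the table above shows; with it off, the forward is reached. Turning the option off is the right call only when the WAN sits on a private transit network, because from then on you rely on the upstream router to keep stray private-sourced traffic off that link.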
amt1989:

@doktornotor:

    @amt1989:

        wan2 is a connection used for wifi access to customers in a busy shop - this is why it is set to /16, because /24 wasn't giving enough leases and I just set it to this for ease

    ?!?! That'd be a (W)LAN, not WAN. ?!?!

This is my fault for not explaining correctly:
it is a WAN connection, not WLAN.

Upstream of pfSense (in a different building) there is another router that manages DHCP for wifi access.

amt1989:

@johnpoz: [quoted reply above]

Apologies for not explaining myself correctly, the wifi access is upstream, controlled by another router.

Also I have checked, WAN1 is a /24 subnet (I got the figure wrong when typing it in).

Good spot on the private network block. I have now disabled these rules.

I will post screenshots later today, as I am using TeamViewer for access as I am out at work.
I have read some of the troubleshooting and will go through it in more detail later.

So do I need to set any rules to allow wangroup to communicate with WAN and WAN2?

johnpoz (LAYER 8 Global Moderator):

"so do I need to set any rules to allow wangroup to communicate with WAN and WAN2?"

Yeah, you could allow traffic from one WAN to talk to another WAN through pfSense.. You're going to run into asymmetrical routing, unless you also NAT traffic into WAN1 from WAN2 as your WAN1 address, etc. Why would devices on WAN2 want to talk to devices on WAN1? And why would they be using the pfSense WAN2 address as their gateway?

These are not really WANs, they are just upstream networks from your downstream pfSense. You would normally route traffic between these upstream networks at the upstream router(s), not on some downstream router that is not their gateway, etc.

Why don't you draw up your network and what exactly it is you're wanting to do/accomplish.. So far it sounds like you're going about it all wrong.. While pfSense for sure can be a downstream router/firewall in a larger network, why are you NATting on it if you're already on a larger RFC 1918 network?

And if you're on a larger RFC 1918 network, why would you want/need to set up multiple gateways into what amounts to the same larger network? A drawing would be of great help in understanding what you're trying to do...


amt1989:

As I mentioned above.

EDIT... WAN1 was behind a Virgin Media Super Hub set to modem only, but this was then only set to DHCP. I read that the WAN interface needs to have a gateway selected, which was not possible due to the DHCP ISP.

The only reason that the main connection is behind another "Router" is because I read that port forwarding may not work on a failover connection unless BOTH WAN connections have a gateway set, and this does not get set with a DHCP connection (or at least I couldn't find a way to do this).

If this is not the case, I can turn the "Router" back into modem only mode and have WAN1 set to DHCP.

Here is my basic network map.

The only thing upstream of WAN1 is the router 10.20.20.1.
The only client to this network is pfSense.

![network drawing2.jpg](/public/imported_attachments/1/network drawing2.jpg)

johnpoz (LAYER 8 Global Moderator):

Ok, I would not connect it like that. Why would your APs not be behind pfSense?

So you end up with this.

You can use public on pfSense WAN connections, or if need be they could be some RFC 1918 transit network that does not conflict with any of your other networks.. They sure don't need to be /16s; they could be a normal transit network of /30 if you cannot put your ISP devices in bridge mode so that pfSense actually gets a public IP. Public on the WAN of pfSense would be the preferred setup, so you're not having to double NAT or port forward in multiple places, etc.

Now traffic between your local networks does not have to NAT. You can just create easy firewall rules between your local networks, no port forwarding between them. You can policy route any of your local networks out either of your WAN connections. Or you can set up load balancing or failover, etc etc..

You can use whatever sized network you need for your AP and wireless clients.. /16 seems really LARGE ;) How many wifi clients do you normally have? If your AP supports VLANs and the switch they are connected to does as well, then you could run multiple different wifi networks with different rules to allow/block/etc for say guests or your devices, etc..

[attachment: likethis.png]


amt1989:

Thanks for the quick reply.

    Ok, I would not connect it like that. Why would your APs not be behind pfSense?

These are the APs only for ISP2 and customer wifi in the shop.

I have 5 others on my actual home network (they were not included in the drawing as they are not an issue).

    wireless clients.. /16 seems really LARGE ;) How many wifi clients do you normally have?

I did have /24 to start but changed to /16 after the 3 hour DHCP period was getting filled.. On a busy day it has gone up to 300-350,
but usually it's around 200-250.

    You can use public on pfSense WAN connections, or if need be they could be some RFC 1918 transit network that does not conflict with any of your other networks.. They sure don't need to be /16s; they could be a normal transit network of /30 if you cannot put your ISP devices in bridge mode so that pfSense actually gets a public IP. Public on the WAN of pfSense would be the preferred setup, so you're not having to double NAT or port forward in multiple places, etc.

Yes, the main ISP WAN1 can be placed in bridge mode. It was in this mode. When my port forwarding did not work I read that all WANs needed a gateway defined to port forward correctly, and changed it.

    If your AP supports VLANs and the switch they are connected to does as well.

The APs do but my switching does not. I am using unmanaged 24 & 8 port switches.

Unfortunately, designing the network the way you say is not doable. There is only 1 cable running between the two buildings.
I have thought about this for a while, but until I move house this won't be redesigned.

This setup I have here has worked fine as it is with port forwarding and everything I need it to with consumer grade routers. I have not had any trouble port forwarding until it comes to pfSense.

johnpoz (LAYER 8 Global Moderator):

"these are the APs only for ISP2 and customer wifi in the shop"

What does that have to do with anything? Let me think about it - oh yeah, nothing ;) Put them behind pfSense. Route them out ISPx.. Allow, if needed, access into your network, etc.. That point is a non sequitur for putting the connection behind pfSense.

"there is only 1 cable running between the two buildings"

Again, confused as to what that has to do with anything.. So ISP1 is in building 1 and ISP2 is in building 2? Or both are in a building and you need both accessed in another building? Either way you can still connect these networks to pfSense no matter what building pfSense is in, and could use 1 wire if need be. That is the whole beauty of VLANs..

"this setup I have here has worked fine as it is with port forwarding and everything I need it to with consumer grade routers"

How so - you seem to be here on pfSense asking questions.. So not sure I would agree that all is fine ;)

Ok, busy day 350.. So use a /23 ;) Now you have 500 IPs to work with.. As to your ISP devices, if only 1 can be in bridge mode, ok use that in bridge mode - if your other cannot, then you use an RFC 1918 transit on that connection..

As to a WAN needing a gateway.. Yeah, they do.. How else would it be a WAN if it had no gateway to get anywhere but the network it was connected to? If your ISP device is in bridge mode then your pfSense would get a public IP, with a gateway address to your ISP..

Smart switches that do VLANs can be had for very small budgets.. You could get an 8 port gig smart switch that does VLANs for like $40.. Larger port density smart/managed switches get a bit more in $.. But still very reasonable, home budget doable.. Here is a managed 24 port gig switch for $215.. Very home budget friendly:
https://store.ubnt.com/unifi/unifi-switch-24.html

Do what you want, just suggesting that if you have migrated to pfSense from SOHO routers.. Why not design/set up your network so that you can leverage the features that pfSense brings to the table, etc. Once you want to start segmenting your networks, it's time to migrate to at least entry level smart switches that can handle segmentation via VLANs.


amt1989:

I appreciate the help with trying to redesign my network, but for now it is ok, I don't want to or plan to redesign anything any time soon.
Yes, I know that this setup is not ideal in any world, but it has evolved and been added to over a few years.

I have wanted to use pfSense for a while because of just doing it.

    "this setup I have here has worked fine as it is with port forwarding and everything I need it to with consumer grade routers"

    How so - you seem to be here on pfSense asking questions.. So not sure I would agree that all is fine ;)

When your router physically fails 1 week before Christmas there aren't many options. So I thought that I would give pfSense a go...
It was either that or order another one of the same, or even a Ubiquiti ER Lite (all of my APs are Ubiquiti).

With my previous router, an Asus RT-AC87U, my network setup was the same as this. Port forwarding working fine, VPN server, dual WAN failover, dynamic DNS.

But as with anything, budget is always a problem, especially this close to Christmas. I did not have another £180 to spend on a router. I already had a PC and a dual NIC available.

So please, I am just asking for help with forwarding the ports through WAN1 correctly.

Later on today I will amend the WAN1 upstream router back to bridge and change the WAN1 mode to DHCP.

amt1989:

Update, I have now changed things.

Upstream:
WAN1: ISP is now in bridge mode, directly connected to pfSense, and pfSense is set to DHCP on WAN1.
WAN2: changed the upstream router, now set to 10.10.1.1/24.

pfSense is now set to 192.168.1.1/24.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.