WAN stop accepting traffic when LAN port disconnected

serbus

Hello!

I am new to pfsense. After evaluating the firewall on an old PC, I decided to move forward with a more router friendly form factor. I purchased a protectli FW4B and installed the latest pfsense [2.4.4-RELEASE-p3 (amd64) ] without issues.
I am testing the build on my internal private network.
The pfsense WAN IP is 10.12.12.213 and LAN is the default (192.168.1.1/24)
I connected a laptop to the LAN port on the FW4B and performed the initial config in the WebConfigurator.
I disabled the "Block private networks and loopback addresses" on the Interfaces -> WAN page so I could access the unit "externally".
I created a NAT/rule to forward/permit HTTPS on the WAN IP to the LAN IP (192.168.1.1).
I can access the admin interface from the WAN with no issues. All is well.
The problem...
When I disconnect the network cable to my laptop, which is connected to the LAN port, I can no longer access the FW4B from the WAN port. All access to the device on the WAN port stops.
When I plug the laptop cable back into the LAN port, the WAN access starts working again.
I tried assigning the LAN port to igb2 or igb3 but it did not change the behaviour.
The logs in var/log do not show any obvious reasons why the traffic to the WAN would stop whe nthe LAN is unplugged.
Ideas?

Thanks!

John

viragomann

When you pull the plug the interface goes down. So the Interface IP is not available anymore.

If you want to access the web configurator from the internet set up a VPN server on pfSense. So you‘d be able to access the GUI by the virtual VPN servers IP.

johnpoz

@serbus said in WAN stop accepting traffic when LAN port disconnected:

so I could access the unit "externally".

You mean from your own network? This 10.12.12 network.. If so just allow webgui port to your wan address and access it via that.. There is little reason to port forward it to your lan IP.

serbus

Hello!

I removed the NAT and just setup a rule as you suggested, and it worked even when I pulled the LAN connection. It didnt occur to me that NAT/routing would stop working when the LAN interface went down. Doh!
I was trying to use NAT to obscure the admin port on the WAN, but you are correct that the proper way to admin remotely is via a VPN. I will tackle that next.

Thanks for your help!

John

johnpoz

@serbus said in WAN stop accepting traffic when LAN port disconnected:

obscure

That is pointless. It does nothing other than make your setup more complex and more likely to make mistakes and be less secure.