Can't do a basic port forward
-
When I go to https://canyouseeme.org/ it has my IP address as 121.x.x.x instead of what it actually is, 100.x.x.x.
I tried checking port 3389 there, which didn't work. I can't change the IP to my correct IP. Does the fact that it's populating 121.x.x.x mean something else is wrong?
My ISP insists you simply connect any router with DHCP and it'll auto-configure; I don't have to do any custom configuration or anything. I don't have a modem or anything like that, it's ethernet into an NTU, which goes into fiber.
-
That website canyouseeme.org gets your source IP automatically; I guess that is the problem and the reason you don't see any hits in the firewall rule or the packet capture.
You can check that through other sites: just type "what is my IP address" into Google and you will be able to confirm that.
That is kind of strange, because you should be seeing your pfSense WAN IP address there.
-
I've gone to: https://www.yougetsignal.com
It too has the 'other' IP address, but I changed it to my WAN IP and tried again on 3389; it says it's closed :/
-
I'm just reading my ISP uses CGNAT by default, I'm still reading, but I wonder if that could be the issue.
-
It's because somehow you have another router there, with that 121.x.x.x, in which you should configure that port forward as well.
Could that be the ISP modem? If that is the case, have you tried to configure it in bridge mode?
In case you can't, try to access it and set up the port forward there as well.
-
@Glaz0n4 Yes, that is the problem, CGNAT sucks
-
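As an added example, not from the thread, the check below (POSIX sh, so it runs in the pfSense shell) classifies the WAN address and compares it with what an external "what is my IP" site reports, which is exactly the mismatch discussed above; the WAN interface name and the lookup site are assumptions about the poster's setup, and the sample addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the pfSense WAN address and
# compares it with the address an external "what is my IP" site reports, so
# the double-NAT / CGNAT situation described above can be spotted before
# testing a port forward.

# 0 if the dotted quad is in 100.64.0.0/10, the RFC 6598 shared address
# space that ISPs use behind carrier-grade NAT (the 100.x.x.x seen above).
is_cgnat_addr() {
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    [ "$o1" -eq 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# 0 if the dotted quad is RFC 1918 private space (10/8, 172.16/12, 192.168/16),
# which on a WAN interface means a second NAT router sits upstream.
is_private_addr() {
    o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
    [ "$o1" -eq 10 ] ||
    { [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ]; } ||
    { [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ]; }
}

# diagnose_wan WAN_ADDR OBSERVED_ADDR
# Returns 0 when an inbound port forward on pfSense can be tested directly,
# 1 when something upstream will swallow the inbound connection first.
diagnose_wan() {
    wan=$1; seen=$2
    if is_cgnat_addr "$wan"; then
        echo "WAN $wan is in 100.64.0.0/10: ISP CGNAT; inbound to $seen never reaches pfSense"
        return 1
    elif is_private_addr "$wan"; then
        echo "WAN $wan is RFC 1918: another router upstream; forward the port there too or bridge it"
        return 1
    elif [ "$wan" != "$seen" ]; then
        echo "WAN $wan is public but the outside sees $seen: some other upstream NAT or proxy"
        return 1
    fi
    echo "WAN $wan matches the externally observed $seen: test the forward directly"
    return 0
}

# Constructed sample values (not the poster's real addresses). On a live
# pfSense box, WAN_ADDR would come from 'ifconfig <wan-if>' and OBSERVED_ADDR
# from an external lookup site; both are assumptions about that setup.
diagnose_wan 100.70.1.2 203.0.113.5 || echo "-> ask the ISP to opt out of CGNAT, or use an outbound VPN as the thread suggests"
```
-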
Ah sweet, thanks :)
Apparently you can get them to disable it.
I wonder if it's cost cutting or something, they are actually a really good ISP.
My 'regular' wifi/router device worked fine.
Thanks for your help again, really appreciate the fast response.
-
@Glaz0n4 You are welcome :)
-
If your ISP gets you a good IPv6, you can try to build a VPN tunnel, and then you can route your private IPv4 through it.
-
@Glaz0n4
You mention this in your description:
"I know using a VPN is a better way to do this, however I just want to get this working first."
RDP is no longer explicitly recommended, just an example:
https://www.welivesecurity.com/2019/12/17/bluekeep-time-disconnect-rdp-internet/
-
Thanks for the heads up.
I got this working earlier today and could connect over 3389 directly. I then deleted the rule. I plan on doing this via a VPN and will set that up when I have some time. OpenVPN seems a good way to do this. I'm about to start a job in security, so I bought this device to learn more about networking and security. So it'll be a fun learning experiment!
-
OpenVPN is a completely good choice.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/openvpn-remote-access-server.html
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/using-the-openvpn-client-export-package.html
In the meantime, these can also be good temporarily:
https://www.teamviewer.com/ - free version
https://anydesk.com/en - free version
@Glaz0n4
"So it'll be a fun learning experiment!"
-
Hello!
I have similar problems with CGNAT at a couple of sites, but am able to get by with them running the client side of a site-to-site OpenVPN connection. This might not always be possible, so I was looking for other solutions.
I noticed that pfSense has a tinc package. It might be worthwhile looking into that and a MITM VPS as a way to address the CGNAT and secure remote admin issues.
Something like this:
https://ideaman924.com/2020/02/10/using-tinc-to-get-around-double-nat/
John
-
I was able to be removed from CGNAT at no cost, so went that way :)