Forwarding ports from WAN interface to LAN interface
Hey Everyone! I'm new to pfsense, but the need to migrate arose after my older DDWRT router @ 480mhz couldn't effectively route more than 115mbps. Pfsense was able to solve my routing problems and I'm getting a solid 345mbps with no issues. Loving pfsense so far!
Working towards completing the migration, my next step is to set up appropriate port forwards within pfsense, but I ran into issues with the NAT and firewall rules.
Here's how my network is set up:
- CABLE MODEM
- PFSENSE (WAN Interface IP: 192.168.0.2)
I'm having a bear of a time getting any NAT/firewall rules to work, so I'm simplifying my effort to just RDP to see if I can make that work.
**GOAL: I have a system (192.168.0.10) that needs to pass through the PFSENSE firewall and access 192.168.1.8 on my internal network. **
First, I make sure RDP is listening on the target machine and did a remote test from another system on the local lan. Works fine.
Second I go into pfsense, I set up the NAT:
Which automatically creates the following firewall rule.
I apply the changes and try telnet on port 3389 from my source to the WAN IP of pfsense.
It fails so I check the logs… it looks like the firewall is blocking it even though it created the associated rule with the NAT.
I then try to set up an easy rule to pass the traffic by clicking the plus sign on the logs page. I understand this only sets up a rule for 192.168.0.10, but I'm desperate!
I apply the rules and the firewall rules for the WAN now look like this.
I tried the telnet again on port 3389 and still not passing as it is still getting rejected by the firewall.
I'm officially out of ideas troublshooting this after spending hours reading and watching pfsense howto videos.
Thanks for taking the time to read through this, and I appreciate any help that you may be able to provide. I'm sure it's something simple I'm overlooking.. I'm just not familiar enough to see it!
Do you have unchecked "block private networks" in the WAN interface setting?
For troubleshooting it's better to display the respective firewall rule in the logs. Status > Logs > Settings > "Where to show rule descriptions" > "Display as column".
Your source is clearly rfc1918 so yeah its going to be blocked because you have blocked private which is first rule in your list..
192.168.0.10 is a private address.. Disable the default rfc1918 rule and then your port forward will work.
You were both right on the money and after disabling the default rfc1918 rule I'm up and running. Thanks!