Forward IP from WAN to internal LAN



  • By the wording to follow you'll probably guess that I'm a noob here.
    I have a bit of a weird setup and need some advice on how to get the firewall set up.
    We use a community network which is on 192.168.x.x. I have been given an external IP 194.91.x.x which is mapped to an address in the 192.168.x.x network. I am trying to set up an internal network in the house using 10.1.x.x.
    So I have the WAN set up using the 192.168.x.x addresses and the LAN using the 10.1.x.x addresses.
    When I set up my machine using the 192.168.x.x static address that is getting the 194.91.x.x address, everything works fine as I am connecting it directly using the network card of the WAN.
    However, when I change that over to the LAN address 10.1.x.x then the traffic does not reach the machine. I have set up a virtual IP using the 192.168.x.x address that I set up a NAT to do the port forwarding using an associate rule or pass; neither seems to be working. I seem to be missing something when setting up the forwarding.
    Anyone with ideas on what I should be checking or reading up on would be greatly appreciated.


  • LAYER 8 Global Moderator

    Why are you hiding your 192.168 address?

    So let me get this right.  Your pfsense wan is 192.168.1.100, let's call it, and this network you're on has a 1:1 nat pointing 194.91.x.x to this IP.. So from the public internet I hit http://194.91.x.x and your 192.168.1.100 sees it.  Is that correct?

    And now behind pfsense you want to use a 10.1.0/24 network with a host being say 10.1.0.42..

    So forward port 80 on pfsense wan to 10.1.0.42

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    This is no different than being behind a double nat of your own making.



  • Exactly the setup. The public IP forwards to 192.168.1.100. This is my static IP I have set up as a virtual IP as my IP on the LAN is 10.1.0.42.
    I have tried the port forwarding and I'm not even seeing the traffic come in when I look at the Firewall logs.
    So I may be missing something else I still have not read up about.


  • LAYER 8 Global Moderator

    So if you're not seeing the traffic on pfsense wan, it is impossible for it to forward now isn't it ;)

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    Port forwarding is really clickity clickity done.  Troubleshooting what you missed or what you did wrong should take you all of 30 seconds.  If the packets are not hitting pfsense wan, then look upstream.  If they are on your wan, validate your forward is correct.  If your forward is correct, validate that your target machine is not blocking, etc.

    "This is my static IP I have setup as a virtual IP as my IP on the LAN is 10.1.0.42"

    Sorry but this sounds like you're doing something wrong…  It would go like this - not sure what you mean by VIP??

    internet --- isp --- 192.168.1/24 --- 192.168.1.100 <wan>pfsense <lan>10.1.0.1 ---- 10.1.0.42 PC

    What do you mean you set up a VIP??



  • Virtual IPs are only needed if you have more than one public address (although you can create VIPs for LAN addresses, this is unusual) and you want pfSense to control them all.  If you just have the one WAN IP address then you don't need a VIP.



  • I will have to try later again.
    I do see some traffic hitting the firewall; the problem is that everything is being blocked.
    What I do see is that the ports being used in the request are not :80 but some random number.


  • LAYER 8 Global Moderator

    If you're seeing traffic to your wan with a dest of some random number, it's prob just noise.

    I would suggest you use something like canyouseeme.org and test say port 80.. You should then see this traffic on your wan.  diag packet capture will validate that.

    As KOM points out, use of VIP would be say if your ISP gave you multiple IPs to use.  On the LAN there really would never be a reason to set up a VIP, especially in a different network; this would amount to trying to run multiple layer 3 on the same layer 2, which is a Borked config.

    If what you're saying is that your isp gave you a rfc1918 address of say 192.168.1.100 and they forward all traffic to that public address to this IP.  You just need to set up pfsense wan IP with that IP, and point to the gateway they gave you.  Then forward whatever ports you want to the network you're using behind pfsense on its lan, it could be a 10 network or a 172.16-31 network or even a different 192.168 network.

    This really should work out of the box with very min config.  Set your wan IP, set your lan IP and big bang zoom bob's your uncle.
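
The troubleshooting order given in the replies above (does the SYN reach the pfSense WAN, does it show up on the LAN toward the target, does the target answer), as an added example that is not part of the original thread. It reads `tcpdump -n` style text from a WAN and a LAN capture; the function names are hypothetical, the capture lines are constructed, and 192.168.1.100 / 10.1.0.42 are the example addresses used in the thread.

```python
import re

# One TCP line of `tcpdump -n` text output:
#   <time> IP <src>.<sport> > <dst>.<dport>: Flags [<flags>], ...
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]+)\]")

def packets(capture):
    """Yield (src, sport, dst, dport, flags) for each parsable line."""
    for line in capture.splitlines():
        m = LINE.search(line)
        if m:
            src, sport, dst, dport, flags = m.groups()
            yield src, int(sport), dst, int(dport), flags

def seen(capture, flags, src=None, sport=None, dst=None, dport=None):
    """True if a packet has exactly these TCP flags and matches every given field."""
    for s, sp, d, dp, f in packets(capture):
        if (f == flags and src in (None, s) and sport in (None, sp)
                and dst in (None, d) and dport in (None, dp)):
            return True
    return False

def triage(wan_cap, lan_cap, wan_ip, target_ip, port):
    """Return the first stage that fails: upstream, forward, target, or ok."""
    if not seen(wan_cap, "S", dst=wan_ip, dport=port):
        return "upstream"  # SYN never reached the WAN: look at the 1:1 NAT side
    if not seen(lan_cap, "S", dst=target_ip, dport=port):
        return "forward"   # on the WAN but not on the LAN: check port forward and rule
    if not seen(lan_cap, "S.", src=target_ip, sport=port):
        return "target"    # delivered but no SYN-ACK: host firewall or service
    return "ok"

# Constructed sample captures. 203.0.113.7 and 198.51.100.9 are
# documentation-range stand-ins for clients on the Internet.
NOISE = "12:00:00.100000 IP 198.51.100.9.40000 > 192.168.1.100.23456: Flags [S], seq 1, length 0\n"
WAN = NOISE + "12:00:01.100000 IP 203.0.113.7.51514 > 192.168.1.100.80: Flags [S], seq 9, length 0\n"
LAN_SYN = "12:00:01.200000 IP 203.0.113.7.51514 > 10.1.0.42.80: Flags [S], seq 9, length 0\n"
LAN_OK = LAN_SYN + "12:00:01.300000 IP 10.1.0.42.80 > 203.0.113.7.51514: Flags [S.], seq 5, ack 10, length 0\n"

if __name__ == "__main__":
    cases = [("noise only", NOISE, ""), ("no forward", WAN, ""),
             ("host silent", WAN, LAN_SYN), ("working", WAN, LAN_OK)]
    for label, wan, lan in cases:
        print(label, "->", triage(wan, lan, "192.168.1.100", "10.1.0.42", 80))
```

A SYN to a random destination port, as in the `NOISE` line, does not count as the test traffic, so that capture still reports `upstream` for port 80.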

