Route a wan ip to a lan ip



  • Hi, I'm new to pfSense and I have a problem. My internet provider gave me 3 public IPs assigned to specific IPs (17.2, 17.3, 17.4). I have tried to redirect one IP to the IP of the LAN, but I have not succeeded. I leave a small diagram of the network so that it is better understood.



  • https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Since your WAN is in private IP space, make sure you uncheck the Block private networks on WAN (Interfaces - WAN) or it will reject your incoming traffic.



  • @KOM:

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Since your WAN is in private IP space, make sure you uncheck the Block private networks on WAN (Interfaces - WAN) or it will reject your incoming traffic.

    Thanks for your answer. I have no problems with the incoming traffic; actually my pfSense works correctly. What I need is to redirect 192.168.17.2 to a PC on the LAN, 192.168.7.10, so that the public IP points to that machine.



  • I understand, too, that your "redirect" equals port forwarding.

    Your WAN IP is another number compared to the 3 "Internet" IPs. Why is that ..17.7 ?

    Post a screenshot of Status/Interfaces, so we can verify our understanding of your situation.

    I have no problems with the incoming traffic, actually my pfsense works correctly

    You mean you can browse from ..7.10 in the Internet ?



  • @hda:

    I understand, too, that your "redirect" equals port forwarding.

    Your WAN IP is another number compared to the 3 "Internet" IPs. Why is that ..17.7 ?

    Post a screenshot of Status/Interfaces, so we can verify our understanding of your situation.

    I have no problems with the incoming traffic, actually my pfsense works correctly

    You mean you can browse from ..7.10 in the Internet ?


    My subnet without pfSense is 192.168.17.xx, and the IPs (192.168.17.2, 192.168.17.3, 192.168.17.4) each have a public IP. I can't change anything in this subnet, because only the provider can do that, so I need to forward those IPs to some IPs on the pfSense LAN.



  • I have no problems with the incoming traffic

    I'm talking specifically about unsolicited incoming traffic, not return traffic from your outbound requests.  Unsolicited private IP traffic is blocked from WAN unless you uncheck that box I mentioned earlier.

    It should be no problem to create a port forward from your WAN to LAN.  Do you have a system on the 192.168.17 network to test your port forward with?



  • I think he is wanting a full DMZ host

    No firewall, NAT, DNS, etc. for one single host on his internal private network.

    Indeed firewall rules are what you want to achieve this

    https://doc.pfsense.org/index.php/Example_basic_configuration#DMZ_Configuration



  • @Cheetohz:

    I have no problems with the incoming traffic

    I think he is wanting a full DMZ host

    No firewall, NAT, DNS, etc. for one single host on his internal private network.

    Indeed firewall rules are what you want to achieve this

    https://doc.pfsense.org/index.php/Example_basic_configuration#DMZ_Configuration

    No, I don't want a DMZ.

    @KOM:

    I have no problems with the incoming traffic

    I'm talking specifically about unsolicited incoming traffic, not return traffic from your outbound requests.  Unsolicited private IP traffic is blocked from WAN unless you uncheck that box I mentioned earlier.

    It should be no problem to create a port forward from your WAN to LAN.  Do you have a system on the 192.168.17 network to test your port forward with?

    A system? I don't understand you. You mean whether I have a router or something similar, to look at the forwarded ports? No, I don't manage anything on that network; that is the reason I want to use pfSense.



  • I was asking because you appear to have a double-NAT situation going on, and your problem may have more to do with your ISP not forwarding your traffic.  I wanted to see if you could check your port forward from in front of your pfSense, not your ISP.



  • @KOM:

    I was asking because you appear to have a double-NAT situation going on, and your problem may have more to do with your ISP not forwarding your traffic.  I wanted to see if you could check your port forward from in front of your pfSense, not your ISP.

    More simply: if you had my situation, how would you forward that IP to an IP in the pfSense subnet? My ISP is fine; at this moment I have 2 machines connected directly to the ISP with reserved IPs (17.2 and 17.4), and the 2 public IPs are correctly forwarded to those machines, so I need to forward 17.3 to a machine on the pfSense LAN.



  • Well, like I said earlier it's easy to port forward in pfSense and it just works.  If you can't get it working, post screenshots of your NAT port forward rules and WAN firewall rules.



  • @KOM:

    Well, like I said earlier it's easy to port forward in pfSense and it just works.  If you can't get it working, post screenshots of your NAT port forward rules and WAN firewall rules.


    In the firewall I don't have any configuration.



  • OK I suspect the problem here is that you're trying to forward port 80 when you have pfSense WebGUI listening on that same port.  Are you running WebGUI in HTTP mode or HTTPS?  If I'm correct then there are two ways to fix this:

    • Use a Virtual IP with one of the IPs your ISP assigned you and then use that Virtual IP as the Destination Address in your firewall rule.

    • Change your WebGUI through the System options from port 80 to a different port, or switch to HTTPS mode.



  • @KOM:

    OK I suspect the problem here is that you're trying to forward port 80 when you have pfSense WebGUI listening on that same port.  Are you running WebGUI in HTTP mode or HTTPS?  If I'm correct then there are two ways to fix this:

    • Use a Virtual IP with one of the IPs your ISP assigned you and then use that Virtual IP as the Destination Address in your firewall rule.

    • Change your WebGUI through the System options from port 80 to a different port, or switch to HTTPS mode.

    This is my configuration



  • OK WebGUI is listening on port 80 so you can't forward that port directly from WAN.  You need to do one of my two suggestions.



  • I did this, but it doesn't work. I think I need to do another thing, but I'm not sure.



  • How exactly are you doing your testing to see if it works or not?



  • @KOM:

    How exactly are you doing your testing to see if it works or not?

    On the PC (7.10) I have a web page in IIS. When I connect that machine directly to the ISP subnet with IP (192.168.17.3) and test from another network, I put the public IP in a browser and it works. But when I return it to the pfSense LAN and change the IP (7.10), I do the same process but it doesn't work.



  • Here are two screens that show a port forward defined and WAN rules to allow the traffic.  Note that the aliases such as WWW, cloud point to private IP addresses, not public.





  • Rebel Alliance Global Moderator

    "directly in subnet of the ISP with ip (192.168.17.3)"

    Dude can you do a simple sniff on your pfsense wan… Then go to canyouseeme.org and test to port 80... Do you see the traffic to 80??




  • @KOM:

    Here are two screens that show a port forward defined and WAN rules to allow the traffic.  Note that the aliases such as WWW, cloud point to private IP addresses, not public.

    Are WWW and cloud IPs in your pfSense LAN?

    @johnpoz:

    "directly in subnet of the ISP with ip (192.168.17.3)"

    Dude can you do a simple sniff on your pfsense wan… Then go to canyouseeme.org and test to port 80... Do you see the traffic to 80??

    That page shows me this: Error: I could not see your service on x.x.x.211 on port (80)
    Reason: Connection timed out

    But I discovered something: the public IP that it shows me is correct, the one assigned to 192.168.17.3.



  • Are WWW and cloud IPs in your pfSense LAN?

    It's a DMZ, but yes it's a LAN.


  • Rebel Alliance Global Moderator

    "That page shows me this: Error: I could not see your service on x.x.x.211 on port (80)"

    Ok did you sniff on your wan while you were doing this???  Did you see the packets get to your wan?? Like I showed you in my pic??  If yes, then you have something wrong in pfsense configuration, or something on client behind pfsense.

    If you did not see these packets then there is nothing you can do in pfsense to make it work.. Pfsense can only forward traffic that gets to it.. If it doesn't get there then pfsense can not forward it..

    Also since you're behind a NAT and using a rfc1918 address, your isp is forwarding this traffic to a rfc1918 address you have on your wan.  You have to make sure you uncheck the block rfc1918 network rule on your wan interface.. Or no matter how many forwards you setup it will not work because that rule would block that traffic since it's inbound to your wan via dest rfc1918 address.
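
The WAN-side check described in the post above, as an added example that is not part of the original thread: it reads `tcpdump -n` text output captured on the pfSense WAN during an outside port test and reports whether the SYN reached the WAN at all and whether a SYN-ACK went back out. The function name `diagnose`, the result labels and the sample captures are assumptions made for illustration; 192.168.17.3 and port 80 are the values discussed in the thread.

```python
import re

# One line of `tcpdump -n` text output for an IPv4 TCP packet.
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def diagnose(capture, wan_ip, port):
    """Classify a WAN-side capture of one port-forward test."""
    syn_in, answered = set(), set()   # keyed by (client ip, client port)
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        if (m["dst"], m["dport"], m["flags"]) == (wan_ip, str(port), "S"):
            syn_in.add((m["src"], m["sport"]))
        elif (m["src"], m["sport"], m["flags"]) == (wan_ip, str(port), "S."):
            answered.add((m["dst"], m["dport"]))
    if not syn_in:
        return "no-traffic-at-wan"        # nothing reached pfSense to forward
    if syn_in & answered:
        return "forward-answering"        # SYN-ACK left the WAN for the tester
    return "arrives-but-unanswered"       # check WAN rules, NAT, target host

# Constructed sample captures (203.0.113.50 is a documentation address).
UNANSWERED = """\
12:01:02.100000 IP 203.0.113.50.51514 > 192.168.17.3.80: Flags [S], seq 1000, win 64240, length 0
12:01:03.100000 IP 203.0.113.50.51514 > 192.168.17.3.80: Flags [S], seq 1000, win 64240, length 0
"""
ANSWERED = UNANSWERED + """\
12:01:03.101000 IP 192.168.17.3.80 > 203.0.113.50.51514: Flags [S.], seq 2000, ack 1001, win 65535, length 0
"""
OTHER_PORT = """\
12:01:02.100000 IP 203.0.113.50.51600 > 192.168.17.3.443: Flags [S], seq 1, win 64240, length 0
"""

if __name__ == "__main__":
    for name, cap in [("unanswered", UNANSWERED), ("answered", ANSWERED),
                      ("other port", OTHER_PORT)]:
        print(name, "->", diagnose(cap, "192.168.17.3", 80))
```

A result of `no-traffic-at-wan` corresponds to the case where nothing in pfSense can help, and `arrives-but-unanswered` points at the WAN rules (including the block private networks option), the NAT rule or the host behind pfSense.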



  • I tried a lot of configurations and it didn't work; then after lunch time I tested again and it works -.- Does it take time to apply the settings? Now I do not know what the solution was.



  • No idea what you have done but I am glad it's working for you now.



  • @KOM:

    No idea what you have done but I am glad it's working for you now.

    I found what was wrong; let me explain. In my ISP subnet I have 2 gateways (one with 100mbps, and the other 3mbps); only the gateway with 3mbps has the public IP. I put that gateway in the WAN configuration, but this didn't work; I had to set the gateway as default in the routing section. So, can you explain to me the difference between putting the gateway in the WAN configuration and in the routing section?

    PS: thanks for all your help



  • in my ISP subnet I have 2 gateways

    This would have been good to know right from the start.

    can you explain to me the difference between putting the gateway in the WAN configuration and in the routing section?

    We don't know what you have done, but each WAN needs a default gateway.  You either pick one of the two, or create a gateway group with the two and weight them accordingly.

    https://doc.pfsense.org/index.php/Multi-WAN



  • @KOM:

    in my ISP subnet I have 2 gateways

    This would have been good to know right from the start.

    can you explain to me the difference between putting the gateway in the WAN configuration and in the routing section?

    We don't know what you have done, but each WAN needs a default gateway.  You either pick one of the two, or create a gateway group with the two and weight them accordingly.

    https://doc.pfsense.org/index.php/Multi-WAN

    Well thanks for your help, now this post can be closed


Locked