Firewalling with 2 LAN IF
-
Hint: what subnet do you have on the OPT1-interface? (it's NOT the lan-subnet) ;)
Could you show a screenshot of your NAT-rule and the corresponding firewall rule?
-
Hint: what subnet do you have on the OPT1-interface? (it's NOT the lan-subnet) ;)
OMG... I thought "LAN subnet" meant the LAN subnet of the interface's IP address. So you see, thinking too much is sometimes a bad idea... (but only sometimes)
Could you show a screenshot of your NAT-rule and the corresponding firewall rule?
For the 8080 to 80 port "issue"? For a real screenshot you have to wait until tomorrow evening... (I'm not in the mood to start up Vista right now, and I'm still a "beginning beginner" with GIMP)
BTW: I have only one port forward rule... maybe because I use "Automatic outbound NAT rule generation (IPsec passthrough)" (checkbox is on)
WAN TCP 8080 192.168.62.254 (ext.: 77.47.40.227) 80 (HTTP)
That's all.
ciao gerd
-
Hey, it's easy, you mixed two things.
NAT is first, rules apply for the translated ports, and:
What is the source port of your office PC as seen by pfSense when it tries to access it? It's originating from a NATting firewall as well, isn't it?
-
For the 8080 to 80 port "issue"? For a real screenshot you have to wait until tomorrow evening... (I'm not in the mood to start up Vista right now, and I'm still a "beginning beginner" with GIMP)
BTW: I have only one port forward rule... maybe because I use "Automatic outbound NAT rule generation (IPsec passthrough)" (checkbox is on)
WAN TCP 8080 192.168.62.254 (ext.: 77.47.40.227) 80 (HTTP)
For the NAT rule this looks good.
Now the firewall has to look something like:
Sourceport: any
SourceIP: any
Destinationport: 80
DestinationIP: 192.168.62.254
-
Sorry for the delay, here are the screenshots.
1st entry is regular forwarding from WAN port 80 to Linux server port 80 (this works)
2nd is a port forward from 8080 on the WAN IF to port 80 on the IP of the pfSense box
Or is it possible that HTTP listens on port 80 and 8080?
-
2nd is a port forward from 8080 on the WAN IF to port 80 on the IP of the pfSense box
Or is it possible that HTTP listens on port 80 and 8080?
If you absolutely need your firewall accessible from WAN I'd prefer using HTTPS.
Set your pfSense to listen to HTTPS on 443 or any other port specified and forward/allow accordingly.
You can do so from the System: General Setup tab.
-
Hmmm, this is difficult... because I use port 443 TCP for OpenVPN (port 443 is the only one which is accessible from inside our company to outside, except 80 and 8080).
So 80 is used for my Linux server and 443 for OpenVPN => 8080 is the only option.
An option would be (maybe) to run the webserver on pfSense on port 8080, but then my Nagios complains about a missing service :-)
ciao gerd
-
Is your firewall located outside your company???
The port doesn't matter from within and you can NAT ext:8080 to int:443 anyway.
-
:-) The firewall here is inside (they use something else); I'm talking about my firewall at home.
The point is that if I want to connect to my LAN @ home I have to use port 443, because I'm not working for IT here :-) so I can't change it here (I'm a "normal" user inside our company).
OK, you are right with NAT, but that's exactly what I'm trying right now => I'm NATting port ext:8080 to int:80 and this does not work (I get a timeout, and telnetting from outside to port 8080 also gives me a timeout).
ciao gerd
-
;-) Don't know why I should need to access my firewall at home while at work, but anyway…
How do you access your firewall when local? HTTP or HTTPS?
What's given at System: General Setup?
webGUI protocol: HTTP / HTTPS
webGUI port: Enter a custom port number for the webGUI above if you want to override the default (80 for HTTP, 443 for HTTPS). Changes will take effect immediately after save.
You have to use the same port to NAT to from external.
-
The reason why I want to have access to my home is... sometimes I'm out of the country, and when my wife and kids have a problem with a computer it's easier for me to fix it....
Yes, HTTP is running on port 80 on the pfSense box.
I made a port forward from port 8080 on WAN to 80 on the pfSense box.
Other port forwards to my server are working....
ciao gerd
-
If you can connect to your network via OpenVPN already why do you need WAN access to your firewall?
Can't you do this through the tunnel then, using the local LAN IP and HTTP port?
Anyway, that's your personal choice and you will have reasons for it.
Your rules look fine and I can only guess what's holding you from a successful connect.
Might be that an unencrypted connection is not supported (blocked) by pfSense for security reasons.
I would watch the logs (enable logging for that rule!) and try setting up the GUI for HTTPS, changing the rules accordingly.
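As an added illustration of the two points made in this thread (NAT is applied first, so the allow rule must match the translated destination port, and logging on that rule is the quickest way to see whether packets arrive at all), here is a hand-written pf ruleset fragment. It is not the ruleset pfSense generates and not the poster's configuration; it assumes the WAN interface is named em0 and reuses the addresses quoted in the thread (77.47.40.227 on WAN, 192.168.62.254 as the pfSense LAN address). The commented-out pass rule is the mistaken form that matches the pre-translation port and therefore never fires; the active one is the working form. The final pair covers the alternative suggested above, reaching an HTTPS webGUI on 443 from external 8080.

```pf
# Added example in pf syntax (hand-written, not pfSense-generated output).
# Assumptions: WAN interface is em0; addresses are the ones quoted in the thread.
ext_if      = "em0"
wan_ip      = "77.47.40.227"
pfsense_lan = "192.168.62.254"

# 1) Translation is evaluated before filtering: a packet arriving for
#    $wan_ip:8080 is rewritten to $pfsense_lan:80 before any pass/block rule
#    sees it.
rdr on $ext_if proto tcp from any to $wan_ip port 8080 -> $pfsense_lan port 80

# 2a) WRONG: written against the untranslated port. By the time the filter
#     evaluates this packet its destination is already $pfsense_lan:80, so the
#     rule never matches, the default block wins and the client times out.
# pass in on $ext_if proto tcp from any to $wan_ip port 8080 keep state

# 2b) RIGHT: match the translated destination (what the thread calls
#     "Destinationport: 80 / DestinationIP: 192.168.62.254"). "log" records
#     every match, so an empty log means the packet never reached this rule.
pass in log on $ext_if proto tcp from any to $pfsense_lan port 80 flags S/SA keep state

# Variant discussed later in the thread: webGUI switched to HTTPS on 443
# (System: General Setup), still reached from outside on 8080. Assumes nothing
# else on the pfSense box is bound to 443 on its LAN address.
# rdr on $ext_if proto tcp from any to $wan_ip port 8080 -> $pfsense_lan port 443
# pass in log on $ext_if proto tcp from any to $pfsense_lan port 443 flags S/SA keep state
```

In the pfSense GUI the same relationship holds: the port forward entry corresponds to the rdr line, and the firewall rule on WAN must name the internal address and the internal (post-NAT) port, with logging enabled on that rule while troubleshooting.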