Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    LAN cannot access WAN public IP

    Scheduled Pinned Locked Moved NAT
    14 Posts 3 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      rjsantiago21
      last edited by

      Hi All,

      I can ping my WAN public IP both in WLAN and LAN, but I cannot access it using browser. But outside LAN and WLAN, I can access my public IP.

      1 Reply Last reply Reply Quote 0
      • H
        hungkh
        last edited by

        Was you config outbound NAT?
        Firewall -> NAT -> Outbound -> Check "Automatic outbound NAT rule generation (IPsec passthrough included)"

        1 Reply Last reply Reply Quote 0
        • R
          rjsantiago21
          last edited by

          Configuration is manual outbound NAT (AON). I can use it before but when I restore the configuration I cannot access my WAN IP.

          I try all NAT settings. Can you help me enumerate your settings.

          1 Reply Last reply Reply Quote 0
          • R
            rjsantiago21
            last edited by

            I set it to automatic and why still no luck at all. And no gateways to my LAN and WLAN

            1 Reply Last reply Reply Quote 0
            • R
              rjsantiago21
              last edited by

              I know this problem was brought up by others before. When I have a problem with my pfsense box I messed up and restore the old backup config file. After restoration my pfsense went back at normal but this issue still cannot resolve. I already done all. Please see attached image files.

              PFSense2.png
              PFSense2.png_thumb
              PFSense1.png
              PFSense1.png_thumb

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                can access your wan public IP from outside?

                Please post your firewall rules.. Wan, lan and your wlan - you say you can ping your wan IP.. But you can not access the web gui?  Is that what you mean by access?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • R
                  rjsantiago21
                  last edited by

                  I can access my WAN outside. Yes i can ping my WAN IP inside but i cannot access its web GUI.

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    So please post your rules for your wan and your lan side interfaces.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • R
                      rjsantiago21
                      last edited by

                      Please see attached image file. I even tried to set the rules to "any" "any" as shown in image but still no luck.

                      PFSense3.png
                      PFSense3.png_thumb
                      PFSense4.png
                      PFSense4.png_thumb

                      1 Reply Last reply Reply Quote 0
                      • R
                        rjsantiago21
                        last edited by

                        Kindly check the diagnostic status states that shown in image.

                        PFSense5.png
                        PFSense5.png_thumb

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by

                          you have a ANY ANY Rule on the top of your wan rules - so NO shit you can access your web gui from internet ;)

                          And then you have an any any rule on the top of your LAN right underneath the antilockout… So all of those rules below are completely utterly pointless!!

                          What rules do you have in floating?  And what is your outbound nat?

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • R
                            rjsantiago21
                            last edited by

                            Thank you for your response. This issue is now solved. Important rule in not port forwarding. We should enable the NAT reflection. It's my fault because I focus on outbound NAT.

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              "We should enable the NAT reflection"

                              No not really… Its an abomination if you ask me!  There is like zero reason other than bad design or laziness that nat reflection should be needed.. You have a server on the local network serving up some service..  Why in the world should not just resolve whatever FQDN you want to use to the local IP, so you do not have to be reflected back..

                              Now if whatever your using is hard coded to this public IP - then ok, but that is just bad design...

                              You want to use something.publicdomain.tld that resolves to public IP (your wan) then just create a host override so something.publicdomain.tld resolves to the rfc1918 address and never has to be reflected back in..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • R
                                rjsantiago21
                                last edited by

                                Hi there,

                                Here I am again, one of my remote site with the same scenario. It can ping the WAN but it cannot access the web gui.

                                All are solve but this remote site still cannot acess.

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.