Port forwarding in double NAT situation



  • I currently have a dual WAN setup with two independent fibre broadband lines in a load balanced/failover configuration. I have just bought a Huawei 4G router which has WLAN and a single ethernet port so I decided to chuck that into the mix for a bit of redundancy which did not depend on copper telephone lines.

    After some struggle, I got outbound working so I can now browse over the 4G network from any machine on my network, but I would like to get inbound working so that if the copper network is down, I still have a way to remotely access my network.

    The setup is thus:

    Huawei B310s-22 - Gateway/web UI IP = 192.168.0.1 / LAN IP 192.168.0.2
    pfSense - Gateway/web UI IP = 192.168.1.1

    I have disabled as many firewall features as possible on the router, as well as DHCP, and have configured the 192.168.0.2 address as the DMZ address. Now as I understand it, that will dump all traffic received onto the router's WAN port to the 192.168.0.2 address in pfSense, right?

    This is where I am at a loss. I had assumed that I could simply replicate my existing WAN1/WAN2 configuration and simply change the adapter, gateway and other interface-specific settings, but that seems not to work.

    So, how for example, do I accept connections to say ports 80 and 443 on the 4G connection, and get them to hit internal services. If it helps, the local IP which hosts these services is on the 192.168.1.0 network.

    The end situation is (I believe) 80/443 -> Huawei Modem -> pfSense 192.168.0.0 network -> pfSense LAN (192.168.1.0) but I'm at a loss which rules are needed and where to achieve this.



  • If your 4G provider is delivering RFC 1918 addresses, then you will never get it to work, as you'll have no idea what your public address is, nor will you be able to set up port forwarding to your network.  You need a public address to at least your firewall/router, to do what you want.



  • The 4G router has the IP address 31.97.8.XX on its WAN port (shown in both the router web UI and also via various "what is my IP"-type sites) if that answers your question.



  • I tried to do this and realized that the wireless carrier employed NAT so my USB modem didn't have a publicly routable IP address. Perhaps the carrier offers a different APN that would give me a public IP address but I didn't bother to check. Even if you do get a public IP address the carrier may block incoming connections. So before worrying about the pfSense config, I recommend validating your wireless device has a public IP address that allows incoming connections.



  • @DJBenson:

    The 4G router has the IP address 31.97.8.XX on its WAN port (shown in both the router web UI and also via various "what is my IP"-type sites) if that answers your question.

    Have you tried forwarding a port in the 4G router's config and checking (e.g. with nmap or on canyouseeme.org) to see if the port is open?



  • @nycfly:

    I tried to do this and realized that the wireless carrier employed NAT so my USB modem didn't have a publicly routable IP address. Perhaps the carrier offers a different APN that would give me a public IP address but I didn't bother to check. Even if you do get a public IP address the carrier may block incoming connections. So before worrying about the pfSense config, I recommend validating your wireless device has a public IP address that allows incoming connections.

    Yep - I was just posting something similar when the baby woke up for like the 10th time tonight!

    EE in the UK (and I suspect most carriers) employ carrier grade NAT so it's impossible to port-forward as there could be tens, hundreds or thousands of users with that public IP.

    Oh well, scrap that idea.



  • @nycfly:

    @DJBenson:

    The 4G router has the IP address 31.97.8.XX on its WAN port (shown in both the router web UI and also via various "what is my IP"-type sites) if that answers your question.

    Have you tried forwarding a port in the 4G router's config and checking (e.g. with nmap or on canyouseeme.org) to see if the port is open?

    I currently have port 80 and 442 forwarded to 192.168.0.2 (the only other IP on that network) and the ports show as closed (but then again there are no services running on that IP to accept those ports - wouldn't that make them show up as closed?)



  • @DJBenson:

    The 4G router has the IP address 31.97.8.XX on its WAN port (shown in both the router web UI and also via various "what is my IP"-type sites) if that answers your question.

    What happens if you check your IP address at www.grc.com?  Is it still that address?  My own cell carrier, before they switched to IPv6, used an address that appeared to belong in England (I'm in Canada), but it was different than what www.grc.com showed.

    EE in the UK (and I suspect most carriers) employ carrier grade NAT so it's impossible to port-forward as there could be tens, hundreds or thousands of users with that public IP.

    In Canada that's generally true too.  However, there are some instances when public addresses are used.  I have set up several systems where the main connection was via ADSL or cable modem, but had a backup via the cell network.  One major customer for this was Starbucks, but I've also set up some Tim Horton's locations too.



  • @DJBenson:

    I currently have port 80 and 442 forwarded to 192.168.0.2 (the only other IP on that network) and the ports show as closed (but then again there are no services running on that IP to accept those ports - wouldn't that make them show up as closed?)

    I believe it should show as open once it's forwarded regardless of whether something is listening or not.


  • LAYER 8 Global Moderator

    @nycfly:

    I believe it should show as open once it's forwarded regardless of whether something is listening or not.

    No, how can something show as open if nothing is there to answer the SYN? If you forward ports to something that is not listening, it will show closed. You can show yourself this by just forwarding something, and then turning that something off and leaving the forward.

    So here I forward 80 to my 192.168.9.100 box... I forward 80, but nothing is listening - fail. I then fire up hfs so it's listening on 80 - success. I then turn hfs off so it's not listening - back to fail, even though the port forward is there.

    Depending on the setup you might get an actual reject from your client saying hey, nothing here on that port, or it might just drop it quietly, depending on the OS you're sending the traffic to and its configuration... You'll notice I got an actual connection refused on my test, because one was sent.

    See the sniff, 2nd pic, where 80 came in and it sent back an RST. It is normally better to just quietly drop, but this is a Windows machine and I'm not sure where to set that - looking into it now ;)

    edit: Ok so now there is no RST sent (3rd pic), because I turned on the host firewall and 80 is not allowed, so the firewall prevents the RST from being sent. But you can see my host got the packets, just not answered with an RST since it's not listening. Whether you get an RST or not when sent to a non-listening port would come down to what OS you're sending to, whether there's a firewall, etc. etc., OS settings. But just the act of opening a port on pfSense to something that is not listening on that port is not going to show it open, that is for sure. For it to show open it would have to get a SYN/ACK to its SYN.
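The moderator's point above, that a forward only shows "open" when something behind it answers the SYN, as an added Python example (not code from the thread): it classifies a port the way a checker such as canyouseeme.org or nmap would (SYN/ACK = open, RST = closed, no reply = filtered), then probes a throwaway local listener before and after it is stopped. The listener class and function names are my own.

```python
import socket


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP port the way an external port checker would.

    'open'     - SYN answered with SYN/ACK (connect succeeds)
    'closed'   - host answered with RST (connection refused)
    'filtered' - nothing came back before the timeout (quietly dropped)
    'error'    - some other network error (e.g. host/net unreachable)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        s.close()


class DummyListener:
    """Throwaway TCP listener standing in for the service behind the forward."""

    def __init__(self, host: str = "127.0.0.1"):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, 0))  # port 0: let the OS pick a free port
        self._sock.listen(5)        # kernel completes the handshake for us
        self.host, self.port = self._sock.getsockname()

    def close(self) -> None:
        self._sock.close()


def demo() -> tuple:
    """Probe the same port with a listener up, then after it is stopped."""
    lst = DummyListener()
    with_listener = probe_tcp_port(lst.host, lst.port)     # expect 'open'
    lst.close()
    without_listener = probe_tcp_port(lst.host, lst.port)  # expect 'closed'
    return with_listener, without_listener


if __name__ == "__main__":
    print(demo())
```

Run from outside the network against the forwarded port to validate a forward: "closed" means the SYN reached a host that refused it, "filtered" means it was dropped somewhere (host firewall, router, or carrier NAT) before anything answered.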
