Unable to access a host on another subnet but can from pfSense [SOLVED]
-
Your pfSense LAN2 IP is 192.168.1.1, right? And you're just trying to do a source NAT to the web GUI running on 80, because the device you're connecting to on 80 does not have a gateway set..
Exactly!!! This is a WiFi router working as AP only. I am trying to access its Web Config pages.
Would look like below.
I totally get what you are saying. Also, I did change the NAT port to 80 (non-static), as you suggested, so it can change "ipA:portx" to "ipA:portY", however when I do this, I just cannot get through to the AP's web interface.
I just cannot see how would the AP detect this and why your suggestion does not work.
When I change the NAT port to 80, I get following in the state log:
LAN1 tcp 192.168.0.3:52387 -> 192.168.1.2:80 CLOSED:SYN_SENT
LAN2 tcp 192.168.0.3:52387 -> 192.168.1.2:80 SYN_SENT:CLOSED
When it is static I get below - although I see the source port also changing, strange:
LAN1 tcp 192.168.0.3:52469 -> 192.168.1.2:80 ESTABLISHED:ESTABLISHED
LAN2 tcp 192.168.1.1:52469 (192.168.0.3:52469) -> 192.168.1.2:80 ESTABLISHED:ESTABLISHED
-
Your post does not show a change in source port.. It's 52469 from the .0.3 box and when it gets forwarded from 1.1..
-
Your post does not show a change in source port.. It's 52469 from the .0.3 box and when it gets forwarded from 1.1..
OK, get it (was late :D). Still don't get why non-static does not work.
-
No idea… Sniff the traffic to see what you get back from the SYN that is sent.. My guess is you're getting RST back from the device because there is a session open or something.
Did you try rebooting the AP?
-
Giving you some bunk info messing up between outbound NAT and port forwards. Sorry.
Set it like this:
-
Good catch Derelict.. This is outbound nat you wouldn't set the NAT.. That would be done automatic. You would do that with port forward inbound. But shouldn't it work anyway?
-
That was effectively static port. I would expect that to work intermittently at best.
-
Giving you some bunk info messing up between outbound NAT and port forwards. Sorry.
Great catch!
It now works either way, when I set it as static or if I set it to any (non-static). I am now using (non-static).
Thank you!
-
That was effectively static port. I would expect that to work intermittently at best.
I am trying to understand this statement, can you please go into a bit more detail to explain?
I.e. why would you expect this to work intermittently?
-
Because static port sets the NAT source port so it never changes.
That was effectively setting your source port to 80 and the dest port was 80.
You can only have one firewall state from ip_address_1:80 to ip_address_2:80. So even if the browser tried to open multiple connections to the AP's web interface the potential for them to fail was there.
With static source port the NAT (PAT really) will work around that by translating the source port to any available port in the NAT table.
You do not want or need static port here. Leave it off.
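To make the "one state per ip_address_1:80 -> ip_address_2:80" point above concrete, here is an added toy model of the pf state-table limit (my own illustration, not code from pfSense or anyone in this thread). It reuses the addresses from the thread; the three modes, the port allocator and the state-key layout are simplifications I chose for the example.

```python
# Added example: why a fixed "NAT port" of 80 on the outbound rule can only ever
# carry one connection to the AP, while the default PAT behaviour carries many.
# Addresses come from the thread; everything else is a constructed simplification.

NAT_IP = "192.168.1.1"      # pfSense LAN2 address (from the thread)
AP = ("192.168.1.2", 80)    # the AP's web interface (from the thread)
CLIENT = "192.168.0.3"      # the LAN1 host (from the thread)


class OutboundNat:
    """pf keeps at most one state per translated 5-tuple; this models that limit."""

    def __init__(self, nat_ip):
        self.nat_ip = nat_ip
        # (proto, nat_ip, nat_port, dst_ip, dst_port) -> original (src_ip, src_port)
        self.states = {}

    def _free_port(self, dst):
        # PAT: take the first ephemeral port that does not collide with an existing state.
        for port in range(49152, 65536):
            if ("tcp", self.nat_ip, port) + dst not in self.states:
                return port
        raise RuntimeError("port pool exhausted")

    def open_flow(self, src, dst, mode, nat_port=None):
        """Translate src for a new TCP flow to dst.

        mode "fixed":  outbound rule has 'NAT port' set, every flow gets nat_port
        mode "static": 'Static Port' ticked, the client's own source port is kept
        mode "pat":    the default, pf picks an unused translated source port
        Returns the translated (ip, port), or None when an identical state already
        exists and pf cannot create a second one for the new SYN.
        """
        if mode == "fixed":
            port = nat_port
        elif mode == "static":
            port = src[1]
        else:
            port = self._free_port(dst)
        key = ("tcp", self.nat_ip, port) + dst
        if key in self.states:
            return None
        self.states[key] = src
        return (self.nat_ip, port)


def simulate(mode, nat_port=None):
    """A browser opens three parallel connections to the AP, as page loads do."""
    nat = OutboundNat(NAT_IP)
    return [nat.open_flow((CLIENT, p), AP, mode, nat_port) for p in (52469, 52470, 52471)]
```

Running `simulate("fixed", 80)` admits only the first connection; `simulate("pat")` and `simulate("static")` admit all three with distinct translated ports.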
-
Thanks for the info and all the help. Cheers. 8)