Unable to route port based routing from WAN to LAN



  • Hi,

    I currently have a situation where I need mobile devices to hit the WAN interface, and then route any traffic on port 10100 to the LAN interface, so it can traverse my LAN network to a VPN tunnel so it can access a device on a cloud network at 192.168.200.70.

    I know I can communicate from the LAN interface to the VPN tunnel on the LAN network, but I am having problems getting the WAN traffic to route based on the port configuration. It keeps trying to go out the WAN gateway, and doesn't hit the correct location.

    Firewall rules, static route config, and traceroutes are attached.

    Any ideas on what could be preventing it from going out the correct interface? I honestly don't get why the pfSense isn't handing the traffic over to the LAN interface, hoping you guys can see what I messed up.

    ![LAN Firewall Rules.PNG](/public/imported_attachments/1/LAN Firewall Rules.PNG)

    ![WAN Firewall Rule.PNG](/public/imported_attachments/1/WAN Firewall Rule.PNG)

    ![WAN Traceroute.PNG](/public/imported_attachments/1/WAN Traceroute.PNG)



  • I have the same issue, on a simpler setup.

    Traffic coming IN the WAN interface is not routing correctly. It goes to the default gateway, rather than following the routing table and going to an OpenVPN route.

    I don't want to NAT incoming on the WAN interface, just route, as the pfSense box is buried within a local network.

    There must be a simple setting to say route, not NAT, on WAN?



  • I am glad to see I am not the only one having this issue.

    Did you ever find a solution?



  • OP, I think you got everything wrong, your configuration does not really make much sense.

    If I understand correctly you have another gateway on your LAN that is used to access this remote service, and you want to receive incoming connections on your WAN and direct them to this remote service, right?

    This cannot be done with just routing, you need to do NAT at some point. Forget about everything you did. A simple port forward towards the remote service IP should work if the default route on your remote service system is also this pfSense box. If it is not, you also need some extra NAT to change the source IP of the incoming packet to the one of the pfSense box (so it knows how to route back the answer).

    This is not the same issue as mcdiesel posted. If you want to disable NAT on an interface, change the Outbound NAT settings to Manual and delete the appropriate rules.
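As an added illustration of the port forward plus source NAT that georgeman describes above (example config written for this thread, not from any poster and not pfSense's own generated ruleset), here is the equivalent in raw pf(4) syntax. The interface names, LAN subnet and LAN-side VPN gateway are assumed placeholders; only port 10100 and the remote address 192.168.200.70 come from the thread.

```pf
# Hypothetical placeholders except where noted
wan_if   = "em0"             # WAN interface (assumed)
lan_if   = "em1"             # LAN interface (assumed)
vpn_gw   = "192.168.1.254"   # LAN-side gateway into the VPN tunnel (assumed)
remote   = "192.168.200.70"  # device on the cloud network (from the thread)
svc_port = "10100"           # service port (from the thread)

# Step 0 (outside pf): the kernel route table, not a firewall rule, decides
# which interface a forwarded packet leaves on. Without a route like this,
# anything destined for 192.168.200.0/24 follows the default route out the
# WAN, which is what the OP's traceroute shows.
#   route add -net 192.168.200.0/24 192.168.1.254

# Step 1: port forward (destination NAT). Packets arriving on WAN for port
# 10100 get their destination rewritten from the WAN address to the remote
# service; pf then routes the rewritten packet via the route above.
rdr on $wan_if inet proto tcp from any to ($wan_if) port $svc_port \
    -> $remote port $svc_port

# Step 2 (only when the remote system's default route is NOT this pfSense):
# source NAT the forwarded packets to the LAN address so the remote service
# replies to pfSense, which holds the state entry, instead of sending the
# answer towards the mobile device's public IP by some other path.
nat on $lan_if inet proto tcp from any to $remote port $svc_port \
    -> ($lan_if)

# Filter rules: pf applies rdr before filtering, so the WAN pass rule must
# match the translated destination (the remote IP), not the WAN address.
pass in quick on $wan_if inet proto tcp from any to $remote port $svc_port \
    keep state
pass out quick on $lan_if inet proto tcp from any to $remote port $svc_port \
    keep state

# Note: a LAN firewall rule with a gateway selection only ever matches traffic
# entering on the LAN interface; packets entering on WAN never hit it, which
# is why "policy routing" on LAN cannot fix inbound WAN traffic.
```

In the pfSense GUI the rdr line corresponds to a Firewall > NAT > Port Forward entry and the nat line to a manual Outbound NAT rule on the LAN interface.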



    Thanks for the advice; however, I just gave that a shot, and it seems to still be routing the traffic back over the WAN interface when doing a traceroute to the remote IP.

    Any other advice you can offer would be awesome.

    @georgeman:

    > OP, I think you got everything wrong, your configuration does not really make much sense.
    >
    > If I understand correctly you have another gateway on your LAN that is used to access this remote service, and you want to receive incoming connections on your WAN and direct them to this remote service, right?
    >
    > This cannot be done with just routing, you need to do NAT at some point. Forget about everything you did. A simple port forward towards the remote service IP should work if the default route on your remote service system is also this pfSense box. If it is not, you also need some extra NAT to change the source IP of the incoming packet to the one of the pfSense box (so it knows how to route back the answer).
    >
    > This is not the same issue as mcdiesel posted. If you want to disable NAT on an interface, change the Outbound NAT settings to Manual and delete the appropriate rules.



  • No no, forget about routing! You cannot just route from the internet towards a private internal IP. Tracerouting from the WAN interface of pfSense does not make any sense at all, of course it will always try to send it to the internet.

    I suggest you go back to the drawing board and think carefully about what you want to achieve. If you want, make a diagram and post exactly what you want to achieve, and I can help you.