How to connect to opt1 from wan side to access server on other network



  • So one of our clients has a network with an IP range of 10.10.10.x/8. On that network we have our servers.
    We just put our firewall on the other modem and configured it. When we change the LAN IP to the other client IP and turn off DHCP on LAN, we can't connect to it from outside.
    So we decided to configure a LAN side and an OPT1 for the client side to access our server on their network.

    Problem is: when we VPN or forward a WAN-side port to the OPT1 interface to access our server on their network, it doesn't work.
    We set the rules to allow all and forwarded the port, but still nothing.

    What could be the problem?
    WAN side: 192.168.1.x/24
    LAN side: 172.16.0.x/24 -> LAN side is enabled but not connected on their network
    OPT1 side: 10.10.10.x/8.

    We only need our firewall to access our server on their network.

    What could be the problem, or what are we doing wrong?



  • Are you trying to forward the same port that the pfSense WebGUI is listening on?



  • No, we use another port to listen on our server. We have a port that we use for the pfSense WebGUI.

    Here are some pictures of our configuration.

    10.10.10.216 is our server on the client's network that we want to access.





    ![Capture3 - Copy.JPG](/public/imported_attachments/1/Capture3 - Copy.JPG)




  • Rebel Alliance Global Moderator

    Clearly you have no understanding at all of how the rules are evaluated.

    Or how basic networks even work… In what scenario would pfSense be involved with LAN net to LAN net traffic??

    In what scenario would your IPv6 LAN address be the source of traffic hitting the LAN?

    Your WAN has rules to allow any any into your LAN at the very top - dude!!!  Remove such rules!!!

    In what scenario would you be NATting source traffic of 172.16.0/24 to dest 172.16.0/24 to the WAN address?

    Rules are evaluated as traffic enters an interface.  First rule to trigger wins; no other rules are evaluated.

    You have a complete and utter MESS there...  I would suggest you start over!!!



  • OK, but the problem is that from the LAN side we can't go to the OPT1 side.

    That's why I posted the screenshot, to see if one of the rules is wrong.

    This is the first time we have to configure such a thing. Normally our firewall does everything when we install it, but the client already has a firewall and doesn't want our firewall to connect to their network and mess up their configuration. The problem is that the moment we put the IP from our client on the LAN side and disable DHCP, we cannot connect to our firewall anymore; that's why we use the OPT1 interface.


  • Rebel Alliance Global Moderator

    Doing what? To OPT1 you only have TCP allowed, so you would not be able to ping, etc.

    And you have your outbound NATs all F'd up!!!  And you're NATting to OPT1..

    Start OVER!!!  Don't just start clicking shit…

    Your default rule on LAN is any any... So if you create an OPT interface you would be able to get to it.  Nothing to do on OPT1 rules to let LAN talk to it.

    Create an any any rule on OPT1 and now you will be able to talk LAN to OPT and OPT to LAN... Then ask what you would like to do and I'd be happy to walk you through it.

    And you're also shoving stuff out a VPN it looks like, vs policy routing it out, with rules to allow access to your OPT before you shove everything out your VPN via default route, etc.  Why do you have a rule to PIA in your outbound NAT - but it looks only partial.. Dude, start OVER!!!



  • @eliotte:

    but because the client already has a firewall and doesn't want our firewall to connect to their network and mess up their configuration.

    Wise move from that client.



  • Thanks for the information. I will start from the beginning and let you know how it goes.



  • So I did everything again.

    I can ping the OPT1 interface from the LAN side with the pfSense, but from the pfSense I can't reach the server from the OPT1 interface.

    OPT1 interface IP: 10.10.10.249
    Server IP: 10.10.10.216

    What am I doing wrong?  First time I have to do such a setup, that's why.


  • Rebel Alliance Global Moderator

    Well, is that server running a firewall? A Windows machine for example will not answer ping from other than its local network.  Is that box using the OPT1 IP as its gateway? If not, then how would the answer get back?
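The two points the moderator makes in this thread (first matching rule wins, and the server's reply must route back through the OPT1 address) modelled in a small added Python script; this is illustrative code written for this thread, not pfSense's own, and the rulesets, the server's routing table, the assumed 10.10.10.1 client gateway, the ports and the 203.0.113.5 outside address are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    src: str                     # CIDR or "any"
    dst: str                     # CIDR or "any"
    dport: Optional[int] = None  # None = any destination port

def _in(net: str, addr: str) -> bool:
    return net == "any" or ip_address(addr) in ip_network(net, strict=False)

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins and nothing after it is consulted;
    with no match, pfSense's implicit default is to block."""
    for idx, r in enumerate(rules):
        if (r.proto in ("any", proto) and _in(r.src, src) and _in(r.dst, dst)
                and (r.dport is None or r.dport == dport)):
            return idx, r.action
    return None, "block"

def reply_next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None = on-link."""
    d = ip_address(dst)
    hits = [(ip_network(n, strict=False), gw) for n, gw in routes
            if d in ip_network(n, strict=False)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Constructed rulesets modelled on the thread, not the poster's screenshots.
WAN_RULES = [
    Rule("pass", "any", "any", "any"),                 # the "any any at the very top"
    Rule("pass", "tcp", "any", "10.10.10.216", 8443),  # the intended port-forward rule
]
OPT1_RULES = [Rule("pass", "tcp", "10.10.10.0/8", "any")]  # TCP only: no ping replies
# Constructed server routing table: default route points at the client's own
# firewall (assumed 10.10.10.1), not at the pfSense OPT1 address.
SERVER_ROUTES = [("10.10.10.0/8", None), ("0.0.0.0/0", "10.10.10.1")]
OPT1_IP = "10.10.10.249"

def diagnose():
    """Returns (wan_any_any_shadows, opt1_blocks_icmp, reply_bypasses_pfsense)."""
    idx, _ = evaluate(WAN_RULES, "tcp", "203.0.113.5", "192.168.1.2", 22)
    shadowed = idx == 0          # even firewall-admin traffic hits the any-any rule
    icmp = evaluate(OPT1_RULES, "icmp", "10.10.10.216", "10.10.10.249")[1]
    gw = reply_next_hop(SERVER_ROUTES, "203.0.113.5")
    return shadowed, icmp == "block", gw != OPT1_IP
```

Each True in `diagnose()` is one of the misconfigurations described above: a WAN any-any rule that shadows every rule below it, an OPT1 ruleset that drops ping, and a server whose replies leave via the client's firewall instead of the OPT1 address.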



  • So we got everything working fine. When we use the VPN we can connect to our server on OPT1 and everything.

    But now we want to get external access to our server using the OPT1 interface.

    But when we forward the port it doesn't work.

    We want to forward a port to our server that is on the OPT1 interface.

    Example: external IP:port x -> to our server that is connected to the OPT1 interface