Outbound works fine, but cannot make inbound connections

  • Hi All,

    I'm setting up a 4G connection into pfSense, the service is not behind a CGNAT device so I have a proper public/routable IP. This firewall also has a HFC/Cable connection, which works inbound/outbound just fine (WAN/LAN are the interface names).

    I can make outbound pfSense connections just fine using the 4G service, but not inbound. I've defined an interface called 4GLTE, I've set up port forwards in the same manner as my working WAN port forwards, but I cannot get inbound traffic.


    A packet capture didn't show any data towards

    How am I best to determine why this is failing? The 4G SIM card is inside a Netgear LB2120 modem, set to bridge mode, and I verified that my TELSTRA4GLTE interface is receiving the correct public IP.

    Here is the firewall rule that's common between the WAN/TELSTRA4GLTE interface

    I have already tried removing the source IP range restrictions.



  • So I fixed this.

    Question though, my port forwards specify WAN. When the WAN fails and moves to the 4G interface, the NATs won't work.

    Do I need to create new port forwards for the 4G interface using different inbound ports, as there's no way to make the NAT interface ANY, or WAN and 4G at the same time?


  • @automate You should be able to "duplicate" your working WAN NAT rules, change them to the 4G interface, and run them alongside the WAN rules at the same time. I have never tried it like that, but it should work.


  • @akuma1x And this is exactly what I've done, I also did that for the NAT.

    I assume I can run the same inbound port for the port forwards given the interface is different?

    ie: 6150 inbound on WAN maps to 3389 on LAN
    6150 inbound on 4G maps to 3389 on LAN

  • @automate

    How did you get a Telstra 4G connection that's not behind a CG NAT?

    My Netgear LB2120 always gets a 10.x.y.z address.

    BTW, I wouldn't port forward to 3389 (RDP). Much better to use a VPN.

  • How, use a business grade mobile broadband plan with a public IP.

    I've locked 3389 down. It's fine.

  • Ah, business plan. Thanks.
    Didn't know you could opt for that. Is it a fixed IP?
    I'm looking for something to give me a fail-over once I'm forced on to NBN/HFC.

  • Yes, fixed/static :)

  • @automate

    Thanks again and, yes, no problem running the same port forwards on two interfaces.

  • Thanks, I'll give it a go.

    I had an initial stab but it wouldn't work.

    I couldn't connect in, I need to check the routing... as the default may be via the WAN. So how would it route the traffic back via the 4G if it came in the 4G interface?

  • @automate

    If you've removed the source alias from both, your NAT and corresponding rule look OK to me.

    There was a problem with the LB2120 in bridge mode

    Are you on the latest LB2120 firmware?
