Netgate Discussion Forum

    Access to Web Gui over ISP WAN Gateway - Rules,NAT?

    • guido_neumann

      Hello,

      This might be a dummy question but I have the following situation:
      I have a XG1541 sitting in a datacenter. The ISP gave me a /30 subnet where .249 is the ISP Gateway and .250 is the IP of the XG1541.

      I gave the XG the .250 as static IP and added a .249 Gateway as Default.

      Now I try for setup and remote management to make the XG available through WAN.
      I set up a rule for SSH, HTTPS and ICMP (ping) on WAN according to various how-tos and the Netgate manual.

      But I'm not able to access or ping the XG. I can ping the ISP Gateway on .249 but not the XG.
      NAT is set to Automatic as per default.
      I noticed that the firewall rules on WAN don't show any traffic.
      Do I need some kind of routing or NAT?

      What am I doing wrong here?

      Best regards

      Guido

      • kiokoman LAYER 8

        It is better to create a VPN tunnel and access SSH/webgui from there. Do you really want to expose SSH / webgui of the pfSense on the internet?

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        • guido_neumann @kiokoman

          @kiokoman, I know and that is the plan.
          Right now I need direct access.
          Also, if I cannot configure access to the web interface or SSH, then establishing a tunnel doesn't work either...

          • johnpoz LAYER 8 Global Moderator

            What are the rules on the WAN you created... If they are not showing any hits and just the 0/0, that means they never triggered. So either nothing actually got to pfSense WAN on those ports, or the rules are not correct for the traffic you're trying to allow.

            There is nothing to do with NAT or routing to get to a service listening on pfSense WAN, it's just a simple allow rule to the WAN address.

            Out of the box WAN would be blocking bogon and RFC1918.. Is your source in those? Here is a simple rule to allow ping to WAN.

            [Image: allowping.png]

            Do you have any rules in floating that would be evaluated before WAN rules, that could be blocking what you're wanting to allow.. Maybe something upstream is blocking the traffic before it even gets to pfSense?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • guido_neumann @johnpoz

              @johnpoz [Image: RTA Rules.JPG]

              Ok... looking at your example I realised that I probably mixed up source and destination... I changed the ICMP and HTTPS rule to Source=any Destination WAN Orbis1 and now I can ping and HTTPS.

              Just to complete the post and the info for others:
              The WAN Gateway is a proper public IP (213.xxx.xxx), not private.

              I will set up an IPsec tunnel for access, look HTTPS and move SSH to another port.

              I was sure it was something small and stupid.
              Thx John, it may be still early in the day but so far you are my hero of the day.

              • JeGr LAYER 8 Moderator

                @guido_neumann said in Access to Web Gui over ISP WAN Gateway - Rules,NAT?:

                Destination WAN Orbis1 and now i can ping and HTTPS.

                Destination would be "WAN_ORBIS1 Addr" or "This Firewall". Source should be any because of - you get it - the internet. Or even better, if you access that from a static IP (company etc.) then only allow this or another trusted IP. Much better than just allowing all.

                Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

                If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

                1 Reply Last reply Reply Quote 1
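The source/destination mix-up resolved in this thread, as an added example that is not from any of the posters and is not pfSense code: a simplified first-match model of inbound WAN rules with a default deny (no floating, bogon or RFC1918 handling). All addresses are constructed from documentation ranges; `WAN_ADDR`, `ADMIN_IP` and `STRANGER` are hypothetical names standing in for the .250 WAN IP, a trusted static source and any other internet host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from documentation ranges, not the poster's real IPs.
WAN_ADDR = ipaddress.ip_address("203.0.113.250")  # stands in for the .250 WAN IP
ADMIN_IP = ipaddress.ip_address("198.51.100.7")   # hypothetical trusted static source
STRANGER = ipaddress.ip_address("192.0.2.66")     # any other internet host
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(addr):
    return ipaddress.ip_network(f"{addr}/32")

@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: Optional[int] = None
    hits: int = 0

    def matches(self, src, dst, proto, port):
        return (proto == self.proto and src in self.src and dst in self.dst
                and self.port in (None, port))

def wan_rules(src, dst):
    """The two pass rules from the thread (HTTPS and ping) for one src/dst choice."""
    return [Rule("https", src, dst, "tcp", 443), Rule("ping", src, dst, "icmp")]

# Constructed inbound packets on WAN: (source, destination, proto, dst port)
PACKETS = [(ADMIN_IP, WAN_ADDR, "tcp", 443), (ADMIN_IP, WAN_ADDR, "icmp", None),
           (STRANGER, WAN_ADDR, "tcp", 443)]

def evaluate(rules):
    """First matching pass rule wins; unmatched traffic falls to the default deny."""
    verdicts = []
    for pkt in PACKETS:
        rule = next((r for r in rules if r.matches(*pkt)), None)
        if rule:
            rule.hits += 1
        verdicts.append("pass" if rule else "block")
    return verdicts, {r.name: r.hits for r in rules}

swapped = evaluate(wan_rules(src=host(WAN_ADDR), dst=ANY))    # the original mistake
corrected = evaluate(wan_rules(src=ANY, dst=host(WAN_ADDR)))  # the fix from the thread
restricted = evaluate(wan_rules(src=host(ADMIN_IP), dst=host(WAN_ADDR)))  # trusted IP only

for label, result in (("swapped", swapped), ("corrected", corrected), ("restricted", restricted)):
    print(label, *result)
```

The swapped rule set never matches because inbound packets carry the remote host as source, which is why the counters stay at zero; the restricted variant still serves the admin source while the other host falls to the default deny.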
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.