Access to Web Gui over ISP WAN Gateway - Rules,NAT?



  • Hello,

    This might be a dummy question but I have the following situation:
    I have a XG1541 sitting in a datacenter; the ISP gave me a /30 subnet where .249 is the ISP Gateway and .250 is the IP of the XG1541.

    I gave the XG the .250 as static IP and added a .249 Gateway as Default.

    Now I am trying, for setup and remote management, to make the XG available through WAN.
    I set up a rule for SSH, HTTPS and ICMP (Ping) on WAN according to various How-tos and the Netgate Manual.

    But I'm not able to access or ping the XG. I can ping the ISP Gateway on .249 but not the XG.
    NAT is set to Automatic as per default.
    I noticed that the firewall rules on WAN don't show any traffic.
    Do I need some kind of routing or NAT?

    What am I doing wrong here?

    Best regards

    Guido


  • LAYER 8

    It is better to create a VPN tunnel and access SSH/webgui from there. Do you really want to expose SSH/webgui of the pfSense on the internet?



  • @kiokoman, I know and that is the plan.
    Right now I need direct access.
    Also, if I cannot configure access to the Webinterface or SSH, then establishing a tunnel doesn't work either...


  • LAYER 8 Global Moderator

    What are the rules on the WAN you created? If they are not showing any hits and just the 0/0, that means they never triggered. So either nothing actually got to pfSense WAN on those ports, or the rules are not correct for the traffic you're trying to allow.

    There is nothing to do with NAT or routing to get to a service listening on pfSense WAN, it's just a simple allow rule to the WAN address.

    Out of the box WAN would be blocking bogon and rfc1918. Is your source in those? Here is a simple rule to allow ping to WAN.

    allowping.png

    Do you have any rules in floating that would be evaluated before WAN rules, that could be blocking what you're wanting to allow? Maybe something upstream is blocking the traffic before it even gets to pfSense?



  • @johnpoz

    RTA Rules.JPG

    Ok... looking at your example I realised that I probably mixed up source and destination... I changed the ICMP and HTTPS rule to Source=any, Destination WAN Orbis1 and now I can ping and HTTPS.

    Just to complete the post and the info for others:
    The WAN Gateway is a proper public IP (213.xxx.xxx), not private.

    I will set up an IPSEC tunnel for access look HTTPS and move SSH to another port.

    I was sure it was something small and stupid.
    Thx John, it may be still early in the day but so far you are my hero of the day.


  • LAYER 8 Moderator

    @guido_neumann said in Access to Web Gui over ISP WAN Gateway - Rules,NAT?:

    Destination WAN Orbis1 and now I can ping and HTTPS.

    Destination would be "WAN_ORBIS1 Addr" or "This Firewall". Source should be any because of - you get it - the internet. Or even better, if you access that from a static IP (company etc.) then only allow this or another trusted IP. Much better than just allowing all.
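
The source/destination mix-up resolved in this thread, as an added example that is not part of any post: a simplified first-match model of WAN pass rules (not pf or pfSense code) showing why a rule with the WAN address as source never collects hits, and what restricting the source to a trusted IP changes. All addresses are constructed from documentation ranges; the names `Rule`, `evaluate` and `ruleset` are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (documentation ranges), not the poster's real IPs.
WAN_ADDR = ipaddress.ip_network("203.0.113.250/32")   # stands in for "WAN address"
TRUSTED = ipaddress.ip_network("198.51.100.10/32")    # admin's static IP (assumed)
ANY = ipaddress.ip_network("0.0.0.0/0")

@dataclass
class Rule:
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None for ICMP
    hits: int = 0

    def matches(self, pkt):
        return (pkt["proto"] == self.proto
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dport is None or pkt["dport"] == self.dport))

def evaluate(rules, packets):
    """First matching pass rule wins; unmatched packets hit the default deny."""
    verdicts = []
    for pkt in packets:
        rule = next((r for r in rules if r.matches(pkt)), None)
        if rule:
            rule.hits += 1
        verdicts.append("pass" if rule else "block")
    return verdicts

# Constructed packets arriving inbound on WAN.
PACKETS = [
    {"proto": "icmp", "src": "192.0.2.44", "dst": "203.0.113.250", "dport": None},
    {"proto": "tcp", "src": "192.0.2.44", "dst": "203.0.113.250", "dport": 443},
    {"proto": "tcp", "src": "198.51.100.10", "dst": "203.0.113.250", "dport": 443},
]

def ruleset(src, dst):
    """One ICMP rule and one HTTPS rule sharing the same source and destination."""
    return [Rule("icmp", src, dst), Rule("tcp", src, dst, 443)]

if __name__ == "__main__":
    for label, rules in [("mixed up (src=WAN address, dst=any)", ruleset(WAN_ADDR, ANY)),
                         ("corrected (src=any, dst=WAN address)", ruleset(ANY, WAN_ADDR)),
                         ("restricted (src=trusted IP, dst=WAN address)", ruleset(TRUSTED, WAN_ADDR))]:
        print(label, evaluate(rules, PACKETS), [r.hits for r in rules])
```
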

