(DUAL WAN) External access problems on WAN2
-
Hello, I can't access pfsense webconfigurator and none of the NATs work on WAN2.
WAN1 is pfsense's default gateway. If I change to WAN2 the same problem occurs on WAN1.
I have looked for a solution in the advanced settings, disabling "reply-to" and enabling gateway switching, but no success.
Any ideas?
-
Anyone?
-
Not sure I understand what you're trying to do. If I follow correctly, you are trying to access the web configurator from the Internet using the WAN address?
If so, make sure your firewall rules allow traffic through for the web configurator port on the WAN2 interface.
As for NATs, make sure you have a NAT rule for both WAN1 and WAN2 from your source subnets (like LAN).
-
@Thale said in (DUAL WAN) External access problems on WAN2:
NATs, make sure you have a NAT rule for both WAN1 a
Hey Thale, thank you for your answer.
The rules and NATs are ok. And yes, I want to access the webconfigurator as well as NATs.
The thing is, I can only do so on the default firewall gateway WAN.
If the WAN2 is the default gateway I can access both webcfg and NATs on WAN2, not WAN1. And the same when WAN1 is the default gateway.
Concluding, I can only access webcfg and NATs on the ISP which is the firewall's default gateway.
-
You are going to need to provide more details: if you have public IPs and rules allowing traffic, you can access the webgui from either WAN. No need to change anything under advanced, no messing with the gateways. Are your WANs public and non-overlapping?
-
Silly question, but I assume you are accessing WAN web configuration via IP address and not domain name, right?
And dotdash is right, we need more information to provide better help.
-
@dotdash The NATs and rules are ok, as I said, I can access from both ISPs, but not simultaneously, only by the one which is the firewall's default gateway.
I don't know how I can explain better. And they are not public IPs, they go through NAT.
Example:
WAN1: 10.1.1.1 (firewall's default gateway 10.1.1.2)
WAN2: 10.2.2.1
In this scenario I can access webcfg and internal hosts through NAT via WAN1, but not WAN2.
WAN1: 10.1.1.1
WAN2: 10.2.2.1 (firewall's default gateway 10.2.2.2)
In this scenario I can access webcfg and internal hosts through NAT via WAN2, but not WAN1. Got it?
-
@Thale I tried both, IP and dynamic DNS.
-
Why are your WANs 10.x addresses? Are you cascaded off another nat router? Are they from different providers? Using private addresses on your WAN is fundamentally the wrong way to do it.
-
Because that's how most ISPs in Brazil do it for dynamic IPv4 links; the public IP is given only when it is static. They give you a router with Internet access and I DMZ to my firewall. That's not wrong and does not have an impact on this scenario. Yes, from different providers.
-
If your ISP is doing carrier grade NAT you will have to get with them for traffic to be sent to your pfSense WAN IP.
Simple enough to do a sniff on the pfSense WAN to validate traffic gets there... If it does, then it's simple to enable web GUI port access on your WAN. Any port forwarding would be the same as normal port forwarding.
But if you're behind a carrier grade NAT, you need to validate traffic actually gets to pfSense. pfSense cannot answer or forward traffic it never sees.
-
@Rafa By the way, this way you can't see the IPs that hit your pfSense WAN; everything arrives with the modem's source IP. Configure the modem in bridge mode and put your pfSense directly facing the street.
That DMZ mode is bad, yes; for example, you won't be able to do GeoIP block on your WAN, etc... Edit:
Let's suppose you have an HTTP server there, an Apache for example.
And you want to allow access only from Brazil, or some other country, whatever...
No point even trying, because your pfSense will only see your modem's IP
-
@Rafa said in (DUAL WAN) External access problems on WAN2:
That's not wrong and does not have an impact on this scenario. Yes, from different providers.
Just because the provider is doing it does not mean it's the right way. I'd also guess that it does have an impact, and you would not have these troubles if you were using a public IP.
-
@johnpoz said in (DUAL WAN) External access problems on WAN2:
if your behind a carrier grade nat.. You need to validate traffic actually gets to pfsense. Pfsense can not answer or forward
Guys, as I said before, I can access from both WANs, but not at the same time. I can only access through the WAN which is the firewall's default gateway. The WAN that is not the default gateway does not let me access, although the logs say it accepts.
-
Just to verify: you do not have 'disable reply-to' under Advanced, Firewall checked? Also, the masks for your WAN interfaces are at least /15?
-
@dotdash It is not an ISP problem, I have a lot of clients working that way, but not this one. Eventually this happens, even with public IPs on both WANs.
@mcury Hey bro, yes I can, because there's no NAT inbound, it's routed. I can only access externally, both the webcfg and internal hosts via NAT, through the link that is the firewall's default route.
Following the logs I see it hit both WANs, but only the one that is the default route lets me access.
The link that isn't the default route I can't access, even though the logs show it accepting, got it?
This happens on some installations; this one I managed to fix by installing an older version, but I still need a solution, since it happens every so often.
-
@dotdash said in (DUAL WAN) External access problems on WAN2:
asks for your WAN interfaces are at le
Not checked. Masks are /24. This may not seem right to you, but it is normal here.
The ISP provides a router, which has the public IP on WAN. I connect my pfsense on the router's LAN port, which is a /24 network. Then apply DMZ to pfsense's WAN IP.
I understand that's a lot to get external access and it is kind of strange, but it does not impact external access, it just makes more hops. I cannot bridge the ISP router because it is their policy to work this way; we are technologically underdeveloped, man, but it does not mean it is wrong.
-
Rafa, check the logs, I'm sure there won't be an external IP hitting your pfSense WAN.
Only the destination port will be the same. You may have outbound logs, but inbound, everything will come with the modem's IP.
Go to canyouseeme.org, run any test, and look at the packet capture, or at the firewall logs.
It will show an internal IP.
-
Maybe you don't have experience working this way, but the external IP does hit, yes, because it's routed; there is no NAT inbound.
NAT only happens on the way out, when traffic goes from the modem's LAN to the Internet.
I see my IP 187.x.x.x hit both WANs, but only one gives access, the other doesn't, even though the logs show it accepting.
People here are very focused on finding other problems instead of the solution. The situation is quite simple: I have two WANs, both with NAT and an allow rule, in the logs everything is accepted, but I can't access via WAN2 (in this case the one that isn't the firewall's default route).
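The two disputed points in this thread, johnpoz's "validate traffic actually gets to pfSense" and the disagreement between mcury and Rafa about whether the real external source IP is visible on the WAN, both reduce to the same check: look at the source addresses of inbound connection attempts per WAN interface and see whether they are public or already translated upstream. The script below is an added example, not from the thread or from pfSense itself. It assumes a simplified tcpdump-style capture line format and the interface names em0/em1; the sample capture lines are constructed, not taken from anyone's logs.

```python
"""Classify inbound connection attempts per WAN interface.

Added example. A capture taken on each WAN (for instance with tcpdump)
is reduced to one line per SYN in the assumed format below; the script
then reports, per interface, whether the sources are public addresses
(traffic reaches pfSense untranslated) or private/CGNAT addresses
(an upstream modem or carrier NAT is rewriting the source).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture (not from the thread). Assumed line format:
# "<iface> IP <src>.<sport> > <dst>.<dport>: Flags [S]"
SAMPLE_CAPTURE = """\
em0 IP 187.0.2.10.51234 > 10.1.1.1.443: Flags [S]
em0 IP 177.50.60.70.40001 > 10.1.1.1.3389: Flags [S]
em1 IP 10.2.2.2.51234 > 10.2.2.1.443: Flags [S]
em1 IP 100.64.5.9.40001 > 10.2.2.1.443: Flags [S]
"""

LINE_RE = re.compile(
    r"^(?P<iface>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# RFC 6598 shared address space used by carrier-grade NAT.
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_source(src: str) -> str:
    """Return 'cgnat', 'private', 'public' or 'other' for a source address."""
    ip = ipaddress.ip_address(src)
    if ip in CGNAT:          # checked first: older Pythons do not flag it as private
        return "cgnat"
    if ip.is_private:        # RFC 1918 ranges such as the 10.x.x.x modem LAN
        return "private"
    if ip.is_global:
        return "public"
    return "other"


def parse_capture(text: str) -> list:
    """Parse capture lines into dicts; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "iface": m.group("iface"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
        })
    return packets


def summarize(packets: list) -> dict:
    """Count source classes per interface, e.g. {'em0': {'public': 2}}."""
    per_iface = defaultdict(lambda: defaultdict(int))
    for p in packets:
        per_iface[p["iface"]][classify_source(p["src"])] += 1
    return {iface: dict(counts) for iface, counts in per_iface.items()}


def verdict(summary: dict, iface: str) -> str:
    """Turn the per-interface counts into the next troubleshooting step."""
    counts = summary.get(iface, {})
    if sum(counts.values()) == 0:
        return "no inbound traffic captured on this interface"
    if counts.get("public", 0) > 0:
        return "untranslated public sources reach pfSense: check rules, NAT and reply-to"
    return "only private/CGNAT sources: an upstream device is translating the traffic"


if __name__ == "__main__":
    summary = summarize(parse_capture(SAMPLE_CAPTURE))
    for iface in sorted(summary):
        print(iface, summary[iface], "->", verdict(summary, iface))
```

In the constructed sample, em0 sees two public sources, so a failure there is a firewall, NAT or reply-to question on pfSense; em1 sees only the modem's private address and a CGNAT address, which is the situation mcury describes, where pfSense can never see or GeoIP-filter the real client. When every source on an interface is the modem's LAN IP, the test at canyouseeme.org mentioned above will still succeed, so the source classification, not the reachability test, is what distinguishes the two cases.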
-
@Rafa Well, I have worked this way with Oi and with Net.
Both did NAT from the DMZ to my pfSense. Until I complained and they swapped the modems for ones that could do bridge.