Netgate Discussion Forum

Enable internet access from LAN

General pfSense Questions
  • J
    johnpoz LAYER 8 Global Moderator
    last edited by johnpoz Apr 5, 2020, 10:31 PM Apr 5, 2020, 10:26 PM

    @maale said in Enable internet access from LAN:

    And how to reach that machine from the WAN?

    You would never be able to resolve that from the WAN... It's not a public tld.. You mean some other local network that is just the wan of pfsense?

    As to locally - just query your local dns and it would resolve - if you actually set it up correctly.. That you get servfail tells me you didn't..

    Here I will pretend my host is www.domain.av and its IP address 10.11.12.13 --- I create a host override with that..

    resolve.jpg

    If you want to access something from the internet - you would need to use a public resolvable name that points to your wan IP, and then port forward to whatever service you want to access on this server.

    An intelligent man is sometimes forced to be drunk to spend time with his fools
    If you get confused: Listen to the Music Play
    Please don't Chat/PM me for help, unless mod related
    SG-4860 24.11 | Lab VMs 2.8, 24.11

    • M
      maale @johnpoz
      last edited by Apr 5, 2020, 10:59 PM

      @johnpoz
      Thanks for the clarification.
      Yes, I mean some other local networks that are just the wan of pfsense. My WAN interface IP is 104.x.x.x (subnet 104.x.x.x/24), my LAN interface IP is 192.168.1.1, and the LAN router is 192.168.1.1, so I have set up an inside web server with IP 192.168.1.5 and its hostname is www.domain.av. How can I make this server accessible from the other local networks?
      And how do I set my local DNS correctly? I have already set host names for each server in the /etc/hosts file.

      thanks in advance

      • J
        johnpoz LAYER 8 Global Moderator
        last edited by johnpoz Apr 5, 2020, 11:04 PM Apr 5, 2020, 11:03 PM

        @maale said in Enable internet access from LAN:

        My WAN interface IP is 104.x.x.x( subnet 104.x.x.x/24

        That is public space.. Where do these device point for dns? Again they would need to resolve your pfsense WAN IP via some fqdn.. Be it resolve in the dns they point to or publicly resolvable - or ok in their host file.

        Now you would have to do a port forward..

        Why do you have devices on public space that are local, but then have pfsense using rfc1918? You didn't just pull 104 out of thin air and start using it on your local network?

        • M
          maale
          last edited by Apr 5, 2020, 11:09 PM

          This is a school lab

          • J
            johnpoz LAYER 8 Global Moderator
            last edited by Apr 5, 2020, 11:27 PM

            So pfsense wan IP is 104.x.x.y, for you to get to whatever is behind it when you're also on the 104 network or anywhere on the wan side then you need to resolve whatever.domain.tld to this 104.x.x.y address... Be that public dns, be that some local dns you point to that resolves that for you, or host file on your machine.

            Once you resolve that fqdn to that IP... Then setup port forward on pfsense.

            https://docs.netgate.com/pfsense/en/latest/nat/forwarding-ports-with-pfsense.html

            • M
              maale @johnpoz
              last edited by Apr 5, 2020, 11:48 PM

              @johnpoz
              "then you need to resolve whatever.domain.tld to this 104.x.x.y address... Be that public dns, be that some local dns you point to that resolves that for you,"

              So I have added host overrides to my local DNS resolver, can that work?
              2f6be96d-628b-41bd-9b73-23cbbd0b036b-image.png

              • J
                johnpoz LAYER 8 Global Moderator
                last edited by Apr 6, 2020, 12:24 AM

                And are you using the resolver - do your boxes on 104 even have access to pfsense wan IP on dns?

                Show me your query.. You did a dig, a host you used nslookup - what.. Did you open udp/tcp on your wan for your clients on 104 to be able to query this 104.x.x.y address for dns?

                • S
                  stephenw10 Netgate Administrator
                  last edited by stephenw10 Apr 6, 2020, 2:24 AM Apr 6, 2020, 2:23 AM

                  The port forwards, like the firewall rules, are parsed from the top down.

                  You have a rule that forwards port 443 to the LAN IP address (192.168.1.1) above the rule for 192.168.1.5 so nothing can ever hit that.

                  Please show us a current port-forward list if you have made changes since.

                  Steve
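The ordering problem described in this post, as an added example that is not part of the original thread and not pfSense's own code: a simplified first-match model of a port-forward list that reports rules an earlier rule makes unreachable. The WAN address 203.0.113.10, the rule names and the mail target 192.168.1.6 are constructed placeholders; 192.168.1.1, 192.168.1.5 and port 443 come from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Forward:
    name: str      # hypothetical label for the rule
    proto: str     # "tcp", "udp" or "tcp/udp"
    dest: str      # WAN-side destination address or CIDR the rule matches
    ports: range   # destination ports the rule matches
    target: str    # internal host the traffic is redirected to

def protos(rule):
    return set(rule.proto.split("/"))

def covers(earlier, later):
    """True when every packet `later` could match is already taken by `earlier`."""
    return (protos(later) <= protos(earlier)
            and ip_network(later.dest).subnet_of(ip_network(earlier.dest))
            and later.ports.start >= earlier.ports.start
            and later.ports.stop <= earlier.ports.stop)

def shadowed(rules):
    """(dead rule, rule above it) pairs under top-down, first-match evaluation.
    Only catches a rule fully covered by ONE earlier rule, not by several combined."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

def first_match(rules, proto, dest_ip, port):
    """The rule that actually handles a connection, or None if nothing matches."""
    for r in rules:
        if (proto in protos(r) and port in r.ports
                and ip_address(dest_ip) in ip_network(r.dest)):
            return r
    return None

# Constructed rule list mirroring the situation in the post: the 443 forward
# to the LAN address sits above the 443 forward to the web server.
RULES = [
    Forward("fw-443", "tcp", "203.0.113.10", range(443, 444), "192.168.1.1"),
    Forward("web-443", "tcp", "203.0.113.10", range(443, 444), "192.168.1.5"),
    Forward("mail-25", "tcp", "203.0.113.10", range(25, 26), "192.168.1.6"),
]
FIXED = RULES[1:]  # the upper 443 rule removed

if __name__ == "__main__":
    print(shadowed(RULES), first_match(RULES, "tcp", "203.0.113.10", 443).target)
```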

                  • M
                    maale @stephenw10
                    last edited by Apr 6, 2020, 3:08 AM

                    @stephenw10
                    OK, this is a query using dig while using the DNS resolver of pfsense

                    a8b53193-f087-4bfe-90df-0bfb5847009f-image.png
                    And this is WAN rules, and NAT

                    7e9d3e79-bef6-4179-b194-9b1f8eeaefbe-image.png
                    380050c4-7bb7-4bee-92c4-cb38ed8cb179-image.png ,
                    Those internal machines are virtual machines that I have built behind the pfsense. Do I also need to build the external machines for the external IPs,
                    for the web and the email server? I have built an external vm with an IP: 104.x.x.z; from this machine I can ping the pfsense WAN address.

                    • J
                      johnpoz LAYER 8 Global Moderator
                      last edited by Apr 6, 2020, 9:58 AM

                      And how exactly is this 104 box doing a query to 192.168.1.1... Their default gateway is pfsense wan IP...

                      You show zero hits on any of your wan rules..

                      How about you draw up how you have this put together... Cause I don't see how devices on a 104 school network would be pointing to pfsense wan as their gateway.. Or how they would query a rfc1918 address for dns.

                      If anything would be an asymmetrical mess..

                      • S
                        stephenw10 Netgate Administrator
                        last edited by Apr 6, 2020, 12:23 PM

                        Ok, the port forward rules and linked firewall rules look good though.

                        Where are you testing it from? What IP? I assume that 104.x.x.x IP is the school's external public IP, not the pfSense WAN?

                        Test from something on the pfSense WAN subnet to the pfSense WAN IP address directly and it should work.

                        Steve

                        • J
                          johnpoz LAYER 8 Global Moderator
                          last edited by Apr 6, 2020, 12:26 PM

                          According to him the 104.x.x.x/24 is his pfsense wan.. And yeah it's his school network..

                          • S
                            stephenw10 Netgate Administrator
                            last edited by Apr 6, 2020, 12:42 PM

                            Ah, yes. Ok then test from that subnet to the IP directly, with those rules it should connect.

                            • M
                              maale
                              last edited by Apr 6, 2020, 4:36 PM

                              Thanks

                              Still does not work. I tested it from an externally built vm machine with IP 104.x.x.15 with gateway = 104.x.x.254; although I can ping the external mail server address: 104.x.x.35, I cannot connect to it!!!
                              8e4464c6-ed66-414e-b010-fc5db5532498-image.png
                              2b0dae74-55d8-4122-859a-c97defdec55f-image.png

                              Could you please let me know what can be the problem?

                              • J
                                johnpoz LAYER 8 Global Moderator
                                last edited by johnpoz Apr 6, 2020, 4:44 PM Apr 6, 2020, 4:41 PM

                                There are all kinds of things that could be the problem.. That just means you're pinging something 104.x.x.35... Why would you think that would be your mail server if it's behind pfsense, is that pfsense wan IP.

                                Which I doubt - since from your rules on your wan you're not allowing to ping its wan ip.. Or any icmp even, so highly much doubt that is even pfsense.. And sure isn't something behind it, etc. etc..

                                If you want help - I suggest you get with your teacher.. I'm not here to teach a class in basic networking, so you can get an A..

                                To troubleshoot port forwarding.
                                https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

                                But again, from what you posted I highly doubt that .35 is even pfsense wan IP... Since you do not allow that on your wan interface - so you wouldn't get an answer if you pinged it..

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Apr 6, 2020, 5:18 PM

                                  I agree. If you're genuinely testing from the WAN subnet and the pfSense WAN IP is 104.190.x.35 then your firewall rules should be blocking that ping.

                                  So either you're pinging something else or you changed the rules since your last screenshot.

                                  Steve

                                  • M
                                    maale @stephenw10
                                    last edited by Apr 6, 2020, 5:21 PM

                                    @stephenw10
                                    Yes, I have only changed the WAN rules to allow ICMP.
                                    064cb4aa-c5fa-4104-acff-9db37f1b69ec-image.png .
                                    thanks

                                    • S
                                      stephenw10 Netgate Administrator
                                      last edited by Apr 6, 2020, 5:37 PM

                                      Ok, what ports do you have in the web alias?

                                      • M
                                        maale @stephenw10
                                        last edited by Apr 6, 2020, 5:42 PM

                                        @stephenw10
                                        26f951e2-b552-4c1a-a3af-87d8bbb7ea29-image.png

                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Apr 6, 2020, 5:50 PM

                                          Ok it looks like your port forward for that server is listening at 104.x.x.5 but you are trying to open 104.x.x.35.
                                          Is that just a typo? Correct it if so.

                                          If it's a VIP on the WAN then try to open that IP.

                                          Steve
