Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Just getting started question

    Scheduled Pinned Locked Moved General pfSense Questions
    6 Posts 3 Posters 790 Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M Offline
      mgideon
      last edited by

      This might be a NAT question but I'm not sure I have everything set up right. I'm VERY new to pfSense and just set up a lab in VMWare.

      I have 3 VMs

      1. pfSense with 2 NICS. and DHCP running pool (192.138.2.10-200)
        WAN (em0) DHCP pulling from my LAN -getting192.168.1.68/24
        LAN (em1) Static 192.168.2.1/24 (on VMWare LanSegment "Lab"
      2. Windows DHCP from pfSense 192.168.2.50 running IIS on "Lab"
      3. Kali DHCP from pfSense 192.168.2.51 running SSH server on "Lab"

      Windows and Kali can ping the real world. I can access IIS from Kali and SSH Kali from windows.

      I wanted to open SSH to my Kali and 80 to IIS from my pfSense WAN to LAN so I created 2 NAT rules

      1. NAT for Win7 Website
        Interface: WAN
        Protocol: TCP
        Destination: LAN Address
        Dest port from HTTP to HTTP
        Redirect IP 192.168.2.50
        Redirect port HTTP
        -- and "Add associated filter rule" which I think means make the Firewall rule automatically.

      2. SSH to Kali
        Interface: WAN
        Protocol: TCP
        Destination: LAN Address
        Dest port from SSH to SSH
        Redirect IP 192.168.2.51
        Redirect port SSH
        & "Add associated filter rule"

      The 2 automatic firewall rules look right
      Pass, WAN, TCP, any, 192.168.2.50 HTTP HTTP
      Pass, WAN, TCP, any, 192.168.2.51 22, 22

      From the WAN interface (my home network) I can not access IIS on 192.168.1.68 or SSH on 192.168.1.68

      pfSense Test port from WAN to 192.168.2.51 22 fails.

      The firewall system log is confusing. I don't see anything from my desktop 192.168.1.36 (the machine that has VMWare running).
      I do keep seeing over and over WAN 192.168.1.99:##### which is the last address of my home network LAN DCHP pool??

      Did I miss something? Is there some logging I'm missing or need to turn on?

      Thanks for any input or feedback.

      Mike

      stephenw10S GertjanG 2 Replies Last reply Reply Quote 0
      • stephenw10S Offline
        stephenw10 Netgate Administrator @mgideon
        last edited by

        The destination on the port forwards should be the WAN address (or a VIP in WAN).

        You will then access the internal resources using the pfSense WAN IP from the WAN side subnet.

        Steve

        M 1 Reply Last reply Reply Quote 0
        • M Offline
          mgideon @stephenw10
          last edited by

          @stephenw10 That makes sense. But it still does not work. Just to be safe, I built an entire new lab on my work machine. Same thing.

          I turned on logging for the firewall rule that was automatically generated by this NAT rule. I then tried to access the Linux box over SSH the connection times out but there are no logs relating to this event.

          I found this troubleshooting guide:
          https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html

          tried enabling NAT reflection. No change.
          Checked the states - none listed.
          Did a packet capture and when sourcing the WAN interface and port 22, got no results. To be thorough I watched the LAN side and tried again. Nothing.
          So I did a tcpdump, tried again but don't see anything when I filter on port 22. I'm using putty to ssh from my host. I'm at a loss, but it looks more like an issue with VMWare.

          I'm going to build a mini PC and try this with physical hardware.

          Mike

          1 Reply Last reply Reply Quote 0
          • GertjanG Online
            Gertjan @mgideon
            last edited by Gertjan

            @mgideon said in Just getting started question:

            DHCP pulling from my LAN -getting192.168.1.68/24

            So, implicity, I say : you have also an upstream ISP router. The one from where pfSense is pulling the RFC1918 IP 192.168.1.68/24 'WAN' IP. Pretty sure that your ISP doesn't give you such an IP.

            What about the NAT rules in that upstream router ?

            @mgideon said in Just getting started question:

            80 to IIS

            Not related but : port 80 web serving exists for local debugging at best.
            The Internet shifted to port 443. Also known as 'https'.
            You'll see : in the nearby future browsers start to warn and refuse port 80 (http) requests.
            ..... and then the yell that the cert proposed by the web server is signed by a known guy .... admins keep on learning forever ...

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            M 1 Reply Last reply Reply Quote 0
            • stephenw10S Offline
              stephenw10 Netgate Administrator
              last edited by

              If you don't see traffic arriving on the WAN to port 22 in a pcap then it's never going to work. That means either the client is not sending it or it's being filtered in the hypervisor as you suggested.

              Steve

              1 Reply Last reply Reply Quote 0
              • M Offline
                mgideon @Gertjan
                last edited by

                @gertjan This is a all in VMWare on my home PC. I do have a DHCP server at my house. This is where the 192.168.1.68 for my WAN interface is coming from.

                Thanks for the information on SSL/TSL. I picked 80 because it is just a internal VM and it was easy to setup by installing IIS on one of those VMs.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.