Trouble with in-coming connection with multi-WAN (fail-over)

viragomann · Jun 24, 2021, 9:28 AM

@macusers
So you have an LTE router in front of pfSense and have to forward incoming packets to pfSense. Did you do that?

I thought I'd be able to assess the admin-GUI regardless of the active WAN as the dynamic-DNS is correctly setting up the the IP address for the host.

Basically it's not recommended to open access to the web configurator from the WAN!

MacUsers · Jun 24, 2021, 10:14 AM

@viragomann said in Trouble with in-coming connection with multi-WAN (fail-over):

Basically it's not recommended to open access to the web configurator from the WAN!

I don't completely agree with that but that's hardly the point. The entire AWS admin-console is opened in the WEB - does it mean your entire infrastructure is exposed? You just need proper access control.

Anyway, that besides the point - the point is incoming traffic is not coming through when failing over to the secondary WAN, hence I cannot VPN in, to access the admin-console. The direct access admin-console was just another example.

-San

MacUsers · Jun 24, 2021, 10:23 AM

@viragomann said in Trouble with in-coming connection with multi-WAN (fail-over):

So you have an LTE router in front of pfSense and have to forward incoming packets to pfSense. Did you do that?

Trying to understand what actually mean. The Cable and the LTE modem both connected to the pfSense as WAN1 and WAN2, in a fail-over Gateway group. In coming works fine when WAN1 (cable modem) is active with the current configuration but when it fails over to WAN2 (LTE modem) it stops working. Outgoing is always okay. What do I do from here?

-S

viragomann · Jun 24, 2021, 4:03 PM

@macusers
Again, you will have to forward the incoming traffic on the LTE router to pfSense WAN2. You still didn't mention, if you did something like that already.

On pfSense you can check if incoming packets are arriving on the WAN2 interface using Diagnostic > Packet Capture. But I'm in doubt.

If you have forwarded the traffic and still no joy, check if you have a real public IP on the LTE. Provides like to provide CGNs. If it's this, you're lost.
Also it's possible that the ISP is blocking incoming traffic.

MacUsers · Jun 24, 2021, 4:25 PM

@viragomann said in Trouble with in-coming connection with multi-WAN (fail-over):

Again, you will have to forward the incoming traffic on the LTE router to pfSense WAN2. You still didn't mention, if you did something like that already.

I don't think I did anything special for WAN2. My question I'm trying answer to myself: How it's working on WAN1, as I didn't do do anything for WAN1 either? Could you give me some pointers how do I do that?

my LTE does provide a real public IP address, which I can see is getting updated in my DNS record (during the failover) and also can so see the public-ip running host command on the DNS name.

viragomann · Jun 24, 2021, 6:12 PM

@macusers
As you stated above

When it fails over to the WAN2, i.e. dynamic public IP from the LTE provider (which is different than the WAN2 interface IP)

the LTE public IP is not the WAN2 IP on pfSense. So the LTE router in front does NAT.
You might get the packets on the LTE WAN address, but if they are not forwarded from the router to pfSense, you cannot reach anything for sure.

MacUsers · Jun 24, 2021, 7:05 PM

@viragomann said in Trouble with in-coming connection with multi-WAN (fail-over):

You might get the packets on the LTE WAN address, but if they are not forwarded from the router to pfSense, you cannot reach anything for sure.

I think I understood what you mean but LTE modem is running in bridge/IP-pass-through mode, so routing functionality is turned off. Which one is the router here?

Having said that though, now makes me thinking, how the WAN2 is getting an IP from 10.xx.xxx.xxx network, which changes with every reboot. I have to agree I don't understand mobile data-network very well.

-S

viragomann · Jun 24, 2021, 7:28 PM

@macusers said in Trouble with in-coming connection with multi-WAN (fail-over):

WAN2 is getting an IP from 10.xx.xxx.xxx network,

This is not a public IP, it's a private one. Look Private network.

No matter if the LTE is in bridge mode or not, your pfSense has not the public IP on its interface. Therefor incoming traffic have to be forwarded to it.
Maybe your ISP only provides a private network to you. So there is no possibility to get incoming connections from the internet, unless he forward it.

MacUsers · Jun 24, 2021, 8:26 PM

@viragomann said in Trouble with in-coming connection with multi-WAN (fail-over):

This is not a public IP, it's a private one. Look Private network.

I know that private IP and, hence my comment
Anyway, let me see if I can make it working with a forward rule.

-S

MacUsers · Jun 24, 2021, 10:30 PM

@viragomann said in Trouble with in-coming connection with multi-WAN (fail-over):

Therefor incoming traffic have to be forwarded to it.

I couldn't figure out how to forward the traffic from public facing dynamic IP to WAN2 interface IP. Could you possibly give me an example or some sample screen-shots pls?

-San

viragomann · Jun 25, 2021, 11:13 AM

@macusers
First of all, again check your internet-facing IP on the LTE router. If this is not a real public IP, your ISP provides only a private subnet to you and there is nothing you can do. You will not get any traffic from the internet to your router, cause this is controlled by the ISP.
In this case you can only use it for upstream connections.