I've natted pfsense's web and ssh to another box



  • here's the setup:

    pfsense = 192.168.1.254

    web server 192.168.1.x
    ssh server 192.168.1.x

    I was trying to set up NAT rules to allow me to type my domain name (which resolves to the interface IP) to get to my web server or SSH server. It does do this, but if I try to access the web interface on 192.168.1.254 or SSH on .254, I get the servers, not the pfSense box.

    Is there some way from the physical console that I can disable all NAT or even all firewall rules so I can get back to the web interface and fix this?



  • You could potentially edit the config file (/conf/config.xml) and take out the NAT rule for the LAN interface that must have been created.
    It would look something like:

        <rule>
            <protocol>tcp</protocol>
            <external-port>80</external-port>
            <target>192.168.1.x</target>
            <local-port>80</local-port>
            <interface>lan</interface>
            <descr>Web Server</descr>
        </rule>

    Then restart and you should be good to go.



  • When I created the NAT rules, I allowed it to automatically create the firewall rules. If I only change the NAT rules, I'm not sure how it will work.

    While I was consoled in, I noticed the /conf/backup dir had lots of old configs from the previous day. Sadly I had not set the time correctly, so I had no idea when they were from. I did a factory reset as this box isn't in production yet.

    How should I get around this problem in the future? I want to reach my web server on port 80 and SSH to it using the external IP, but I don't want to lose access to pfSense. The workaround with my current knowledge would be to use different ports for pfSense. Is there a better option, such as a rule saying not to NAT traffic to the pfSense IP?



  • Why would you leave your FIREWALL (the box that is supposed to secure your network) with OPEN PUBLIC STANDARD Ports?

    Set up the WebGUI on something non-standard (tcp 10080) and only allow HTTPS, and the same for SSH (tcp 10022).  Also you should ONLY allow your IP for the source address.  Better yet, don't allow ANY public access to your FIREWALL and use OpenVPN for remote admin tasks.



  • Deleting the NAT rules would stop the problem. The firewall rules aren't actually attached to the NAT rules in any way. Next time, don't setup any Port Forwards that are tied to the LAN interface. The only thing you want translated is when you try to access the WAN interface, not the LAN interface. That way you can still manage pfSense on your inside address, and access your web server and ssh server through the outside address.
    If you are going to be using your public address from inside the network, you need to uncheck the Disable NAT Reflection option under advanced to enable it.

    @vonskippy:

    Why would you leave your FIREWALL (the box that is supposed to secure your network) with OPEN PUBLIC STANDARD Ports?

    Set up the WebGUI on something non-standard (tcp 10080) and only allow HTTPS, and the same for SSH (tcp 10022).  Also you should ONLY allow your IP for the source address.  Better yet, don't allow ANY public access to your FIREWALL and use OpenVPN for remote admin tasks.

    That's not what is happening here. He was just forwarding ports for a web server and an ssh server and got the NAT rules messed up so he couldn't administer his box from the inside.
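    The two replies above both come down to the same check: any port forward whose interface is "lan" will rewrite traffic aimed at the LAN address itself, and any forward whose external port matches the WebGUI or SSH port collides with pfSense's own listeners. The script below is an added example, not code from the thread or from the pfSense project: it parses a config.xml, reports both conditions, and can strip the LAN-bound rules the way the config-editing reply suggests. The <pfsense>/<nat> wrapper, the <system><webgui> and <system><ssh> blocks, and the default ports are assumptions about the file layout; the sample config is constructed from the <rule> quoted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample config.xml, modelled on the <rule> quoted in the thread.
# The <pfsense>/<nat> wrapper and the <system><webgui>/<ssh> blocks are
# assumptions about the file layout, not copied from the original post.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <webgui><protocol>http</protocol><port>80</port></webgui>
    <ssh><port>22</port></ssh>
  </system>
  <nat>
    <rule><protocol>tcp</protocol>
      <external-port>80</external-port>
      <target>192.168.1.10</target>
      <local-port>80</local-port>
      <interface>lan</interface>
      <descr>Web Server</descr></rule>
    <rule><protocol>tcp</protocol>
      <external-port>22</external-port>
      <target>192.168.1.11</target>
      <local-port>22</local-port>
      <interface>lan</interface>
      <descr>SSH Server</descr></rule>
    <rule><protocol>tcp</protocol>
      <external-port>80</external-port>
      <target>192.168.1.10</target>
      <local-port>80</local-port>
      <interface>wan</interface>
      <descr>Web Server (WAN)</descr></rule>
  </nat>
</pfsense>
"""

# Assumed pfSense defaults when the port elements are absent.
ASSUMED_DEFAULTS = {"http": 80, "https": 443, "ssh": 22}


def _text(elem, path, default=""):
    """Text of the first child matching an ElementTree path, or a default."""
    child = elem.find(path)
    if child is None or child.text is None:
        return default
    return child.text.strip()


def _port_range(value):
    """Parse '80' or '8000-8080' into an inclusive (low, high) tuple."""
    low, _, high = value.partition("-")
    return int(low), int(high or low)


def management_ports(root):
    """Ports pfSense itself listens on, using the assumed defaults when unset."""
    proto = _text(root, "system/webgui/protocol", "https").lower()
    webgui = int(_text(root, "system/webgui/port")
                 or ASSUMED_DEFAULTS.get(proto, ASSUMED_DEFAULTS["https"]))
    ssh = int(_text(root, "system/ssh/port") or ASSUMED_DEFAULTS["ssh"])
    return {"webgui": webgui, "ssh": ssh}


def audit_forwards(root):
    """Return (severity, descr, reason) for every questionable port forward."""
    mgmt = management_ports(root)
    findings = []
    for rule in root.findall("nat/rule"):
        iface = _text(rule, "interface").lower()
        descr = _text(rule, "descr") or "(no description)"
        low, high = _port_range(_text(rule, "external-port", "0"))
        if iface == "lan":
            # Traffic to the LAN address itself is rewritten to the target,
            # which is exactly how the poster lost the WebGUI and SSH.
            findings.append(("high", descr, "port forward bound to the LAN interface"))
        for name, port in mgmt.items():
            if low <= port <= high:
                findings.append(("info", descr,
                                 f"external port range {low}-{high} overlaps "
                                 f"pfSense {name} port {port}"))
    return findings


def audit_config(xml_text):
    """Convenience wrapper: audit a config.xml given as a string."""
    return audit_forwards(ET.fromstring(xml_text))


def strip_lan_forwards(xml_text):
    """Remove every LAN-bound port forward; return (new_xml, removed_count)."""
    root = ET.fromstring(xml_text)
    nat = root.find("nat")
    removed = 0
    if nat is not None:
        for rule in list(nat.findall("rule")):
            if _text(rule, "interface").lower() == "lan":
                nat.remove(rule)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for severity, descr, reason in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {descr}: {reason}")
    cleaned, count = strip_lan_forwards(SAMPLE_CONFIG)
    print(f"removed {count} LAN-bound forward(s)")
```

    Run against a real /conf/config.xml, the "high" findings are the rules to delete; the "info" findings are the overlaps that moving the WebGUI and SSH ports (or leaving management off the forwarded ports) would resolve. Write the cleaned XML back only after keeping a copy of the original, and the usual caveat applies that pfSense keeps its own backups under /conf/backup.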



  • Thanks for the replies, guys. I changed the HTTP and SSH ports of pfSense and my port forwarding doesn't overlap anymore.

    Reflection is enabled, and I can access my public IPs from the inside as well as get to the pfSense box.

    For those of you wondering why I would want this: there are laptops on the inside hitting a mail and web server. When I take the laptops with me, I don't want to have to reconfigure my email client, let alone explain how to do it to family members.



  • Understandable. Another option is to use overrides in the DNS forwarder to return the inside address when clients look up those DNS names inside the network.

