Port forward 80/443 issue on 2.6
-
Hi all, First time poster!
I am having difficulty getting 80/443 port forwarded to a server port in my LAN. I get ERR_CONNECTION_TIMED_OUT.
I'll try to give as much information as possible so you don't all have to ask me 20 questions to understand the problem :-)
INTERNET: NBN DHCP Static IP by VDSL2 ipoe_ptm_0_0_d
MODEM: TPLINK ARCHER VR400 v3: 192.168.1.1 with DMZ for 192.168.1.2 (DHCP is on as turning it off stops the SG125 WAN port from accessing). I can't turn the modem to bridge mode which would be perfect and there is no PPPOE for my provider (only IPOE VDSL2 meaning that they use DHCP to allocate the static IP I lease from them at $5 p/m on top of my internet plan with them).
SOPHOS SG125 with pfSense 2.6 UFS Router: STATIC WAN IP 192.168.1.2
ADMIN: 192.168.1.1:88 (I can access the TPLINK Modem admin via the LAN)
MYSWITCH LAN PORTS: 192.168.0.50 - 192.168.0.254
LAN2: Nginx-Proxy-Manager (Intel NUC with OMV + Docker and static LAN IP): 192.168.0.2
DVR: 192.168.3.6
Everything is set up and working nicely. Below are my firewall settings. I can't seem to see what is wrong.
Please note: The domain name I am pointing to my Static IP was working with Nginx-Proxy-Manager before I installed the SG125 with pfSense.
SG125 Port Panel
**pfSense Settings Screen**
Interface screen
Firewall port forward screen
Firewall WAN screen
Firewall LAN screen
Firewall LAN2 screen
Firewall DVR screen
PROBLEM: I want to access this from LAN IP range but block it from accessing the LAN IP range in case it gets hacked.
Thanks for reading! If you need any more info then I will gladly provide.
-
Welcome to the forum!
Your currently disabled port forward will not work because it has a source port set.
The source port is usually some random high numbered port, it should be set to 'any' there.
If you want to forward from standard https (443) to 4443, the destination port should be 443 and the NAT port 4443.
You don't need any firewall rules on the DVR interface if you only need access to it. The only rules that have to be there are to allow it to connect out for DNS or NTP maybe.
Steve
-
@stephenw10 Thanks for the reply and astute eye. Yes - I disabled as they weren't working but will try your suggestions now.
-
Hello @stephenw10 - I made those changes but still no outside access..
Do I need to remove these below?
DVR: That makes perfect sense! Thank you!!!!
-
@luddite I'm getting error log entries now!! Yay
-
@stephenw10 I'm getting error log entries now!! Yay
So - I made an easy entry rule from the firewall error log. That showed me the issue straight away. Everything is perfect now!
To wrap this up. I needed 1 port forward and 1 WAN rule.
Thank-you!!!
-
Ah, good to hear.
Normally the firewall rule is auto-created when you create the port forward and linked to it so it changes if you change the forward. You can change that behaviour though, which it looks like you did.
Steve
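
An added example, not part of the original posts and not pfSense's own code: a small audit of a configuration backup for the two problems discussed in this thread, a port forward with a fixed source port and a forward with no linked WAN firewall rule. The XML is a constructed excerpt; its element names are assumed to follow the layout of a pfSense config.xml backup, and `audit_port_forwards`, the rule ID and port 8080 are made up for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt; element names assume the pfSense config.xml backup layout.
SAMPLE_CONFIG = """
<pfsense>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any/><port>443</port></source>
      <destination><network>wanip</network><port>443</port></destination>
      <target>192.168.0.2</target><local-port>4443</local-port>
      <associated-rule-id></associated-rule-id>
    </rule>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><network>wanip</network><port>80</port></destination>
      <target>192.168.0.2</target><local-port>8080</local-port>
      <associated-rule-id>nat_example_0001</associated-rule-id>
    </rule>
  </nat>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>192.168.0.2</address><port>8080</port></destination>
      <associated-rule-id>nat_example_0001</associated-rule-id>
    </rule>
  </filter>
</pfsense>
"""

def audit_port_forwards(config_xml):
    """Return (destination port, finding) pairs for forwards that will not pass traffic."""
    root = ET.fromstring(config_xml)
    # IDs of filter rules that are linked to a port forward.
    linked = {r.findtext("associated-rule-id") for r in root.findall("./filter/rule")}
    linked -= {None, ""}
    findings = []
    for rule in root.findall("./nat/rule"):
        dport = rule.findtext("destination/port", default="any")
        sport = rule.findtext("source/port")
        if sport:  # clients connect from random high ports, so a fixed one never matches
            findings.append((dport, f"source port fixed to {sport}; set it to any"))
        assoc = (rule.findtext("associated-rule-id") or "").strip()
        if assoc != "pass" and assoc not in linked:
            findings.append((dport, "no linked WAN rule; needs a manual pass rule to the target"))
    return findings

if __name__ == "__main__":
    for port, msg in audit_port_forwards(SAMPLE_CONFIG):
        print(f"forward on port {port}: {msg}")
```

A forward flagged only for the missing linked rule can still work if a separate WAN pass rule to the internal target exists, so treat that finding as a prompt to check the WAN rules.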
-
@stephenw10 I can't recall changing it but at least I understand how this section works now. I've backed up my config. Next I move onto mounting my hardware property and then VPN.