Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule
-
I have several 3100s running around the UK and normally access them using site 2 site VPN link. I do have a backup option though for accessing them in case the VPN tunnel was down. This is done via the NAT and associated WAN rules, where any TCP traffic coming from a list of trusted public IPs, hitting the destination firewall WAN address over HTTPS gets redirected to the host LAN address, again over HTTPS.
The above has worked a treat for years but now I am in a process of setting up a shiny new 6100 with pfsense+ 23.01 and for some reason I cannot do this.
-
@morgenstern
I'm wondering what you're trying to forward here. VNC, RDP, Webservice? -
@viragomann Just trying to access the webgui of my 6100 over the WAN interface.
It works on my other firewalls. Accessing them via their public IP. Just not this one.
-
@morgenstern
You wrote above, you redirect it from WAN to the host LAN address. So I'm wondering what the redirect target address is. Another WAN IP? -
@morgenstern If the client is not running a web server you can just allow port 443 to WAN Address from your management IP directly and not use NAT. For clients who do/did have a web/Exchange server we do use NAT but then use a different port like 50443 redirecting to the LAN IP:443.
Is there any chance the ISP is blocking port 443? Or maybe, is the WAN IP behind the ISP router's NAT (set it as the ISP router DMZ) or CGNAT where the request isn't being passed in?
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote ๐ helpful posts! -
@viragomann It's the LAN address of the same unit
-
@steveits There won't be any other services running from behind that unit for a while. The reson I wanted to set it up this way was that I wanted to access it remotely rather than having to be plugged directly into it.
It's connected to a brand new business leased line from an ISP I have not used before. A UK company operating on the OpenReach network. Do you reckon they may actually be doing some firewalling on their end?
-
@morgenstern
So what is the sense of forwarding it? That doesn't it even more secure.
Simply allow access to the WAN from the certain source IPs. -
@viragomann I originally copied that approach from a contractor that had set it up that way for us a few years back. I never thought to try and simplify it when it worked... :)
-
@morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.
Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
Upvote ๐ helpful posts! -
Deleted the NAT rule and just added this WAN rule instead but no joy
-
@steveits said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
@morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.
I guess I may have to speak to them. How would I establish whether it's this CGNAT? Is it a common thing nowadays?
-
It's a /29 network by the way
-
-
@viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
@morgenstern
https://en.wikipedia.org/wiki/Carrier-grade_NAThttps://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
Ah yeah, I see what you mean:
In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.
The public IP I got isn't in that range.
-
In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.
The public IP I got isn't in that range.
And also not a RFC 1918?
So check if the packets even arrive on your WAN. You can use Diagnostic > Packet Capture to investigate.
Do you have any other inbound connections?
-
@viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
RFC 1918
Nope. It's 188.x.x.x/29
-
Okay, I got it!
So my simplified rule was too complex!
The source has to be any port from the trusted IP list to HTTPS port on the destination wan IP!
-
@morgenstern said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
any
Ah yes the source port is normally random. Easy to read over in a screenshot.
