Netgate Discussion Forum
    Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule

    Firewalling
    19 Posts 3 Posters 1.8k Views
      morgenstern

      I have several 3100s running around the UK and normally access them using site 2 site VPN link. I do have a backup option though for accessing them in case the VPN tunnel was down. This is done via the NAT and associated WAN rules, where any TCP traffic coming from a list of trusted public IPs, hitting the destination firewall WAN address over HTTPS gets redirected to the host LAN address, again over HTTPS.

      The above has worked a treat for years but now I am in a process of setting up a shiny new 6100 with pfsense+ 23.01 and for some reason I cannot do this.

      [two screenshot attachments]

        viragomann @morgenstern

        @morgenstern
        I'm wondering what you're trying to forward here. VNC, RDP, Webservice?

          morgenstern @viragomann

          @viragomann Just trying to access the webgui of my 6100 over the WAN interface.

          It works on my other firewalls. Accessing them via their public IP. Just not this one.

            viragomann @morgenstern

            @morgenstern
            You wrote above, you redirect it from WAN to the host LAN address. So I'm wondering what the redirect target address is. Another WAN IP?

              SteveITS @morgenstern

              @morgenstern If the client is not running a web server you can just allow port 443 to WAN Address from your management IP directly and not use NAT. For clients who do/did have a web/Exchange server we do use NAT but then use a different port like 50443 redirecting to the LAN IP:443.

              Is there any chance the ISP is blocking port 443? Or maybe, is the WAN IP behind the ISP router's NAT (set it as the ISP router DMZ) or CGNAT where the request isn't being passed in?

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                morgenstern @viragomann

                @viragomann It's the LAN address of the same unit

                  morgenstern @SteveITS

                  @steveits There won't be any other services running from behind that unit for a while. The reason I wanted to set it up this way was that I wanted to access it remotely rather than having to be plugged directly into it.

                  It's connected to a brand new business leased line from an ISP I have not used before. A UK company operating on the OpenReach network. Do you reckon they may actually be doing some firewalling on their end?

                    viragomann @morgenstern

                    @morgenstern
                    So what is the sense of forwarding it? That doesn't make it any more secure.
                    Simply allow access to the WAN from the certain source IPs.

                      morgenstern @viragomann

                      @viragomann I originally copied that approach from a contractor that had set it up that way for us a few years back. I never thought to try and simplify it when it worked... :)

                        SteveITS @morgenstern

                        @morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.


                          morgenstern

                          [screenshot attachment]

                          Deleted the NAT rule and just added this WAN rule instead but no joy

                            morgenstern @SteveITS

                            @steveits said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:

                            @morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.

                            I guess I may have to speak to them. How would I establish whether it's this CGNAT? Is it a common thing nowadays?

                              morgenstern

                              It's a /29 network by the way

                                viragomann @morgenstern

                                @morgenstern
                                https://en.wikipedia.org/wiki/Carrier-grade_NAT

                                https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

                                  morgenstern @viragomann

                                  @viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:

                                  @morgenstern
                                  https://en.wikipedia.org/wiki/Carrier-grade_NAT

                                  https://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses

                                  Ah yeah, I see what you mean:

                                  In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.

                                  The public IP I got isn't in that range.

                                    viragomann @morgenstern

                                    @morgenstern

                                    In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.

                                    The public IP I got isn't in that range.

                                    And also not an RFC 1918 address?

                                    So check if the packets even arrive on your WAN. You can use Diagnostic > Packet Capture to investigate.

                                    Do you have any other inbound connections?

                                      morgenstern @viragomann

                                      @viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:

                                      RFC 1918

                                      Nope. It's 188.x.x.x/29

                                        morgenstern

                                        Okay, I got it!

                                        So my simplified rule was too complex! 🙄

                                        The source has to be any port from the trusted IP list to HTTPS port on the destination wan IP!

                                          SteveITS @morgenstern

                                          @morgenstern said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:

                                          any

                                          Ah yes the source port is normally random. Easy to read over in a screenshot.


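Two checks from this thread, written up as an added Python example (not code from the forum or from pfSense): the CGNAT / RFC 1918 test SteveITS and viragomann suggested for the WAN address, and a minimal model of the WAN rule showing why pinning the source port to 443 fails while source port "any" matches an admin's HTTPS connection. The trusted alias, WAN address and packet values are constructed from documentation ranges.

```python
import ipaddress

# Ranges that mean the address on the WAN interface is not directly reachable
# from the internet: RFC 1918 private space and the RFC 6598 shared space
# (100.64.0.0/10) that ISPs use for carrier-grade NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def classify_wan_address(wan_ip):
    """Return 'cgnat', 'rfc1918' or 'public' for the address seen on the WAN interface."""
    addr = ipaddress.ip_address(wan_ip)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "rfc1918"
    return "public"


def rule_matches(rule, pkt):
    """Minimal model of a stateful 'pass in on WAN' rule: every field must
    match the inbound packet; the string 'any' is a wildcard for a port."""
    def port_ok(wanted, actual):
        return wanted == "any" or int(wanted) == int(actual)
    return (rule["proto"] == pkt["proto"]
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src_net"])
            and port_ok(rule["src_port"], pkt["src_port"])
            and ipaddress.ip_address(pkt["dst"]) == ipaddress.ip_address(rule["dst"])
            and port_ok(rule["dst_port"], pkt["dst_port"]))


# Constructed addresses (documentation ranges, not the ones from the thread).
TRUSTED_NET = "203.0.113.0/29"   # the "trusted public IPs" alias
WAN_IP = "198.51.100.10"         # the firewall's WAN address

# The rule that failed: source port pinned to 443 as well as the destination port.
BAD_RULE = dict(proto="tcp", src_net=TRUSTED_NET, src_port=443, dst=WAN_IP, dst_port=443)
# The working rule: source port 'any', destination WAN address port 443.
GOOD_RULE = dict(proto="tcp", src_net=TRUSTED_NET, src_port="any", dst=WAN_IP, dst_port=443)

# A browser picks a random ephemeral source port, so an admin's HTTPS request looks like this.
ADMIN_HTTPS = dict(proto="tcp", src="203.0.113.5", src_port=51234, dst=WAN_IP, dst_port=443)
# The same request from an address outside the trusted alias must still be dropped.
STRANGER_HTTPS = dict(proto="tcp", src="192.0.2.7", src_port=51234, dst=WAN_IP, dst_port=443)

if __name__ == "__main__":
    print("WAN address class:", classify_wan_address(WAN_IP))
    print("bad rule matches admin:", rule_matches(BAD_RULE, ADMIN_HTTPS))
    print("good rule matches admin:", rule_matches(GOOD_RULE, ADMIN_HTTPS))
    print("good rule matches stranger:", rule_matches(GOOD_RULE, STRANGER_HTTPS))
```

If the WAN interface shows a 100.64.0.0/10 or RFC 1918 address while a "what is my IP" service reports something else, the line is behind the ISP's NAT and no inbound rule on the firewall can fix that.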
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.