Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule
-
@morgenstern
So what is the sense of forwarding it? That doesn't it even more secure.
Simply allow access to the WAN from the certain source IPs. -
@viragomann I originally copied that approach from a contractor that had set it up that way for us a few years back. I never thought to try and simplify it when it worked... :)
-
@morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.
To upgrade, select your branch in System/Update/Update Settings. When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
Only install packages for your version of pfSense.
Upvote ๐ helpful posts! -
Deleted the NAT rule and just added this WAN rule instead but no joy
-
@steveits said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
@morgenstern If it's a consumer grade account I could definitely see them blocking server connections. If it's CGNAT (100.64.0.0/10 subnet) like Starlink uses for IPv4 then it isn't going to work for any inbound connection...try IPv6 if they provide that.
I guess I may have to speak to them. How would I establish whether it's this CGNAT? Is it a common thing nowadays?
-
It's a /29 network by the way
-
-
@viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
@morgenstern
https://en.wikipedia.org/wiki/Carrier-grade_NAThttps://en.wikipedia.org/wiki/Private_network#Private_IPv4_addresses
Ah yeah, I see what you mean:
In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.
The public IP I got isn't in that range.
-
In April 2012, IANA allocated the block 100.64.0.0/10 (100.64.0.0 to 100.127.255.255, netmask 255.192.0.0) for use in carrier-grade NAT scenarios.
The public IP I got isn't in that range.
And also not a RFC 1918?
So check if the packets even arrive on your WAN. You can use Diagnostic > Packet Capture to investigate.
Do you have any other inbound connections?
-
@viragomann said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
RFC 1918
Nope. It's 188.x.x.x/29
-
Okay, I got it!
So my simplified rule was too complex!
The source has to be any port from the trusted IP list to HTTPS port on the destination wan IP!
-
@morgenstern said in Cannot access Netgate 6100 over the WAN IP via my usual management NAT rule:
any
Ah yes the source port is normally random. Easy to read over in a screenshot.
