Port forwarding on Multi WAN
-
Hello everyone! Newbie here.
I'm using the most recent version of pfSense Community and I have 2 WAN interfaces working together as a Gateway group, be it failover or load balancing. I'm trying to test port forwarding and even a simpler thing like accessing the GUI via both WANs, but even though there is no difference between NAT and Firewall rules for each, I can't access any port forwarding or the GUI via the WAN that isn't the default one.
I am aware of the issues for not using more safe measures like VPN, but I'm still trying to understand the basics here. How can I organize NAT/Firewall stuff in non default WAN interfaces? Any help is appreciated!
Note: I can access the GUI via non default WAN if I'm connected to pfSense via LAN, but I'm trying to do it via local network, not exactly connected to the device.
-
@zer0vini So WAN2 is a local/internal network and WAN1 is a public IP? I'm wondering about the routing between where you're testing from and the WAN2 IP. Can you traceroute from your device to the WAN2 IP? (need to allow ICMP for that)
-
@SteveITS WAN 2 is an internal network derived from WAN 1's modem. So it's working like this:
Modem --------------> WAN 1 ---> pfSense ---> LAN
'---------> Router ---> WAN 2 ---------^
Do I have to use 2 modems with different internet providers in order for this to work?
-
@zer0vini Specific IPs might help...but it could be an asymmetric routing issue if the response goes out the other WAN.
https://docs.netgate.com/pfsense/en/latest/troubleshooting/asymmetric-routing.html
In a vacuum I'd expect a port forward on either to just work, though I can't say I've actually set it up.
Are you testing from the WAN2 subnet? If not try that, if you can.
-
@zer0vini
If there is a router in front of pfSense you have to forward inbound traffic on it.
-
@SteveITS I'm actually using a specific IP for WAN 2, since WAN 1 is defined as 192.168.0.X and WAN 2 as 192.168.1.X. The load balancing and failover stuff is working as intended, I just cannot state any firewall rules or NAT rules for port forwarding on WAN 2. I don't know if it's because of load balancing/failover issues, but I doubt it, since I've tested these functionalities and it seems to be working fine.
-
@viragomann said in Port forwarding on Multi WAN:
@zer0vini
If there is a router in front of pfSense you have to forward inbound traffic on it.
Even though I've been using a subnet, I have to forward traffic from modem to router? How should I do this?
-
@zer0vini said in Port forwarding on Multi WAN:
WAN 2 as 192.168.1.X
Whatever is in front of WAN2 needs to forward your port from the public IP to the WAN2 IP. Do you have one or two public IPs? Hopefully two because you can't forward the same port twice.
If you connect a laptop as say 192.168.1.55 then I'd expect the pfSense port forward to work...
-
@zer0vini said in Port forwarding on Multi WAN:
Even though I've been using a subnet, I have to forward traffic from modem to router? How should I do this?
This depends on the particular router.
A router doesn't forward inbound traffic on its own, so you have to enable it. It has to forward inbound traffic to the pfSense WAN2 address.
Some routers have functions called something like "exposed host" or "DMZ" for this, where you can state the WAN2 IP.
-
@SteveITS It seems that when I try to make this access with my computer connected to WAN 1, all services for WAN 1 work, be it GUI access or remote access, but not WAN 2. If I connect to WAN 2, all WAN 2 rules apply, but not WAN 1.
Now I have to find a way to indeed access the 192.168.1.X network from 192.168.0.X. So I really should go for the inbound traffic configs just how @viragomann said, I suppose.
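-
The forwarding chain discussed in this thread, modelled as an added example (not posted by any participant and not pfSense code): a packet from the 192.168.0.X side only reaches a host behind WAN 2 if both the upstream router and pfSense have a matching inbound rule. The host addresses, port 8443 and the LAN server are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# All addresses and ports below are constructed for illustration.
ROUTER_WAN = "192.168.0.2"       # router's address on the modem/WAN 1 subnet
PFSENSE_WAN2 = "192.168.1.2"     # pfSense WAN 2 address behind the router
LAN_SERVER = ("10.0.0.10", 443)  # hypothetical host on the pfSense LAN

@dataclass
class NatDevice:
    name: str
    wan_ip: str
    forwards: dict = field(default_factory=dict)  # WAN port -> (inside IP, port)
    exposed_host: Optional[str] = None            # "exposed host"/"DMZ" target

    def inbound(self, dst_ip, dst_port):
        """Return the translated destination, or None if the packet is dropped."""
        if dst_ip != self.wan_ip:
            return None  # not addressed to this device's WAN side
        if dst_port in self.forwards:
            return self.forwards[dst_port]
        if self.exposed_host:
            return (self.exposed_host, dst_port)
        return None      # no rule: unsolicited inbound traffic is not forwarded

def trace(chain, dst_ip, dst_port):
    """Walk a packet through the NAT devices in order; return (log, final dest)."""
    log = []
    for dev in chain:
        nxt = dev.inbound(dst_ip, dst_port)
        if nxt is None:
            log.append(f"{dev.name}: drop {dst_ip}:{dst_port}")
            return log, None
        log.append(f"{dev.name}: {dst_ip}:{dst_port} -> {nxt[0]}:{nxt[1]}")
        dst_ip, dst_port = nxt
    return log, (dst_ip, dst_port)

def build_chain(router_mode):
    """router_mode: 'none', 'forward' (single port) or 'exposed' (all ports)."""
    router = NatDevice("router", ROUTER_WAN)
    if router_mode == "forward":
        router.forwards[8443] = (PFSENSE_WAN2, 8443)
    elif router_mode == "exposed":
        router.exposed_host = PFSENSE_WAN2
    pfsense = NatDevice("pfSense WAN2", PFSENSE_WAN2, {8443: LAN_SERVER})
    return [router, pfsense]

if __name__ == "__main__":
    for mode in ("none", "forward", "exposed"):
        print(mode, *trace(build_chain(mode), ROUTER_WAN, 8443), sep="\n  ")
```

In the 'exposed' mode the router hands every unsolicited port to pfSense, so the pfSense WAN 2 rules become the only inbound filter on that path; a single-port forward keeps the exposure limited to the service being tested.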