Netgate Discussion Forum
    Issue to manage pfsense from internet

    19 Posts 3 Posters 1.2k Views
    • R
      rjcab

      Hello,

      here below my network:

      3.jpg

      The address 192.168.10.253 (WAN PFSENSE) is in DMZ

      2.jpg

      1.jpg

      From the internet, when I type https://FAI-IP:4443, I get no page.

      Still a stupid issue, I think ...

      thanks in advance

      • Y
        YannTKO @rjcab

        @rjcab
        In the WAN interface, you have to uncheck "Block private networks and loopback addresses" and "Block bogon networks" (the 2nd one is not mandatory).

        Netgate SG-3100 23.09.1
        Unifi UAP: 1x FlexHD + 2x nanoHD + 1x AC-IW | Unifi USW: 1x16-PoE Gen2 + 4x US-8-60W | Cloudkey Gen2 Plus
        1 x NUC8i7BEH 32Go - ESXI 8 (Pfsense + many VM)

        • R
          rjcab @YannTKO

          @YannTKO, many thanks.

          • GertjanG
            Gertjan @rjcab

            @rjcab

            Before it becomes a huge issue : LAN resources using http, https and msrdp shouldn't be made accessible like that. It might work, but not for long, things will go pretty bad as soon as 'they' find you.

            Consider setting up a VPN server on pfSense.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • R
              rjcab @Gertjan

              @Gertjan you are right. It is just temporary.

              But I am still facing an issue when I try to NAT to servers behind pfSense:

              here below NAT & Rules:

              1.jpg

              2.jpg

              in the logs:

              3.jpg

              For example, it passes for 192.168.1.252:8006, but when I go to the web browser from WAN it doesn't work, although it works within LAN.

              Again maybe my stupid error ...

              • GertjanG
                Gertjan @rjcab

                @rjcab

                This is 'strange' :

                357dac17-64f0-4833-a21b-367d43c40915-image.png

                Replace the destination "192.168.1.1" with "any" or "This firewall (self)".
                Normally, there can't be any traffic coming into WAN with destination IP "192.168.1.1"; after all, 192.168.1.1 can't be routed over the internet. So it cannot originate from the Internet either.
                This isn't, and shouldn't be, a NAT rule either.
                Traffic that comes from the Internet (and enters the WAN) has arrived at its destination. No port or address translating is needed == so no NAT.

                Example :

                Instead of hitting port 443, TCP == a web server == the pfSense default https GUI, I use this to hit port 1194, UDP, the pfSense OpenVPN server :

                e15e0bc8-82d1-416c-a42d-b4212002373b-image.png

                Your second, 'NAT pve' rule seems to work.

                For your third rule you need to talk to the administrator of the 192.168.1.220.
                You should know that a Microsoft device that accepts RDP only accepts connections from its own LAN, normally 192.168.1.0/24, and nobody else (Microsoft really wants the user to be safe ^^).
                So you have to set up the RDP access on that 192.168.1.220 device so that it accepts connections from 'everybody'.

                To see if it works : Packet capturing to the rescue :

                bbf6d9be-5edf-41f9-90ea-1f075b2302ab-image.png

                and hit start.

                Now, go to your neighbor, use his connection.
                Or use your phone with the Wifi switched to Off !
                Do not use your local network resources ( !!!!!!!!!!!! )

                Connect to your WAN IP :

                5e009a63-0b05-4d21-b88a-2aacf4b21c7f-image.png

                where 1.2.3.4 is your WAN IP.

                Always start the easy way : use an IP.
                Later on, you can use a DDNS type host name that always points to your WAN IP.

                And note this somewhere :
                Do not (try to) use your WAN IP while being connected on your LAN.
                If you are on your LAN, use 192.168.1.220 as an IP, or create a host override for it in the resolver like
                server.hoe.arpa that points to 192.168.1.220.

                Rule 4 and 5 : created by 'Easyrule' ? NAT rules can't be created using Easy rule.


                • R
                  rjcab @Gertjan

                  @Gertjan said in Issue to manage pfsense from internet:

                  Your second, 'NAT pve' rule seems to work.

                  thanks for your time.

                  If I focus on 'NAT pve', I don't know how to investigate further to identify the cause.
                  For the RDP issue .220 I will check further on the server itself.

                  • GertjanG
                    Gertjan @rjcab

                    @rjcab said in Issue to manage pfsense from internet:

                    If I focus on 'NAT pve', I don't know how to investigate further to identify the cause.

                    You know where the traffic arrives : the WAN interface.
                    You should know what WAN IP you have : https://www.whatismyip.com/ : click and you'll know ^^
                    You know what destination port is used : 8006
                    You know what protocol is used : TCP.

                    Now you know enough to check if traffic arrives at the WAN gates :

                    bfa4aca9-51b0-43d6-b430-c99cbaa09fb0-image.png

                    Hit start, and go drink a coffee at your neighbor's place. Use their Internet access again, and visit the IP you've found as your WAN IPv4.
                    That's all there is.

                    If the Packet Capture starts to capture packets, you know traffic comes into the WAN interface.
                    Traffic you've emitted ? Easy to check also, as the source IPv4 should be the IP you used when you were at your neighbor's place.

                    If all this went well, you've proven a very important step : the traffic arrives at your pfSense. Everything else is a total waste of time if the traffic doesn't even arrive at your pfSense. This can happen if you are using an upstream ISP router : you have to NAT on that router also.
                    Your ISP could also block incoming connections ...
                    Or you use some sort of CGNATted IP (given to you by your ISP), so you can't access your pfSense whatever you try.


                    • Y
                      YannTKO

                      Or use tailscale to access to your LAN devices (easy to setup).


                      • R
                        rjcab @Gertjan

                        @Gertjan

                        so traffic goes to LAN Interface:

                        1.jpg

                        But how can I see if the IP of Proxmox (192.168.1.252) is reached ?

                        • GertjanG
                          Gertjan @rjcab

                          @rjcab

                          f5db0cd9-f505-41b2-92ea-8ffc645f4876-image.png

                          I don't know where this 192.168.10.253 comes from.


                          • R
                            rjcab @Gertjan

                            @Gertjan ,

                            here below, more clearly:

                            1.jpg

                            With my Lan 192.168.1.0/24 I have my proxmox server in 192.168.1.252

                            • GertjanG
                              Gertjan @rjcab

                              @rjcab

                              Ah, ok, more clear now.

                              What does this capture tell you

                              a2b1d3e4-7051-4034-b6c8-94f35b7ea9e5-image.png

                              ?


                              • R
                                rjcab @Gertjan

                                @Gertjan so traffic comes in:

                                1.jpg

                                So it seems no issue from the FW itself

                                When I do the same within my LAN (https://192.168.1.252:8006/), it works, but there are no packet captures from my laptop (192.168.1.220).

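The same LAN-side check can be done from the pfSense shell (Diagnostics > Command Prompt) instead of the GUI packet capture. The script below is an added example, not from this thread or from pfSense: it assumes a text capture saved with `tcpdump -ni <lan-if> host 192.168.1.252 and port 8006` and reports, per client, whether the forwarded SYN ever got a SYN-ACK back from the server. The two sample captures are constructed to mirror the thread: the LAN client is answered, the Internet client is not.

```shell
#!/bin/sh
# Added example, not from the thread: read a text capture taken on the pfSense
# LAN side (tcpdump -ni <lan-if> host 192.168.1.252 and port 8006) and report
# which clients SYNs to the forwarded port got a SYN-ACK back from the server.

# check_forward <capture-file> <server-ip> <port>
# Returns 0 only if every client that sent a SYN got a SYN-ACK from the server.
check_forward() {
    capture=$1; server=$2; port=$3
    awk -v srv="$server" -v prt="$port" '
        BEGIN { target = srv "." prt }
        # tcpdump -n lines look like: <ts> IP <src>.<port> > <dst>.<port>: Flags [S], ...
        $2 == "IP" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst); flags = $7
            if (flags == "[S]," && dst == target) { syn[src] = 1 }
            else if (flags == "[S.]," && src == target) { synack[dst] = 1 }
        }
        END {
            bad = 0
            for (c in syn) {
                if (c in synack) printf "%s: SYN-ACK seen, %s answers\n", c, srv
                else { printf "%s: SYN seen, no SYN-ACK from %s:%s\n", c, srv, prt; bad = 1 }
            }
            exit bad
        }' "$capture"
}

# Constructed sample captures: a LAN client that gets answered and an Internet
# client whose SYN arrives (the port forward works) but is never answered.
write_samples() {
    dir=${TMPDIR:-/tmp}/pf8006.$$
    mkdir -p "$dir"
    cat > "$dir/lan.txt" <<'EOF'
10:00:00.000100 IP 192.168.1.220.50100 > 192.168.1.252.8006: Flags [S], seq 1, win 64240, length 0
10:00:00.000300 IP 192.168.1.252.8006 > 192.168.1.220.50100: Flags [S.], seq 2, ack 2, win 65535, length 0
EOF
    cat > "$dir/wan.txt" <<'EOF'
10:00:05.000100 IP 203.0.113.10.51234 > 192.168.1.252.8006: Flags [S], seq 1, win 64240, length 0
10:00:06.000100 IP 203.0.113.10.51234 > 192.168.1.252.8006: Flags [S], seq 1, win 64240, length 0
EOF
    echo "$dir"
}

dir=$(write_samples)
for f in lan wan; do
    echo "== $f capture =="
    check_forward "$dir/$f.txt" 192.168.1.252 8006 || echo "-> pfSense delivered the SYN; look at the server and its own firewall, not the port forward"
done
```

A SYN with no SYN-ACK in the LAN-side capture means the port forward did its job and the server (or a host firewall on it) is the one dropping the connection.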
                                • GertjanG
                                  Gertjan @rjcab

                                  @rjcab

                                  Ok, looks like the traffic reaches 192.168.1.252 port 8006.

                                  Now, check this 192.168.1.252 port 8006 device if it accepts traffic from :

                                  ff4a76cf-2d3b-4e68-ae56-5fd786c12f62-image.png


                                  • R
                                    rjcab @Gertjan

                                    @Gertjan said in Issue to manage pfsense from internet:

                                    192.168.1.252 port 8006 device if it accepts traffic from

                                    sorry still new in pfsense but how can I check if it accepts ?

                                    • GertjanG
                                      Gertjan @rjcab

                                      @rjcab said in Issue to manage pfsense from internet:

                                      I have my proxmox server in 192.168.1.252

                                      Proxmox is not pfSense.
                                      Who admins this 192.168.1.252 ? Go ask why it doesn't accept traffic from

                                      dfbe1d90-3039-4359-8438-074861799440-image.png


                                      • R
                                        rjcab @Gertjan

                                        @Gertjan the Admin is myself :-)

                                        It accepts when I do it from LAN but not from WAN, whereas traffic seems to come in :-)

                                        • GertjanG
                                          Gertjan @rjcab

                                          @rjcab said in Issue to manage pfsense from internet:

                                          It accepts when I do it from LAN but not from WAN, whereas traffic seems to come in :-)

                                          And that's a pretty good default security setting.
                                          But you've decided to admin this device also from 'the internet'.

                                          I'm pretty sure the device has settings, so it's time to inform the device it should also accept connections from the Internet.
                                          Exactly like "MS RDP".


                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.