Can't access myself from WAN, but internet works
-
Hello, we had an internet outage a few days ago, and since then all my port forwards stopped working, and I can't get WAN GUI access anymore either.
I have my Netgate 1100 behind the provider-provided router in bridge mode with PPPoE, tried a couple of restarts and nothing. My NAT port forward:
Firewall rules:
I don't know what could be wrong. My DDNS shows the same IP as curl ifconfig.me, but DDNS also doesn't work anymore.
I think I used to be able to see my public address on the homepage of pfSense here under Interfaces, but it doesn't show anymore (hopefully I didn't make this up). I'm on 23.09.1-RELEASE.
I enabled ping on WAN and also https for admin panel, neither works.
When I ping my public IP or try to reach the GUI I get timed out. nmap <public ip> from phone data shows:
Host is up (0.047s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
554/tcp open  rtsp
Which doesn't even look like what I set up.
What could be the problem?
-
@Djkáťo There is no rule on WAN passing traffic to destination TCP 42421 10.100.110.234. (I'm assuming you don't really need TCP/UDP but only TCP.) I would just let the port forward maintain the rule for you until you know how it works. See the bottom of the port forward configuration.
See filter rule association here: https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html
-
@Djkáťo You will also need to be sure whatever is upstream of you is passing unsolicited traffic in to the pfSense WAN interface.
-
@Derelict I followed the guide you linked, I had that rule before and in the screenshot I changed the filter rule to "Pass" to see if that was the issue. I recreated it and still am fully inaccessible from the outside.
@Derelict said in Can't access myself from WAN, but internet works:
@Djkáťo You will also need to be sure whatever is upstream of you is passing unsolicited traffic in to the pfSense WAN interface.
As for this part, the only thing above my pfSense router is the PPPoE bridge-mode modem. I don't think it adds any traffic rules? Not sure how I could check remotely from my router, as it has its own network/DHCP/subnet or whatever that would be called.
And if you meant inwards, I know my target server has those ports open. This must be a more general WAN issue tho, cause as you saw I allowed pings but they don't work.
-
@Djkáťo The list of things to look at are here:
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
The counters on that rule are 0/0. That indicates that, at the time that screen shot was taken, WAN had not received any traffic to forward. It's not going to forward traffic it never receives.
See if the upstream device has what is commonly and erroneously called a "DMZ" and have it send all unsolicited traffic at the pfSense address.
This is described here: https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html#pfsense-software-is-not-the-border-edge-router
-
@Derelict As I said, my modem is in Bridge mode, which means that it should just pass all traffic to the pfsense no? Also the firewall is disabled on it, so regardless it shouldn't be doing anything to packets I think.
Also I said it worked fine a week ago, with no change to settings. But then the Fire Nation attacked (internet went down).
-
@Djkáťo No. Since your WAN has an RFC1918 address, something must be doing NAT and forwarding the traffic to it.
In a real "Bridge Mode" it should be passing the public IP address to the pfSense WAN interface.
-
Compare your rules 1, 3 and 4.
At a glance, something is off, right? Knowing that your WAN port is a non-RFC1918 address, you could use your WAN address from anywhere on the internet to:
Rule 1) Connect to port 80 or 443 (TCP): this traffic will enter the WAN interface and hit the pfSense GUI [something you should never allow, as it permits me and my unfriendly neighbor to remote admin your pfSense as soon as we figure out your password ^^]
Rule 3) Connect using port 1194, UDP, to the pfSense OpenVPN server -> Way better already!!
Rule 4) ...... logical crash here: 10.100.110.234 is RFC1918 and can't be routed over the internet.
So, this IP can't be used to connect to your pfSense.
You should use, see rules 1 and 3, a "WAN Address" (a placeholder for your actual WAN address). Btw: You still have something non-standard here.
Normally, you create a NAT rule that will create also a linked WAN firewall rule.
I had to look up what this means: You should see this:
Which means a corresponding WAN firewall rule is also created to let the intended traffic come in.
-
Thanks for y'all's input; while looking in my modem settings I changed my password to something that includes á and ť, and when I clicked save it said "Characters at [num] not allowed" and then said it saved and logged me out of the modem. No passwords work now, so I locked myself out of it...
I will have to redo that whole thing again then, so I'll see if I can disable NAT and use proper bridge mode during the weekend.
-
@Derelict I got a new modem (TP-Link Archer VR300) cuz my old one was 24 years old, and set it up to bridge mode with the quick wizard. After factory resetting my pfSense router, I set my WAN to use PPPoE, and my internet works again. But now I again have a private address showing as my WAN IP.
Did I set up bridge incorrectly again, or could this be a provider issue somehow (we have VDSL)?
The TP-Link modem uses a 192.168.xx scheme for accessing the GUI, so I've no clue why it's showing 10.101.xx on my WAN. I'm self-taught with networking, so sorry if this is a dumb question, but could the ISP have changed how they route traffic and somehow have houses be on a "local network", compared to before when I had the public IP showing directly on my WAN interface? Or is the different network scheme somehow decided by my pfSense?
Obviously public access and port forwarding to my network still doesn't work cuz WAN is somehow a local address, and I'm not sure how to continue forward. Maybe call the ISP and ask?
-
The one and only question that answers your question while answering me: do you have a working Internet connection?
If yes, then nearly all is fine, and you can stop looking, as you've already mentioned what your current situation is: it doesn't break your internet access if your WAN IP is RFC1918.
But you can probably forget about NATting so you can make internal (on the pfSense LANs) devices accessible from the Internet, as you have no access to the ISP equipment to do so. If your "TP-Link Archer VR300" is truly working as a modem, it's just converting POTS VDSL signals to "Ethernet" signals and it doesn't do routing, firewalling etc. It's not the "TP-Link Archer VR300" that has a WAN and a DHCP server that gives you the "10.101.37.22" pfSense WAN IP: this "10.101.37.22" comes from way up, somewhere from the ISP.
Why do they do so? There is the classic $$$ rule: they have no more free routable IPs left, as the IPv4 free available stock was sold out many years ago, and what's left has a huge price tag. It's been seen before; you want a real routable IPv4? You $$$ or €€€.
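The diagnosis the replies converge on (pfSense WAN holding an RFC1918 or carrier-grade NAT address, so inbound port forwards can never be reached) can be checked in one step. This is an added example, not code from the thread or from Netgate: it assumes you supply the pfSense WAN address (dashboard or ifconfig pppoe0) and the address seen from outside via curl ifconfig.me.

```shell
#!/bin/sh
# Added example: classify a pfSense WAN IPv4 as private/CGNAT vs. routable,
# and compare it with the address the Internet sees (e.g. from curl ifconfig.me).

# Return 0 when $1 is in RFC1918 (10/8, 172.16/12, 192.168/16) or
# RFC6598 carrier-grade NAT space (100.64/10); otherwise return 1.
is_private_ipv4() {
  ip=$1
  o1=${ip%%.*}; rest=${ip#*.}
  o2=${rest%%.*}
  case "$o1" in
    10)  return 0 ;;                                          # 10.0.0.0/8
    192) [ "$o2" -eq 168 ] && return 0 ;;                     # 192.168.0.0/16
    172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;  # 172.16.0.0/12
    100) [ "$o2" -ge 64 ] && [ "$o2" -le 127 ] && return 0 ;; # 100.64.0.0/10 (CGNAT)
  esac
  return 1
}

# Print one verdict word for WAN address $1 and externally observed address $2:
#   upstream-nat : pfSense is not the border router; WAN port forwards cannot
#                  receive unsolicited traffic until the upstream device passes it
#   ok           : pfSense holds the public address; look at WAN rules/counters next
#   mismatch     : public-looking WAN, but the Internet sees a different address
diagnose_wan() {
  wan=$1; external=$2
  if is_private_ipv4 "$wan"; then
    echo "upstream-nat"
  elif [ "$wan" = "$external" ]; then
    echo "ok"
  else
    echo "mismatch"
  fi
}

# Constructed sample values: the WAN address quoted in the thread and a
# documentation-range (203.0.113.0/24) address standing in for ifconfig.me output.
diagnose_wan 10.101.37.22 203.0.113.5
```

Run it as diagnose_wan "$(wan address)" "$(curl -s ifconfig.me)" on the pfSense shell; any verdict other than ok means the port-forward rule counters will stay at 0/0 no matter how the WAN rules are written.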