unable to get firewall to route traffic
-
I've setup Firewall Rules and NAT but the traffic doesn't seem to route correctly when outside the network, internally I can resolve the dns but not outside the network when I run cmd and do an nslookup its pointing the the correct WAN but not able to get out, added an entry into cloudflare dns and when doing nslookup its pointing to cloudflare but still getting a 522 error
Platform: Netgate 2100 -
@zari90 this is really out of the box work - you don't have to configure any firewall rules or nat.. The default is auto nat your lan side networks to your wan IP. and the lan would have an any rule out of the box.
Your going to need to give some more details of your setup to figure out what is going on.
Does pfsense show an active wan connection? Your pfsense wan is not the same as your lan network is it? ie is pfsense behind another nat router?
-
I'm using this guide but there seem to be a lot that isn't explained so trying to understand what goes where etc https://docs.kois.cc/networking/pfsense/firewall/port-forward/ but below is what I'm getting if I do a nslookup from outside the network I can see the wan IP just doesn't resolve
-
-
-
@zari90 so your trying to get a port forward to work? Or your trying to setup a reverse proxy? When you say error 522?
You trying to setup some sort of tunnel with cloudflare?
Not sure what your trying to show with your nslookups - for starters, who is 192.168.98.72 - if that is dns running on pfsense, it should be able to resolve its own name.. If its some other nameserver - it should resolve its own name. That it doesn't shows something wrong with it.
nslookup Server: sg4860.home.arpa Address: 192.168.9.253not sure what interfaces your showing me for those rules.. And your port forwards - if you can redirect dot, your client your using for dot is not sane - because your not handing him a cert for where he is doing the dot query, and if can not validate your the dot server that I want to talk to - throws major portion of point of dot and doh, validating who your asking for dns.
And those ports 31400 and 31401 - when would destination ever bee your lan subnets hitting your wan?? And if they were why would you forward them to pfsense lan interface???
Not sure what rules those last ones are on - but none of them make much sense..
-
@johnpoz
Okay so I'll explain my setup i have truenas that has containers nginx being one handling ssl which works fine locally, then next part is i added rules to allow traffic to pass through the firewall to reach the containers from outside the network, the problem is as in cmd the 192 ip showing unknown being I'm hotspotting my phone and connecting the laptop to test connection I'm able to see the wan ip when doing an nslookup from outside the network it's just not going to the site not sure what I really need to do to fix it but I'm stuck any help is appreciated -
@johnpoz
I tried to use cloudflare like I did with my dlink router previously thought it might be that but doesn't seem to be it, it's definitely a setting on the router side not sure if that makes any sense -
@zari90 said in unable to get firewall to route traffic:
any help is appreciated
Your last screenshot screams "I don't know how to create rules on pfSense". So it doesn't make sense to tackle any advanced topics at this stage. Make a network diagram of your entire network and don't hide private IPs and descriptions.
-
@Bob-Dig
don't know much about pfSense correct what I know is dangerous and really need help hoping this diagram helps, the nodes are ports that I need open to pass network traffic through to the pi application sitting on windows 10 which is port 31400, 31401 etc, watched a lot of youtube but everything I watch doesn't really help -
Applying the "Keep It Simple" rules :
This :
can be replaced by a straight cable.
This :
your TrueNAS is a 4 port switch also ?
Here :
A windows PC with dual NIC ?
-
@Gertjan no its dual nic server and the pi-nodes are single nic just trying to get the 2 applications to point to the external wan IP in the simplest way possible
-
@zari90 said in unable to get firewall to route traffic:
get the 2 applications to point to the external wan IP in the simplest way possible
Applications on devices on the LAN that need to use the WAN IP ? => ??? Why ?
@zari90 said in unable to get firewall to route traffic:
no its dual nic server a
Who is a dual NIC ? The NAS ? Is it routing then ? or are the two NICs of the NAS set up so both behave like a switch ? Strange ...
-
@Gertjan so i'm trying to point jellyfin to the wan so that I can access it externally the NAS server has dual nic's not the windows 10 machines. so when I visit jellyfin.example.com it redirects to the server where the docker container resides, the windows 10 machines I'm just trying to do port forward with ports 31400, 31401
-
@zari90 Your network diagram isn't that good. Anyways, you have only one LAN on pfSense? And please remove all of the NAT rules (port forwards) other than the first two.
Show them again and NAT Outbound. -
@Bob-Dig
Apologies for the poor diagram I have one LAN currently yes
-
@zari90 said in unable to get firewall to route traffic:
so i'm trying to point jellyfin to the wan
Ah, ok, yeah, get it, but that's pretty broken behavior.
WAN refection is .... burk.
It's like calling your own phone number and wondering why the guy doesn't asnwer ... something like that.The clean and better way to do things :
Use the LAN IP.
You want to use host names ? That's ok.Go here and note down the domain name - or ask the admin :
With this knowledge, create a host override here :
and from now on you can use
a_yellifin.your-pfsense-domain-name.tldfrom everywhere on your local networks instead of the IPv4.
edit :
and oh sh#t again :
This :
means you Laptop (no network given !) is not on the LAN ? Another pfSense LAN ?
-
@zari90 Good. You can't redirect DNS over TLS (DoT) so this can be removed too.
You haven't showed your LAN rules right? It is probably a mess too. Reset the LAN rules to the two default allow any rules. And then we go step by step, you start with an easy task you decide and we will guide you. ;)
-
@Gertjan
pfsense already in dns resolver as well as the other IPs it works internally just not externally, so its like someone call example.com but getting voicemail. the laptop is on dhcp on the same network
-
@Bob-Dig
This is the current LAN rules
