Netgate Discussion Forum

    unable to get firewall to route traffic

    52 Posts 5 Posters 4.2k Views
zari90

I've set up Firewall Rules and NAT, but the traffic doesn't seem to route correctly from outside the network. Internally I can resolve the DNS, but not from outside the network: when I run cmd and do an nslookup it's pointing to the correct WAN but not able to get out. I added an entry into Cloudflare DNS, and when doing nslookup it's pointing to Cloudflare but still getting a 522 error.
      Platform: Netgate 2100

johnpoz LAYER 8 Global Moderator @zari90

@zari90 this is really out of the box work - you don't have to configure any firewall rules or NAT. The default is to auto-NAT your LAN side networks to your WAN IP, and the LAN would have an any rule out of the box.

You're going to need to give some more details of your setup to figure out what is going on.

Does pfsense show an active WAN connection? Your pfsense WAN is not the same as your LAN network, is it? i.e., is pfsense behind another NAT router?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

zari90

I'm using this guide, but there seems to be a lot that isn't explained, so I'm trying to understand what goes where etc.: https://docs.kois.cc/networking/pfsense/firewall/port-forward/ Below is what I'm getting if I do an nslookup from outside the network: I can see the WAN IP, it just doesn't resolve.

zari90 @johnpoz

            @johnpoz cmd.PNG

zari90 @zari90

              port forward.PNG rules.PNG

johnpoz LAYER 8 Global Moderator @zari90

@zari90 so you're trying to get a port forward to work? Or you're trying to set up a reverse proxy? When you say error 522?

You're trying to set up some sort of tunnel with Cloudflare?

Not sure what you're trying to show with your nslookups - for starters, who is 192.168.98.72? If that is DNS running on pfsense, it should be able to resolve its own name. If it's some other nameserver, it should resolve its own name. That it doesn't shows something wrong with it.

                nslookup
                Server:  sg4860.home.arpa
                Address:  192.168.9.253
                

Not sure what interfaces you're showing me for those rules. And your port forwards - if you can redirect DoT, the client you're using for DoT is not sane, because you're not handing him a cert for where he is doing the DoT query, and if he can not validate that you're the DoT server he wants to talk to, that throws away a major portion of the point of DoT and DoH: validating who you're asking for DNS.

And those ports 31400 and 31401 - when would the destination ever be your LAN subnets hitting your WAN?? And if they were, why would you forward them to the pfsense LAN interface???

                Not sure what rules those last ones are on - but none of them make much sense..

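The two objections in the post above (a WAN port forward whose destination is the LAN subnet, and a forward whose target is the firewall's own LAN interface), plus the DoT point, written out as a rule sanity check. This is an added example, not pfSense code: the addresses, the rule dict layout and the sample rules are constructed, not taken from the screenshots.

```python
import ipaddress

# Constructed addressing for the firewall (assumed values, not the thread's).
WAN_IP = ipaddress.ip_address("203.0.113.10")
LAN_IF_IP = ipaddress.ip_address("192.168.1.1")
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
DOT_PORT = 853  # DNS over TLS: the client validates the resolver's certificate


def lint_port_forward(rule):
    """Findings for one inbound port forward; an empty list means the rule is sane."""
    findings = []
    if rule["interface"].lower() != "wan":
        findings.append("not bound to WAN: inbound Internet traffic never matches it")

    # Destination is what the packet is addressed to on arrival: the WAN IP,
    # never a LAN subnet (the mistake behind the 31400/31401 rules above).
    if rule["destination"] != "wanip":
        dest = ipaddress.ip_network(rule["destination"], strict=False)
        if dest.subnet_of(LAN_NET):
            findings.append("destination is the LAN subnet: packets arriving on WAN are addressed to the WAN IP, so this never matches")
        elif WAN_IP not in dest:
            findings.append("destination does not include the WAN IP")

    # Target must be the LAN host running the service, not pfSense itself.
    target = ipaddress.ip_address(rule["target"])
    if target == LAN_IF_IP:
        findings.append("target is the firewall's own LAN interface, not the service host")
    elif target not in LAN_NET:
        findings.append("target is outside the LAN: the firewall cannot deliver to it")

    if rule["dst_port"] == DOT_PORT:
        findings.append("redirecting DoT (853) is pointless: clients reject a certificate that is not for their configured resolver")
    return findings


def lint_all(rules):
    """Map each rule name to its findings."""
    return {r["name"]: lint_port_forward(r) for r in rules}


# Constructed sample rules modelled on the thread: one sane forward, one with
# both mistakes called out above, and a DoT redirect.
SAMPLE_RULES = [
    {"name": "pi-node-31400", "interface": "wan", "destination": "wanip",
     "dst_port": 31400, "target": "192.168.1.50"},
    {"name": "pi-node-31401", "interface": "wan", "destination": "192.168.1.0/24",
     "dst_port": 31401, "target": "192.168.1.1"},
    {"name": "dot-redirect", "interface": "wan", "destination": "wanip",
     "dst_port": 853, "target": "192.168.1.1"},
]
```

Running `lint_all(SAMPLE_RULES)` reports nothing for the first rule and two findings each for the other two.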

zari90 @johnpoz

                  @johnpoz
Okay, so I'll explain my setup. I have TrueNAS, which has containers, nginx being one of them, handling SSL, which works fine locally. The next part is I added rules to allow traffic to pass through the firewall to reach the containers from outside the network. The problem is, as in cmd, the 192 IP shows unknown because I'm hotspotting my phone and connecting the laptop to test the connection. I'm able to see the WAN IP when doing an nslookup from outside the network, it's just not going to the site. Not sure what I really need to do to fix it, but I'm stuck. Any help is appreciated.

zari90 @johnpoz

                    @johnpoz
I tried to use Cloudflare like I did with my D-Link router previously. Thought it might be that, but it doesn't seem to be it; it's definitely a setting on the router side. Not sure if that makes any sense.

Bob.Dig LAYER 8 @zari90

                      @zari90 said in unable to get firewall to route traffic:

                      any help is appreciated

                      Your last screenshot screams "I don't know how to create rules on pfSense". So it doesn't make sense to tackle any advanced topics at this stage. Make a network diagram of your entire network and don't hide private IPs and descriptions.

zari90 @Bob.Dig

                        @Bob-Dig 70da9e86-9081-4dd6-9125-8e61027a081f-image.png
I don't know much about pfSense, correct; what I know is dangerous and I really need help. Hoping this diagram helps. The nodes are ports that I need open to pass network traffic through to the pi application sitting on Windows 10, which is port 31400, 31401 etc. I've watched a lot of YouTube, but everything I watch doesn't really help.

Gertjan @zari90

                          @zari90

                          Applying the "Keep It Simple" rules :

                          This :
                          7a7282d1-c52c-4df4-be98-3c04ae3d7156-image.png

                          can be replaced by a straight cable.

                          This :

                          d0cfaa6f-eec1-4a67-be99-756abe99ab78-image.png

                          your TrueNAS is a 4 port switch also ?

                          Here :

                          395d426b-9e77-47e1-ab97-ef1e8b674cf7-image.png

                          A windows PC with dual NIC ?

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

zari90 @Gertjan

@Gertjan no, it's a dual NIC server and the pi-nodes are single NIC. Just trying to get the 2 applications to point to the external WAN IP in the simplest way possible.

Gertjan @zari90

                              @zari90 said in unable to get firewall to route traffic:

                              get the 2 applications to point to the external wan IP in the simplest way possible

                              Applications on devices on the LAN that need to use the WAN IP ? => ??? Why ?

                              @zari90 said in unable to get firewall to route traffic:

                              no its dual nic server a

                              Who is a dual NIC ? The NAS ? Is it routing then ? or are the two NICs of the NAS set up so both behave like a switch ? Strange ...


zari90 @Gertjan

@Gertjan so I'm trying to point Jellyfin to the WAN so that I can access it externally. The NAS server has dual NICs, not the Windows 10 machines. So when I visit jellyfin.example.com it redirects to the server where the docker container resides. For the Windows 10 machines I'm just trying to do port forwards with ports 31400, 31401.

Bob.Dig LAYER 8 @zari90

                                  @zari90 Your network diagram isn't that good. Anyways, you have only one LAN on pfSense? And please remove all of the NAT rules (port forwards) other than the first two.
                                  Show them again and NAT Outbound.

zari90 @Bob.Dig

                                    @Bob-Dig
Apologies for the poor diagram. I have one LAN currently, yes: 5b815cc7-0fb2-4ed9-9f2a-34e41245325a-image.png a066c720-f550-497f-8661-4fb7f5031f81-image.png

Gertjan @zari90

                                      @zari90 said in unable to get firewall to route traffic:

                                      so i'm trying to point jellyfin to the wan

Ah, ok, yeah, get it, but that's pretty broken behavior.
WAN reflection is .... burk.
It's like calling your own phone number and wondering why the guy doesn't answer ... something like that.

                                      The clean and better way to do things :
                                      Use the LAN IP.
                                      You want to use host names ? That's ok.

                                      Go here and note down the domain name - or ask the admin :

                                      26a504cd-8ee0-4ad3-89e3-4e76f00eae72-image.png

                                      With this knowledge, create a host override here :

                                      d2055b77-3499-4852-bf19-cfc60a9d27cb-image.png

                                      and from now on you can use

                                      a_yellifin.your-pfsense-domain-name.tld
                                      

                                      from everywhere on your local networks instead of the IPv4.

                                      edit :
                                      and oh sh#t again :
                                      This :

                                      18650bda-5a32-4a10-b271-ed4486a35226-image.png

means your laptop (no network given!) is not on the LAN? Another pfSense LAN?


Bob.Dig LAYER 8 @zari90

                                        @zari90 Good. You can't redirect DNS over TLS (DoT) so this can be removed too.

You haven't shown your LAN rules, right? It is probably a mess too. Reset the LAN rules to the two default allow-any rules. And then we go step by step: you start with an easy task you decide on and we will guide you. ;)

zari90 @Gertjan

                                          @Gertjan
pfsense is already in the DNS resolver, as well as the other IPs. It works internally, just not externally, so it's like someone calls example.com but gets voicemail. The laptop is on DHCP on the same network: dc01688f-1757-4169-b8ad-3b261960246e-image.png

zari90 @Bob.Dig

                                            @Bob-Dig
These are the current LAN rules:
                                            9dd75e3d-0445-4daf-8961-80bf47688ed3-image.png

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.