Dual Wan, Portforward not working on OPT-Wan



  • Hi, I still have problems getting Dual WAN and port forwarding on the OPT-WAN working.
    Normal WAN - PPPoE
    WAN2 - Static IP behind a bridge modem
    WAN3 - IP by DHCP
    First I did all the "Advanced Outbound NATs for the Connections" without having the modem on WAN connected. See the pictures for the outbound NAT information. Then I created the port forwards from the OPT-WAN interfaces to the clients. I rebooted to be sure and everything worked fine.

    Now I connect the DSL modem and try to establish the normal WAN connection.
    1. I can go out via normal WAN only if the connection is brought up at boot time.
    2. With the PPPoE connection the port forwards from the OPT-WANs are not working anymore. It is very strange because you can see in the attached log file that the packets pass the firewall, but you can't establish the RDP connection.
    3. Port forwards from WAN work without any problem.

    I am running RC3, which was installed from scratch. No additional services such as TrafficShaper, DynDNS or VPN are running.

    Does someone have an idea?
    Regards
    ![outbound Kopie.jpg](/public/imported_attachments/1/outbound Kopie.jpg)
    ![log Kopie.jpg](/public/imported_attachments/1/log Kopie.jpg)



  • Show us the portforward at optwan and the firewallrule for that portforward please.



  • Okay, here is the port forward and the corresponding firewall rule. The firewall rule was created through the NAT rule; the checkbox to automatically create firewall rules was ticked.








  • Does it work if you disable the advanced outbound nat? I think some of these rules might mix things up. We do enable nat automatically if an interface has a gateway.



  • Yes, I had it working without "Advanced Outbound NAT". The reason why I enabled this was that I wanted to put a Counter Strike Source server on the Internet that needs this "Static Port" feature. The weird thing is that when the PPPoE device at WAN could not make an Internet connection, the port forwards are working on the OPT-WANs.
    Do you have any suggestions ?



  • I think only one mapping can use a static source port at the same interface for the same port. You tried to assign the same source port several times at the same interface for traffic from different subnets. If the PPPoE WAN is down it bypasses one of these settings (the first match) and goes down to the OPT-WAN static port rule, which then works. I guess something like that is going on.



  • OK, I will try to delete the "static mappings" the next time I am in front of the router and post the results here.



  • Hmmzz, I got the same problems…
    I installed pfSense again (clean install)
    and only made 1 rule (RDP).
    First I tried it on WAN 1; this works.
    Then I tested on WAN 2 (OPT) and it doesn't work, and I programmed the rules the same.

    I hope they will find a solution for this problem.



  • Upgrade to 1.0-RELEASE. We fixed a condition where firewall rules were not applied before rebooting in certain circumstances.



  • @hoba:

    Upgrade to 1.0-RELEASE. We fixed a condition where firewall rules were not applied before rebooting in certain circumstances.

    I did that… But without any positive results...



  • rob_v, do you have a PPPoE connection on WAN?
    I will try to upgrade in the next days and solve the problem.



  • I tested it with:

    WAN 1 static

    WAN 2 static

    And with :

    WAN 1 DHCP

    WAN 2 static

    Thx :)



  • I am also now on Release 1:

    • Port forwarding on OPT-WAN not working
      - deleted my static port entries but no effect

    Now backed up config XML
    - deleted all advanced outbound rules and enabled IPsec passthrough, and deleted "outbound tags" in config.xml, installed pfSense again, restored config.xml, did the normal reboot and it doesn't even work without having outbound NAT enabled :-(

    Still the same: the firewall rule is shown as above in the firewall log page but nothing happens.

    Right now I have the feeling that Dual WAN and port forwarding is a mess or I am too stupid for this, and the way it seems, the latter is more likely.



  • I have several locations where I'm using portforwards on multiwan setups (at WAN and OPT-WAN) without any issues. You really seem to have something wrong. I suggest starting over and not reusing the old config.



  • Hoba, do you have on any location PPPOE as a Wan Interface?



  • uhm, no. Static everywhere. Maybe that makes a difference. Can you send me /tmp/rules.debug and your config.xml to holger dot bauer at citec-ag dot de?

    Btw, how did you make PPPoE work at OPT-WAN  ???



  • Hi Hoba,
    there may be some kind of misunderstanding:
    WAN (the normal pfSense standard WAN) = PPPoE
    Opt-Wan (Optional Interfaces with static ips or they get them per DHCP).

    Therefore I asked if in any of your Setups you have the normal WAN as a PPPoe Connection?



  • PPPoE at WAN shouldn't affect portforwards at OPT-WAN.



  • Shouldn't….
    I noticed only on an old install that when I plugged the cable off from the PPPoE connection and rebooted, the port forwards were working on OPT-WAN. This is the weird thing.

    On your OPT-WANs: do they all have IPs from an ISP? I have a 192.168.0.0/24 address on my OPT-WAN because I need a DSL modem router to make the PPPoE connection. Or is it a problem that I am using a private IP range on the OPT-WAN interface?
    Regards

    I will install from scratch the next day and take baby steps; maybe I can find out exactly at which point the problem lies.

    Should I still mail you the requested files?



  • did you uncheck this option on the opt interface ?

    Block private networks
    When set, this option blocks traffic from IP addresses that are reserved for private
    networks as per RFC 1918 (10/8, 172.16/12, 192.168/16) as well as loopback addresses
    (127/8). You should generally leave this option turned on, unless your WAN network
    lies in such a private address space, too.



  • Yes, please send me the files. Maybe something obvious pops up by viewing them.



  • Hi,

    Is it possible to make a (simple) config file that works with 2 WANs (port forwarding RDP or HTTP or FTP)?
    It doesn't matter what IPs you use in this config file.
    I want to compare this config file with my own settings; maybe I missed something?

    Thank you.

    Kind regards
    Rob



  • Hi, back at home,
    so jeroen234, on the OPT interfaces there is no checkbox.

    hoba: I disconnected the cable from WAN, rebooted, and then
    the forwards worked on OPT-WAN. The config with the normal NAT setup and also the config with Advanced Outbound NAT enabled.

    rob_V, could you also test your setup if you disconnect the cable from WAN and post your results, only to verify if this could be the bug?

    Cheers



  • @tec:

    Hi, back at home,
    so jeroen234, on the OPT interfaces there is no checkbox.

    hoba: I disconnected the cable from WAN, rebooted, and then
    the forwards worked on OPT-WAN. The config with the normal NAT setup and also the config with Advanced Outbound NAT enabled.

    rob_V, could you also test your setup if you disconnect the cable from WAN and post your results, only to verify if this could be the bug?

    Cheers

    I tried that without any positive result..
    After this experiment I switched the network cards to another PCI slot.
    But pfSense can't handle this action :P (I get watchdog failures every time).
    So I have to install pfSense again…. I think I'm gonna buy a hardware router, the RV042 from Linksys; I'm tired of pfSense, soz..
    It looks good and I think it will work fine, but on my system....

    Thanks, maybe I will use pfSense when I'm in a good mood..

    Or.... Somebody got a config file that works with 2 WANs and 2x RDP connection from WAN to LAN and OPT to LAN?
    That's the only thing that I want to try..



  • I have a similar problem.
    I have
    WAN (STATIC)
    LAN (STATIC)
    OPT1 (STATIC)
    OPT2 (STATIC)
    WAN2 (STATIC)

    Everything is working through WAN, but I cannot even ping the default gateway or any IP in my WAN2 network (/24) on WAN2. I did a tcpdump on the WAN2 NIC and see that packets are going in or out. But WAN2 never answers ARP requests.

    19:40:57.062126 arp who-has ...103 tell ...96

    WAN2 status is up. I rebooted pfSense a few times but still no luck.
    Any suggestions?

    (pfsense 1.0-RELEASE)



  • Make sure your WAN2 settings are correct. Maybe there is a typo somewhere? Do you see any traffic from the pfSense at all? Maybe you need a crossovercable?



  • My connection on WAN2 is like this:

         DSL_Modem
             |
        | switch |
          |    |
       WAN2    server with ...96 IP
    with ...103

    I ran tcpdump on 96 and 103.
    If I ping from ...96 to the ...103 IP, I see on both servers (96 and pfSense) an ARP request from
    96, "who has ....103 IP". pfSense doesn't answer.
    If I ping from ...103 to the ...96 IP, I see on both servers that the ICMP packet from 103 is going to 96.
    96 is trying to answer and sends an ARP request "who has ....103 IP", which pfSense sees but never answers.

    Weird... maybe it is happening because I installed 1.0-RC3 and upgraded to 1.0-Release...
    I'll try to do a fresh install from the 1.0.1 CD.
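
The symptom described in the post above (repeated ARP who-has requests for an address that never replies) can be checked mechanically from tcpdump text output. This is an added example, not part of the original thread; the function name is hypothetical and the capture lines are constructed using documentation addresses.

```python
import re
from collections import Counter

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Old tcpdump text: "arp who-has A tell B"; newer: "ARP, Request who-has A tell B".
# Newer versions may also print "(ff:ff:ff:ff:ff:ff)" after the target address.
REQUEST = re.compile(r"who-has\s+" + IP + r"(?:\s+\([0-9a-f:]+\))?\s+tell\s+" + IP, re.I)
REPLY = re.compile(r"reply\s+" + IP + r"\s+is-at\s+([0-9a-f:]{17})", re.I)

def unanswered_arp(lines, min_requests=3):
    """Return {target_ip: request_count} for addresses that were asked for at
    least min_requests times and never sent an ARP reply in the capture."""
    asked = Counter()
    answered = set()
    for line in lines:
        reply = REPLY.search(line)
        if reply:
            answered.add(reply.group(1))
            continue
        request = REQUEST.search(line)
        if request:
            asked[request.group(1)] += 1
    return {ip: n for ip, n in asked.items()
            if n >= min_requests and ip not in answered}

# Constructed sample capture: .96 keeps asking for .103, which never replies,
# while .96 does answer the one request addressed to it.
SAMPLE = """\
19:40:57.062126 arp who-has 192.0.2.103 tell 192.0.2.96
19:40:58.062311 arp who-has 192.0.2.103 tell 192.0.2.96
19:40:59.062498 arp who-has 192.0.2.103 tell 192.0.2.96
19:41:00.101220 arp who-has 192.0.2.96 tell 192.0.2.103
19:41:00.101344 arp reply 192.0.2.96 is-at 00:00:5e:00:53:60
19:41:01.062702 ARP, Request who-has 192.0.2.103 tell 192.0.2.96, length 28
"""

if __name__ == "__main__":
    for ip, count in unanswered_arp(SAMPLE.splitlines()).items():
        print(f"{ip}: {count} requests, no reply seen")
```

An address reported here while its interface shows link up points below the firewall rules, at the cabling, switch port or NIC.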



  • Yes, try a fresh install please.



  • Hi Hoba,
    I sent you my config files; did you find an obvious error?

    I am now on 1.0.1 and I can still confirm this strange error, that all of my forwardings on OPT-WAN are working when I plug the cable off from the WAN (PPPoE) interface and reboot the machine with a disconnected WAN.

    Maybe this could help: I tried to connect to my FTP server through OPT-WAN. This setup was working when the PPPoE WAN interface had no connectivity because the cable was pulled. I got the following logs in my FileZilla server log:
    (000002) 11/2/2006 13:31:31 PM - (not logged in) (84.58.147.51)> Connected, sending welcome message…
    (000002) 11/2/2006 13:31:31 PM - (not logged in) (84.58.147.51)> 220-FileZilla Server version 0.9.19 beta
    (000002) 11/2/2006 13:31:31 PM - (not logged in) (84.58.147.51)> could not send reply, disconnected.

    The interesting thing is that I don't receive the welcome message on my client. But in my firewall log, the incoming connection is marked as successfully passed. To me it seems that something in the "NAT department" is not working how it should.



  • About my problem with the second WAN:
    I did a fresh install - didn't help. So I tried
    it as the LAN NIC and ….....
    it turned out that the NIC was broken.
    I've never seen such a strange problem before, but
    I'm happy that everything is working now.



  • Hi,
    I finally had time to change my WAN interface from PPPoE to a static IP with a modem router in front of it. After the change I rebooted. And now port forwards are working with Advanced Outbound NAT on the OPT-WAN interfaces and policy-based routing.
    From my point of view there seems to be something not really working if you use PPPoE on the WAN interface; maybe the developers could take a look into it.
    Regards

