NAT/Port forwarding issue



  • Hi All,

    I'm running pfSense on a PC Engines board (ALIX) with 3x NICs

    WAN = to our dsl provider
    LAN = (DHCP 192.168.3/24) goes to a switch and roughly 16 industrial WiFi access points
    ADMIN = (static, 192.168.23.200) goes onto a corporate network (192.168.23/24) for remote administration.

    The access points on the LAN are statically assigned and can be controlled via web access on port 80.

    I would like to access the web interfaces via the ADMIN network so I can configure the access points from my office.

    Now the easiest way I've seen you can do this is by running NAT on the admin/LAN networks and some firewall rules to punch a hole through (securely). Problem is, I've tried this and the packets never reach the destination / time out or aren't getting back out correctly, so I ask: is this possible?

    (admin) 192.168.23.200:5000 ==> (lan) 192.168.3.18:80 (to an access point),

    So the firewall listens for TCP connections on port 5000 and knows to send them to the specific IP and to forward the request to port 80.

    Can this be done?

    Many thanks!



  • Is there a reason you won't just let the admin network access the access points directly? I assume ADMIN is OPT1? If so, it won't have any access to anywhere unless you add rules. So, something like this:

    Firewall => NAT => Outbound:

    Enable Advanced Outbound NAT. Add a rule that has a source subnet of the ADMIN subnet, and check the "No NAT" box. In the rules section, add a rule applying to the ADMIN interface that only allows access to port 80 on the set of AP IP addresses (you can define those in an alias list elsewhere).
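To make the least-privilege policy in the reply above concrete, here is an added example that is not from the thread or from pfSense itself: a small Python model of pfSense-style interface rules (first match wins, unmatched traffic hits the implicit default deny), loaded with a ruleset mirroring the suggested ADMIN rule and checked against a few constructed connection attempts. The AP address 192.168.3.18 and the two subnets come from the thread; the second AP address, the admin workstation address, the interface name ADMIN and the alias name AP_hosts are assumptions. The model also assumes the APs route replies back through pfSense (its LAN address is their default gateway), which is what lets the direct-access approach work without the port forward asked about in the question.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Flow:
    """One new connection attempt as the firewall sees it on the ingress interface."""
    in_if: str     # interface the SYN arrives on, e.g. "ADMIN"
    proto: str     # "tcp" or "udp"
    src: str       # source IPv4 address
    dst: str       # destination IPv4 address
    dport: int     # destination port


@dataclass(frozen=True)
class Rule:
    """A pfSense-style interface rule: pass/block on one interface, matched first-to-last."""
    action: str                  # "pass" or "block"
    in_if: str                   # interface tab the rule lives on
    proto: str                   # "tcp", "udp" or "any"
    src_net: str                 # source network in CIDR notation
    dst_hosts: FrozenSet[str]    # alias contents; empty set means "any destination"
    dports: FrozenSet[int]       # destination ports; empty set means "any port"
    descr: str = ""

    def matches(self, flow: Flow) -> bool:
        if self.in_if != flow.in_if:
            return False
        if self.proto != "any" and self.proto != flow.proto:
            return False
        if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_hosts and flow.dst not in self.dst_hosts:
            return False
        if self.dports and flow.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], flow: Flow) -> str:
    """pfSense evaluates interface rules first-match (pf 'quick'); an inbound
    connection that matches no rule falls through to the implicit default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "block"


def render_pf(alias_name: str, hosts: FrozenSet[str], rules: List[Rule]) -> str:
    """Render the same policy in pf.conf syntax (an approximation of what the GUI generates)."""
    lines = [f"table <{alias_name}> {{ {', '.join(sorted(hosts))} }}"]
    for r in rules:
        dst = f"<{alias_name}>" if r.dst_hosts else "any"
        ports = sorted(r.dports)
        if not ports:
            port = ""
        elif len(ports) == 1:
            port = f" port {ports[0]}"
        else:
            port = f" port {{ {', '.join(str(p) for p in ports)} }}"
        proto = f" proto {r.proto}" if r.proto != "any" else ""
        lines.append(f"{r.action} in quick on ${r.in_if} inet{proto} from {r.src_net} to {dst}{port}")
    return "\n".join(lines)


# Constructed data: 192.168.3.18 and the subnets are from the thread; the second AP,
# the admin workstation (192.168.23.50) and the interface/alias names are assumed.
AP_HOSTS = frozenset({"192.168.3.18", "192.168.3.19"})
ADMIN_SUBNET = "192.168.23.0/24"

ADMIN_RULES = [
    Rule("pass", "ADMIN", "tcp", ADMIN_SUBNET, AP_HOSTS, frozenset({80}),
         "Allow corporate admins to reach AP web interfaces only"),
]


def check_policy() -> dict:
    """Evaluate representative flows against the ADMIN interface rules."""
    flows = {
        "admin_to_ap_web":      Flow("ADMIN", "tcp", "192.168.23.50", "192.168.3.18", 80),
        "admin_to_ap_ssh":      Flow("ADMIN", "tcp", "192.168.23.50", "192.168.3.18", 22),
        "admin_to_dhcp_client": Flow("ADMIN", "tcp", "192.168.23.50", "192.168.3.77", 80),
        "spoofed_src_on_admin": Flow("ADMIN", "tcp", "10.9.9.9", "192.168.3.18", 80),
        "admin_to_ap_udp":      Flow("ADMIN", "udp", "192.168.23.50", "192.168.3.18", 80),
    }
    return {name: evaluate(ADMIN_RULES, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{name:24s} {verdict}")
    print(render_pf("AP_hosts", AP_HOSTS, ADMIN_RULES))
```

Only the admin-workstation-to-AP-port-80 flow passes; everything else arriving on ADMIN (other ports, non-AP LAN hosts, a source outside the ADMIN subnet, UDP) is dropped by the default deny, which is the "securely" part of the question. Return traffic from the APs is handled by pf's state table, so no LAN-side rule is needed for it.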

