Problem forwarding ports to internal IPs
-
Hi! I'm unable to forward any port to my internal IP.
This is my configuration:INTERNET
PFSense
Tp-Link Router
LAN connected to tp-linkPFSense have:
WAN IP: 23.238.x.x (ISP IP)
LAN: 10.0.0.1TP-Link have:
IP: 10.0.0.245
Gateway: 10.0.0.1 (PFsense)
LAN and Wi-Fi ip range: 192.168.1.xNow i need to forward ports 46662-46672 to 192.168.1.103:
and i made this NAT rules:
Then i log the traffic:
And then i test port forward. This is PFSense firewall log (rule allowed):
But post forward test fail ("FALLITO" mean fail):
I also tested for other ports like 8080 but nothing to do…
What can i do?EDIT = You should also know that i'm unable to ping any 192.168.1.x IPs from my pfsense shell.
But i can ping 10.0.0.1 (pfsense LAN address) from any 192.168.1.x computers -
Your NAT rules are wrong.
Your destination is the pfSense itself and as WAN you have any.The destination should be the server you want the services on 443 and 22.
As external address you should have your WAN-address.
Or are these two rules intended to allow access to the pfSense?
In this case: delete the rules alltogether. You dont need them. The GUI and SSH can be accessed on the WAN IP directly.
You just need appropriate rules on the WAN-interface.Your third rule should have as ext: the WAN-interface and not any.
How is your TP-Link configured?
Is it doing NAT? Is it a bridge? A normal router?
Did you configure a static route on the pfSense pointing to the IP of the TP-Link for the subnet behind it?PS: Your title is very missleading.
pfSense does forwards perfectly. You most probably have a missconfiguration.
Or your setup is completly wrong and cannot work in the first place. -
Your NAT rules are wrong.
Your destination is the pfSense itself and as WAN you have any.The destination should be the server you want the services on 443 and 22.
As external address you should have your WAN-address.
Or are these two rules intended to allow access to the pfSense?
In this case: delete the rules alltogether. You dont need them. The GUI and SSH can be accessed on the WAN IP directly.
You just need appropriate rules on the WAN-interface.Yep, the first 2 rules (for 443 and 22) was made to access on pfsense directly. If i dont need it i will remove.
However you should know that my isp is Fastweb, it work a little different from others isp.Your third rule should have as ext: the WAN-interface and not any.
Ok, i made what you mean:
But port test continue to failHow is your TP-Link configured?
Is it doing NAT? Is it a bridge? A normal router?Tp-Link is default configured, no NAT no Bridge.
Did you configure a static route on the pfSense pointing to the IP of the TP-Link for the subnet behind it?
Nop
PS: Your title is very missleading.
pfSense does forwards perfectly. You most probably have a missconfiguration.
Or your setup is completly wrong and cannot work in the first place.Ok, title changed, sorry.
-
Ok in this case it's just a standard router.
For the pfSense to know where to send the traffic to, you need to create a static route for 192.168.1.0/24 pointing to 10.0.0.245.
Try first to test if you can ping from the pfSense itself to the server you want to forward ports to.What exactly do you mean, that your ISP is a little different?
-
Ok, i have made the static route:
Now:
ping 10.0.0.245 –-> OK
ping 192.168.1.1 ---> OK
ping 192.168.1.103 ---> KO[root@firewall.r00tati]/root(20): ping -c 2 192.168.1.103 PING 192.168.1.103 (192.168.1.103): 56 data bytes --- 192.168.1.103 ping statistics --- 2 packets transmitted, 0 packets received, 100.0% packet lossWhat exactly do you mean, that your ISP is a little different?
Fastweb is not PPP, it use NAT system for theire users. It assign us internal IP (in my case 23.238.x.x) and we do not have a public IP.
This is a simple explanation of fastweb NetworkThis is the result of netstat -rn
[root@firewall.r00tati]/root(21): netstat -rn Routing tables Internet: Destination Gateway Flags Refs Use Netif Expire default 23.238.136.1 UGS 0 409846 vr1 10.0.0.0/24 link#1 UC 0 0 vr0 10.0.0.245 00:19:e0:f9:0e:2f UHLW 2 604988 vr0 1077 10.0.8.2 10.0.8.1 UH 0 0 tun0 23.238.136.0/21 link#2 UC 0 0 vr1 23.238.136.1 00:90:1a:X UHLW 2 480 vr1 638 23.238.141.X 00:13:c8:X UHLW 1 4 vr1 1126 23.238.141.X 127.0.0.1 UGHS 0 0 lo0 127.0.0.1 127.0.0.1 UH 1 0 lo0 192.168.1.0/24 10.0.0.245 UGS 0 18 vr0 Internet6: Destination Gateway Flags Netif Expire ::1 ::1 UHL lo0 fe80::%vr0/64 link#1 UC vr0 fe80::20d:b9ff:fe1a:2718%vr0 00:0d:b9:X UHL lo0 fe80::%vr1/64 link#2 UC vr1 fe80::20d:b9ff:fe1a:2719%vr1 00:0d:b9:X UHL lo0 fe80::%lo0/64 fe80::1%lo0 U lo0 fe80::1%lo0 link#4 UHL lo0 fe80::20d:b9ff:fe1a:2718%tun0 link#8 UHL lo0 ff01:1::/32 link#1 UC vr0 ff01:2::/32 link#2 UC vr1 ff01:4::/32 ::1 UC lo0 ff01:8::/32 link#8 UC tun0 ff02::%vr0/32 link#1 UC vr0 ff02::%vr1/32 link#2 UC vr1 ff02::%lo0/32 ::1 UC lo0 ff02::%tun0/32 link#8 UC tun0And this is the configuration of my router:
-
Well 23.238.x.x is a public IP ;)
Private IPs are
10/8
172,16/12
192.168/16
(and to some extent 169.254/16)Since you can ping now the private IP of your second router we can be sure that the pfSense knows how to reach it.
Are you sure that you dont have a firewall on the client?What i dont understand right now is, that your accesspoint has the same IP on the WLAN and the LAN.
If it's a normal router this should confuse it and mess up it's routing table.
Can you ping 192.168.1.103 from your second router? -
Since you can ping now the private IP of your second router we can be sure that the pfSense knows how to reach it.
Yep, it's a good point!
Are you sure that you dont have a firewall on the client?
Yes, i use linux and there are no iptables rules
What i dont understand right now is, that your accesspoint has the same IP on the WLAN and the LAN.
If it's a normal router this should confuse it and mess up it's routing table.
Can you ping 192.168.1.103 from your second router?Yes i'm able to ping 192.168.1.103 for another 192.168.1.x
-
What i do is:
-
Add static routing (System–>Static routing) like this:
-
Add new NAT rules like this:
Where 10.0.0.245 is your Router IP Address -
Go in your router configuration and add a new port forwarding like this:
Forward the same port to the correct IP (in my case 192.168.1.103)
-
-
Don't set the external address in the portforward to any.
Set it to the external address. -
Don't set the external address in the portforward to any.
Set it to the external address.Oops, right! Edited
It doesnt work at all :S
-
Solved disabling " Block private networks" and " Block bogon networks"
