Problem forwarding ports to internal IPs



  • Hi! I'm unable to forward any port to my internal IP.
    This is my configuration:

    INTERNET
    PFSense
    Tp-Link Router
    LAN connected to tp-link

    pfSense has:
    WAN IP: 23.238.x.x (ISP IP)
    LAN: 10.0.0.1

    TP-Link has:
    IP: 10.0.0.245
    Gateway: 10.0.0.1 (PFsense)
    LAN and Wi-Fi ip range: 192.168.1.x

    Now I need to forward ports 46662-46672 to 192.168.1.103,
    and I made these NAT rules:

    Then I log the traffic:

    And then I test the port forward. This is the pfSense firewall log (rule allowed):

    But the port forward test fails ("FALLITO" means fail):

    I also tested other ports like 8080, but nothing to do…
    What can I do?

    EDIT = You should also know that I'm unable to ping any 192.168.1.x IPs from my pfSense shell.
    But I can ping 10.0.0.1 (pfSense LAN address) from any 192.168.1.x computers.



  • Your NAT rules are wrong.
    Your destination is the pfSense itself and as WAN you have any.

    The destination should be the server you want the services on 443 and 22.
    As external address you should have your WAN-address.
    Or are these two rules intended to allow access to the pfSense?
    In this case: delete the rules altogether. You don't need them. The GUI and SSH can be accessed on the WAN IP directly.
    You just need appropriate rules on the WAN-interface.

    Your third rule should have as ext: the WAN-interface and not any.

    How is your TP-Link configured?
    Is it doing NAT? Is it a bridge? A normal router?
    Did you configure a static route on the pfSense pointing to the IP of the TP-Link for the subnet behind it?

    PS: Your title is very misleading.
    pfSense does forward perfectly. You most probably have a misconfiguration.
    Or your setup is completely wrong and cannot work in the first place.



  • Your NAT rules are wrong.
    Your destination is the pfSense itself and as WAN you have any.

    The destination should be the server you want the services on 443 and 22.
    As external address you should have your WAN-address.
    Or are these two rules intended to allow access to the pfSense?
    In this case: delete the rules altogether. You don't need them. The GUI and SSH can be accessed on the WAN IP directly.
    You just need appropriate rules on the WAN-interface.

    Yep, the first 2 rules (for 443 and 22) were made to access pfSense directly. If I don't need them I will remove them.
    However, you should know that my ISP is Fastweb; it works a little differently from other ISPs.

    Your third rule should have as ext: the WAN-interface and not any.

    OK, I did what you meant:

    But the port test continues to fail.

    How is your TP-Link configured?
    Is it doing NAT? Is it a bridge? A normal router?

    The TP-Link has the default configuration, no NAT, no bridge.

    Did you configure a static route on the pfSense pointing to the IP of the TP-Link for the subnet behind it?

    Nope

    PS: Your title is very misleading.
    pfSense does forward perfectly. You most probably have a misconfiguration.
    Or your setup is completely wrong and cannot work in the first place.

    OK, title changed, sorry.



  • OK, in this case it's just a standard router.
    For the pfSense to know where to send the traffic to, you need to create a static route for 192.168.1.0/24 pointing to 10.0.0.245.
    Try first to test if you can ping from the pfSense itself to the server you want to forward ports to.

    What exactly do you mean, that your ISP is a little different?



  • OK, I have made the static route:

    Now:
    ping 10.0.0.245   ---> OK
    ping 192.168.1.1  ---> OK
    ping 192.168.1.103 ---> KO

    [root@firewall.r00tati]/root(20): ping -c 2 192.168.1.103
    PING 192.168.1.103 (192.168.1.103): 56 data bytes

    --- 192.168.1.103 ping statistics ---
    2 packets transmitted, 0 packets received, 100.0% packet loss


    What exactly do you mean, that your ISP is a little different?

    Fastweb is not PPP; it uses a NAT system for its users. It assigns us an internal IP (in my case 23.238.x.x) and we do not have a public IP.
    This is a simple explanation of the Fastweb network:

    This is the result of netstat -rn:

    [root@firewall.r00tati]/root(21): netstat -rn
    Routing tables

    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            23.238.136.1       UGS         0   409846    vr1
    10.0.0.0/24        link#1             UC          0        0    vr0
    10.0.0.245         00:19:e0:f9:0e:2f  UHLW        2   604988    vr0   1077
    10.0.8.2           10.0.8.1           UH          0        0   tun0
    23.238.136.0/21    link#2             UC          0        0    vr1
    23.238.136.1       00:90:1a:X         UHLW        2      480    vr1    638
    23.238.141.X       00:13:c8:X         UHLW        1        4    vr1   1126
    23.238.141.X       127.0.0.1          UGHS        0        0    lo0
    127.0.0.1          127.0.0.1          UH          1        0    lo0
    192.168.1.0/24     10.0.0.245         UGS         0       18    vr0

    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::1                               ::1                           UHL         lo0
    fe80::%vr0/64                     link#1                        UC          vr0
    fe80::20d:b9ff:fe1a:2718%vr0      00:0d:b9:X                    UHL         lo0
    fe80::%vr1/64                     link#2                        UC          vr1
    fe80::20d:b9ff:fe1a:2719%vr1      00:0d:b9:X                    UHL         lo0
    fe80::%lo0/64                     fe80::1%lo0                   U           lo0
    fe80::1%lo0                       link#4                        UHL         lo0
    fe80::20d:b9ff:fe1a:2718%tun0     link#8                        UHL         lo0
    ff01:1::/32                       link#1                        UC          vr0
    ff01:2::/32                       link#2                        UC          vr1
    ff01:4::/32                       ::1                           UC          lo0
    ff01:8::/32                       link#8                        UC         tun0
    ff02::%vr0/32                     link#1                        UC          vr0
    ff02::%vr1/32                     link#2                        UC          vr1
    ff02::%lo0/32                     ::1                           UC          lo0
    ff02::%tun0/32                    link#8                        UC         tun0


    And this is the configuration of my router:



  • Well, 23.238.x.x is a public IP ;)
    Private IPs are
    10/8
    172.16/12
    192.168/16
    (and to some extent 169.254/16)

    Since you can ping now the private IP of your second router we can be sure that the pfSense knows how to reach it.
    Are you sure that you don't have a firewall on the client?

    What I don't understand right now is that your access point has the same IP on the WLAN and the LAN.
    If it's a normal router this should confuse it and mess up its routing table.
    Can you ping 192.168.1.103 from your second router?



  • Since you can ping now the private IP of your second router we can be sure that the pfSense knows how to reach it.

    Yep, it's a good point!

    Are you sure that you don't have a firewall on the client?

    Yes, I use Linux and there are no iptables rules.

    What I don't understand right now is that your access point has the same IP on the WLAN and the LAN.
    If it's a normal router this should confuse it and mess up its routing table.
    Can you ping 192.168.1.103 from your second router?

    Yes, I'm able to ping 192.168.1.103 from another 192.168.1.x.



  • What I do is:

    1. Add static routing (System–>Static routing) like this:

    2. Add new NAT rules like this:

      Where 10.0.0.245 is your router IP address

    3. Go in your router configuration and add a new port forwarding like this:

      Forward the same port to the correct IP (in my case 192.168.1.103)



  • Don't set the external address in the portforward to any.
    Set it to the external address.



  • Don't set the external address in the portforward to any.
    Set it to the external address.

    Oops, right! Edited

    It doesn't work at all :S



  • Solved by disabling "Block private networks" and "Block bogon networks"
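    An added example (not from this thread or from pfSense) that checks the two things the thread turned on: whether the pfSense routing table actually carries a route for the forward target (the static route to 192.168.1.0/24 via 10.0.0.245 from the earlier reply), and whether a given packet source falls inside the private ranges listed above, which "Block private networks" on WAN would drop. The routing table below is constructed in the shape of the thread's netstat -rn output with masked entries omitted; the private ranges are the ones listed in the reply, not pfSense's exact rule set.

```python
import ipaddress

# Constructed routing table shaped like the thread's "netstat -rn" output
# (masked rows left out). Only Destination, Gateway and Netif are used.
NETSTAT_RN = """\
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            23.238.136.1       UGS         0   409846    vr1
10.0.0.0/24        link#1             UC          0        0    vr0
10.0.0.245         00:19:e0:f9:0e:2f  UHLW        2   604988    vr0   1077
23.238.136.0/21    link#2             UC          0        0    vr1
127.0.0.1          127.0.0.1          UH          1        0    lo0
192.168.1.0/24     10.0.0.245         UGS         0       18    vr0
"""

# Ranges the reply lists as private (RFC 1918 plus link-local). The real
# pfSense "Block private networks" rule may cover a slightly different set.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def parse_routes(text):
    """Parse BSD-style netstat -rn rows into (network, gateway, netif)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        cols = line.split()
        if len(cols) < 6:
            continue
        dest, gw, netif = cols[0], cols[1], cols[5]
        net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest,
                                   strict=False)   # host rows become /32
        routes.append((net, gw, netif))
    return routes

def lookup(routes, ip):
    """Longest-prefix match; returns (gateway, netif) or None if no route."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])

def no_static_route_table():
    """The same table before the 192.168.1.0/24 static route was added."""
    return "\n".join(l for l in NETSTAT_RN.splitlines()
                     if not l.startswith("192.168.1.0/24")) + "\n"

def blocked_as_private(src):
    """True if a WAN packet from src would hit the private-network block."""
    return any(ipaddress.ip_address(src) in n for n in PRIVATE_NETS)

if __name__ == "__main__":
    print("with route:", lookup(parse_routes(NETSTAT_RN), "192.168.1.103"))
    print("without:   ", lookup(parse_routes(no_static_route_table()), "192.168.1.103"))
    print("private src blocked:", blocked_as_private("192.168.1.103"))
```

Without the static route the forward target resolves to the default route out of the WAN interface, which is why the first tests could not work; and any test source inside the listed ranges is exactly what the WAN-side private-network block was dropping before it was disabled.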

