Problem connecting to pfSense from outside



  • I have pfSense running, and I can browse the internet from within my network. I am using PPPoE.

    The problem is that I can't connect to the pfSense server from anywhere outside my LAN. I want to SSH into this box but am unable to. Ping and the webGUI also don't work.

    I believe I will have to create rules to allow port 22 (for SSH) into the pfSense server, but I just can't figure out whether to use "rules" or NAT. I tried creating some rules in the rules section, but I am dumbfounded by the GUI. I tried looking for documentation or a guide, but to no avail. I would appreciate anyone who can point me in the right direction.

    Thanks in advance.



  • Somehow, I don't know what I did, but the connection now works. SSH and the webGUI can connect; the only problem is that ping doesn't work. I can't ping the pfSense box.

    Now I am trying to block port 22 (SSH) from getting into the box, and nothing works. I can still SSH into the box. I am sure I am doing something wrong here.

    
            Proto  Source  Port  Destination  Port      Gateway  Description
    (block) TCP    *       *     WAN address  22 (SSH)  *        block ssh
    
    

    So what am I doing wrong?

    Since I am able to SSH and use the webGUI on pfSense, I am assuming that by default all ports are allowed into pfSense?

    Is it possible to disallow all ports except established connections from within the NAT and explicitly specified ports in the rules? Any reference site with example settings?



  • Add a rule in Firewall -> Rules -> WAN and permit ICMP.



  • Normally there are no rules on the WAN interface, so all traffic to the WAN that is not started from your LAN is blocked.
    If you put the same rule on the WAN as on the LAN,
    then the whole internet can come in to your server.
    You need only open the ports that you want to show to the internet:
            Proto  Source  Port  Destination  Port       Gateway  Description
    (pass)  TCP    *       *     WAN address  22 (SSH)   *        ssh
    (pass)  TCP    *       *     WAN address  80 (http)  *        http

    It is better to change the web interface address to somewhere higher than port 20,000,
    so that hackers don't find your web interface when they check your PC for commonly used open ports.

    You can also set up pfSense as a VPN server,
    then make contact from somewhere on the internet,
    and then connect to the web interface or SSH from the LAN side of pfSense through the VPN connection.



  • @jeroen234:

    Normally there are no rules on the WAN interface, so all traffic to the WAN that is not started from your LAN is blocked.
    If you put the same rule on the WAN as on the LAN,
    then the whole internet can come in to your server.
    You need only open the ports that you want to show to the internet:
            Proto  Source  Port  Destination  Port       Gateway  Description
    (pass)  TCP    *       *     WAN address  22 (SSH)   *        ssh
    (pass)  TCP    *       *     WAN address  80 (http)  *        http

    It is better to change the web interface address to somewhere higher than port 20,000,
    so that hackers don't find your web interface when they check your PC for commonly used open ports.

    You can also set up pfSense as a VPN server,
    then make contact from somewhere on the internet,
    and then connect to the web interface or SSH from the LAN side of pfSense through the VPN connection.

    But I started out unable to access my WAN (pfSense) from the internet. Hence, I posted to ask how to allow access to pfSense from the outside world. But after doing a restart, and having NOT added any rules, somehow the outside world can connect to pfSense, SSH and so on, except ping. No matter what I do, I just can't ping the pfSense box. I tried adding ICMP port 8 but still can't ping.

    Now I am trying to block SSH from the outside world to learn how to use the rules correctly, but somehow I just can't block SSH. I am still able to SSH to the pfSense box. I am really dumbfounded.



  • @abubin:

    But I started out unable to access my WAN (pfSense) from the internet. Hence, I posted to ask how to allow access to pfSense from the outside world. But after doing a restart, and having NOT added any rules, somehow the outside world can connect to pfSense, SSH and so on, except ping. No matter what I do, I just can't ping the pfSense box. I tried adding ICMP port 8 but still can't ping.

    Now I am trying to block SSH from the outside world to learn how to use the rules correctly, but somehow I just can't block SSH. I am still able to SSH to the pfSense box. I am really dumbfounded.

    First, you need to make sure you are running version 1.0.1. There was a bug with the previous version where changed rules would not reload until after rebooting.

    Secondly, to access your pfSense box from the outside, you have to do two things. You have to create a NAT statement redirecting your desired traffic (SSH or web) from your external IP to the LAN IP. Next you have to create the rule to allow this traffic.
      So your NAT statement will look like this:
        IF   Ext Port Range     Internal IP       Int Port Range
        WAN  SSH or HTTP, etc.  LAN Interface IP  SSH, HTTP, etc.

    Your WAN rule will be:
            Proto        Source     Src Port  Destination IP  Int Port Range
    (Pass)  ICMP or TCP  Source IP  any       LAN If IP       SSH, HTTP, etc.

    That should get you going.



  • @sdale:

    First, you need to make sure you are running version 1.0.1. There was a bug with the previous version where changed rules would not reload until after rebooting.

    I am using 1.0.1 developer edition.

    @sdale:

    Secondly, to access your pfSense box from the outside, you have to do two things. You have to create a NAT statement redirecting your desired traffic (SSH or web) from your external IP to the LAN IP. Next you have to create the rule to allow this traffic.
      So your NAT statement will look like this:
        IF   Ext Port Range     Internal IP       Int Port Range
        WAN  SSH or HTTP, etc.  LAN Interface IP  SSH, HTTP, etc.

    Isn't the pfSense box (firewall) already exposed to the internet? I mean, it has the PPPoE (or WAN) connection, which means all traffic will come in here. I just need to "pass" the traffic and it will automatically go into pfSense, right? In other words, is the pfSense box by default in the DMZ? If not, what's the best way to put it into the DMZ?

    So, in the Shorewall firewall, I just need to specify <firewall> and the routing table would know to output the traffic to the firewall's WAN IP (which is dynamic, since it's PPPoE). I was assuming that when I choose the 'WAN Address' type in the source or destination, it would mean the firewall/pfSense box. Otherwise, how do I specify the pfSense box, aside from using its internal IP address (LAN address)?

    For other PCs in my network that are not exposed, only then do I need to use port forwarding, right?



  • You don't need to port forward to the LAN IP of the pfSense box to access it. Just create a firewall rule on WAN for the desired protocols and ports with destination "WAN IP Address". It will substitute the current WAN IP. To access internal hosts you need port forwards and a firewall rule to allow the traffic. The easiest way is to let the firewall rule be auto-created when adding the port forward.
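    As an added illustration (not from this thread and not pfSense's own generated ruleset), the two approaches discussed above written in native pf syntax, which is roughly what the GUI rules become in the kernel. It assumes the PPPoE WAN interface is pppoe0 and a LAN web server at 192.168.1.10; both values are assumptions.

```pf
# Added example, not from the thread or from pfSense; pppoe0 and
# 192.168.1.10 are assumed values.
wan      = "pppoe0"
web_host = "192.168.1.10"

# Reaching a LAN host needs a redirect (the GUI "NAT" entry)...
rdr on $wan proto tcp from any to ($wan) port 80 -> $web_host port 80

# Default deny on WAN: unsolicited traffic reaches neither the box nor the LAN.
block in log on $wan all

# "WAN address" in the GUI becomes ($wan): the parentheses make pf look up
# the interface address at match time, so a new PPPoE lease still matches.
pass in quick on $wan inet proto icmp from any to ($wan) icmp-type echoreq keep state
pass in quick on $wan proto tcp from any to ($wan) port 22 flags S/SA keep state

# pfSense rules are first-match ("quick"), so a block rule for port 22 only
# takes effect if it sits above any pass rule for the same port:
#   block in quick on $wan proto tcp from any to ($wan) port 22

# ...plus a pass rule for the translated destination; the firewall itself
# needs no rdr, only the pass rules above.
pass in quick on $wan proto tcp from any to $web_host port 80 flags S/SA keep state
```

    On the box, `pfctl -sr` prints the ruleset actually loaded in the kernel, which is the quick way to tell a rule that was saved in the GUI from one that is really in effect.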



  • I think there is something wrong with the rules.

    I had a rule to allow ping into "WAN address" (which should mean the pfSense box). But when I turn off the rule, I can still ping the box. Somehow the rules don't get applied.

    Confirmed. I must restart the server in order for the rules to be applied.

    I started out able to ping pfSense. After that, I had the ping rule disabled but was still able to ping the WAN address. Then I rebooted and tried pinging again, and this time it didn't work. That means the disabled ping rule only got applied after restarting the server. That's why I am having problems with the rules: my rules don't get applied after creating them. I thought I was applying the rules wrongly.

    I am sure rules get applied without rebooting, as there are no other users reporting this problem. Maybe I didn't install the developer version correctly. Should I run the script again?

    How else could I check to see if anything went wrong? I am sure that I am running 1.0.1 because it is shown in the webConfigurator.



  • Maybe the fix for the rules-not-reloading bug
    is not installed on the dev version of 1.0.1.



  • @jeroen234:

    Maybe the fix for the rules-not-reloading bug
    is not installed on the dev version of 1.0.1.

    Well, how do I check that? Can anyone give a pointer or two?

    Oh yeah, could it be due to me re-compiling the kernel using pfSense.6?



  • @hoba:

    You don't need to port forward to the LAN IP of the pfSense box to access it. Just create a firewall rule on WAN for the desired protocols and ports with destination "WAN IP Address". It will substitute the current WAN IP. To access internal hosts you need port forwards and a firewall rule to allow the traffic. The easiest way is to let the firewall rule be auto-created when adding the port forward.

    I tried not creating a NAT entry to access my box from outside, but it doesn't work. It might have something to do with my custom port for HTTPS.



  • By default, the pfSense box is already exposed to the internet. You don't need to create NAT for it unless you want it to access the internal IP of the pfSense box.

    One of my questions is, which option in the drop-down box is the correct way to reference this pfSense WAN connection?

    WAN address
    PPPOE client

    We definitely can't specify an IP address because when we dial using PPPoE, we will get a different IP address. Therefore, my closest deduction is to choose WAN address. But the problem is, it doesn't work. And we have no way of checking because the documentation is inadequate. Is it because I did the config wrongly? Or is it because something is wrong with my installation? Or is it my kernel? Or is it some other problem?

    I don't blame the developers because they just don't have time, but how about creating some SIMPLE setup examples for pfSense? Even m0n0wall's docs are very lacking.

    Look at Shorewall. They have very good examples of a 2-NIC network config, a 3-NIC network config and all the most common network setups, which people can follow and reference easily.

    http://www.shorewall.net/shorewall_quickstart_guide.htm



  • You want WAN address.

