SOLVED: accessing internal network from WAN side



  • Hello,

    I have a pfSense box connected to a campus network (by WAN 134.214.116.X/22) to serve wireless clients with captive portal login.
    All PCs are configured by static DHCP (192.168.10.0/24), and "register static DHCP in DNS forwarder" is checked.

    Now, wireless clients behind pfSense can see and communicate (Windows networking) with each other and with all other PCs on the campus network.
    But the problem is that wireless users are not reachable from anywhere on the campus network.

    Any idea how to resolve this?

    thanks

    chady



  • Is this a NAT or routing setup? If it's a NATting setup you would need a lot of IPs to 1:1 NAT them and allow access to them. However, it gets quite confusing as their campus IP would be different from their private IP. If you do routing you only have to add firewall rules. However, all clients on the campus network would then need a route back to your subnet.



  • pfSense is acting as a gateway… so it is a NAT setup.
    I have tried 1:1 NAT for some IPs (I have also added a virtual IP); in this way the internal IP is seen as a public IP and I can ping from LAN to outside. But pings are not possible from a PC on the campus to the public IP used for 1:1 NAT.



  • Probably a firewall rule issue. Check your rules and Status > System logs, Firewall tab for blocked traffic.



  • Maybe. I also cannot ping the server WAN address from outside.



  • By default pfSense doesn't answer to anything at WAN. You have to add rules for everything that should be allowed. Not answering to pings is default behaviour.



  • Hi,
    I have added a rule on the WAN interface: any to any, but pfSense is still not pingable.



  • My way (default pfSense install): echo from WAN




  • Still not working here.



  • Do you see the blocked traffic at Status > System logs, Firewall? If yes, your rules are not correct. If no, something in front of you is already filtering the traffic.



  • I see a lot of blocked rules/IPs.

    The actual rule I have now on the WAN interface is:
    Interface: WAN
    Source: Any
    Destination: LAN subnet

    What should I change?


    pfSense WAN IP: 134.214.116.244
    VIP: 134.214.116.30
    NAT 1:1: 134.214.116.30 to internal IP: 192.168.10.200



  • Now, after a reboot, only the WAN IP address is pingable from outside, but not the virtual IPs.

    The system log shows that ping requests are blocked at the WAN side.

    Rules:
    Interface: WAN
    Source: Any
    Destination: 134.214.116.30

    and

    Interface: WAN
    Source: Any
    Destination: WAN address

    Protocol: Any in both cases



  • What version are you running? Sounds like 1.0 which had a rule apply bug under some circumstances. I recommend upgrading.



  • I am running the 27-02 snapshot.
    I am sure that it is a firewall problem because I see in the syslog that pings to my VIP are blocked…



  • Btw, we do not redirect protocol ICMP, so this won't be NATted. In case you want to make the VIP pingable you have to use type CARP (currently the only virtual IP that allows for ICMP) and add a firewall rule at WAN for protocol ICMP, source any, destination virtual WAN IP.



  • That is exactly what I have done, but with Proxy ARP.

    If I move to crap, I get this error message:
    Sorry, we could not locate an interface with a matching subnet for 134.214.116.30/32. Please add an ip in this subnet on a real interface



  • CARP IPs have to use the real interfaces subnet, not /32.
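    The two developer replies above (ICMP is not translated by pfSense's 1:1 NAT, so the VIP itself must accept the echo request; a CARP VIP must carry the real WAN interface's mask rather than /32) written out as a hand-written pf ruleset fragment. This is an added example, not pfSense's generated ruleset and not anything posted in the thread; the addresses are the ones given in the thread, while the interface names em0/em1 and the CARP vhid and password are assumptions.

```pf
# Added example: hand-written pf.conf fragment modelling the setup in the thread.
# Interface names, vhid and CARP password are assumptions; addresses are the thread's.
ext_if = "em0"               # WAN: 134.214.116.244/22
int_if = "em1"               # LAN: 192.168.10.0/24
vip    = "134.214.116.30"    # CARP virtual IP on WAN. It must be configured with the
                             # WAN's /22 mask, not /32 (the "no interface with a matching
                             # subnet" error), e.g. on the pfSense 1.x FreeBSD base:
                             #   ifconfig carp0 vhid 1 pass <secret> 134.214.116.30/22
host   = "192.168.10.200"    # internal host behind the 1:1 mapping

# Default posture: nothing inbound on WAN is answered unless a later rule passes it.
# pf uses last-matching-rule-wins, so the pass rules below override this block.
block in log on $ext_if

# 1:1 (bidirectional) translation between the internal host and the VIP.
binat on $ext_if from $host to any -> $vip

# pf translates before it filters on inbound traffic, so a WAN rule for the
# translated TCP/UDP traffic must match the internal address, not the VIP.
pass in on $ext_if proto { tcp udp } from any to $host keep state

# Per the reply above, pfSense does not translate ICMP, so an echo request to the
# VIP is answered by the CARP address itself: the rule's destination is the VIP.
pass in on $ext_if inet proto icmp from any to $vip icmp-type echoreq keep state
```

    The useful check while debugging a rule like this is Status > System logs, Firewall (pfctl -s rules and pfctl -s nat on the shell): a blocked entry with the VIP as destination means the ICMP rule is missing or wrong, while a blocked entry with the internal 192.168.10.200 address as destination means the TCP/UDP rule was written against the VIP instead of the post-translation address.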



  • The same message:
    Sorry, we could not locate an interface with a matching subnet for 134.214.116.30/22. Please add an ip in this subnet on a real interface

    Note that on WAN I use the 134.214.116.x/22 subnet and on the LAN side 192.168.10.x/24.



  • Is your WAN VIP part of the original WAN subnet? If not CARP won't be an option here.



  • Yes,
    my main Internet IP address is 134.214.116.244/22 … in the same range.



  • So? Is it a bug?



  • I don't have the possibility to test atm. It used to work.



  • I moved my LAN network from 192.168.10.0/24 to 134.214.0.0/22.

    Now I can use CRAP for virtual IPs, but I still cannot ping the VIP from outside.

    But now I can ping them from the pfSense LAN side…. Strange!!

    Looks like NAT 1:1 is working one way.



  • ICMP is not NATted. You have to allow ICMP to your WAN VIP. Btw, it's CARP and not CRAP ;)



  • Already done, but still not working.



  • Hi,

    I have downgraded to the 1.0.1 release (29 October) and configured the CARP VIP, NAT and rules again … and it works! I can ping the VIP from outside.
    I have added 3 other NATted VIPs and rebooted... now it doesn't work again and it is impossible to get it working!
    Firewall logs don't show any blocked ICMP to the VIP or NATted IP.

    Strange!!?



  • I am now using the 15/03 snapshot … and VIPs are not pingable from outside!!



  • It works now with the latest snapshot (23-03-2007)!!

    But is there any chance to have NAT 1:1 with AppleTalk compatibility?

