Netgate Discussion Forum

SOLVED : accessing internal network from wan side

28 Posts 3 Posters 9.4k Views
    hchady
    last edited by Mar 26, 2007, 3:34 PM Mar 1, 2007, 3:01 PM

    Hello,

    I have a pfSense box connected to a campus network (by WAN 134.214.116.X/22) to serve wireless clients with captive portal login.
    All PCs are configured by static DHCP (192.168.10.0/24), and "register static DHCP in DNS forwarder" is checked.

    Now, wireless clients behind pfSense can see and communicate (Windows networking) with each other and all other PCs on the campus network.
    But the problem is that wireless users are not reachable from any of the campus network.

    Any idea how to resolve this?

    thanks

    chady

      hoba
      last edited by Mar 1, 2007, 4:42 PM

      Is this a NAT or routing setup? If it's a NAT setup you would need a lot of IPs to 1:1 NAT them and allow access to them. However, it's getting quite confusing as their campus IP would be different from their private IP. If you do routing you only have to add firewall rules. However, all clients on the campus network would then need a route back to your subnet.

        hchady
        last edited by Mar 1, 2007, 6:09 PM

        pfSense is acting as a gateway… so it is a NAT setup.
        I have tried 1:1 NAT for some IPs (I have also added a virtual IP). In this way the internal IP is seen as a public IP and I can ping from LAN to outside, but pings are not possible from a PC on the campus to the public IP used for 1:1 NAT.

          hoba
          last edited by Mar 1, 2007, 6:42 PM

          Probably a firewall rule issue. Check your rules and Status > System Logs, Firewall tab for blocked traffic.

            hchady
            last edited by Mar 2, 2007, 9:02 AM

            Maybe; I also cannot ping the server WAN address from outside.

              hoba
              last edited by Mar 2, 2007, 2:37 PM

              By default the pfSense doesn't answer to anything at WAN. You have to add rules for everything that should be allowed. Not answering to pings is default behaviour.

                hchady
                last edited by Mar 5, 2007, 8:42 AM

                Hi,
                I have added a rule on the WAN interface: any to any, but pfSense is still not pingable.

                  Perry
                  last edited by Mar 5, 2007, 9:25 AM

                  My way (default pfSense install ) echo from wan

                  ping.JPG

                  /Perry
                  doc.pfsense.org

                    hchady
                    last edited by Mar 5, 2007, 9:50 AM

                    still not working here

                      hoba
                      last edited by Mar 5, 2007, 12:09 PM

                      Do you see the blocked traffic at Status > System Logs, Firewall? If yes, your rules are not correct. If no, something in front of you is already filtering the traffic.

                        hchady
                        last edited by Mar 5, 2007, 12:34 PM

                        I see a lot of blocked rules/IPs.

                        The actual rule I have now on the WAN interface is:
                        Interface : WAN
                        Source : Any
                        Destination : LAN subnet

                        What should I change?


                        pfsense WAN IP : 134.214.116.244
                        VIP : 134.214.116.30
                        NAT 1:1 : 134.214.116.30 to internal IP : 192.168.10.200

                          hchady
                          last edited by Mar 5, 2007, 2:16 PM Mar 5, 2007, 2:11 PM

                          Now, after a reboot, only the WAN IP address is pingable from outside, but not the virtual IPs.

                          The system log shows that ping requests are blocked at the WAN side.

                          Rules:
                          Interface : WAN
                          Source : Any
                          Destination : 134.214.116.30

                          and

                          Interface : WAN
                          Source : Any
                          Destination : WAN address

                          Protocol : Any in both cases

                            hoba
                            last edited by Mar 5, 2007, 6:14 PM

                            What version are you running? Sounds like 1.0 which had a rule apply bug under some circumstances. I recommend upgrading.

                              hchady
                              last edited by Mar 6, 2007, 9:10 AM Mar 6, 2007, 9:07 AM

                              I am running the 27-02- Snapshot.
                              I am sure that it is a firewall problem because I see in the syslogs that pings to my VIP are blocked…

                                hoba
                                last edited by Mar 6, 2007, 11:59 AM

                                Btw, we do not redirect protocol ICMP, so this won't be NATed. In case you want to make the VIP pingable you have to use type CARP (currently the only virtual IP type that allows for ICMP) and add a firewall rule at WAN for protocol ICMP, source any, destination virtual WAN IP.

                                  hchady
                                  last edited by Mar 6, 2007, 12:33 PM

                                  That is exactly what I have done, but with Proxy ARP.

                                  If I move to CARP, I get this error message:
                                  Sorry, we could not locate an interface with a matching subnet for 134.214.116.30/32. Please add an ip in this subnet on a real interface

                                    hoba
                                    last edited by Mar 6, 2007, 12:35 PM

                                    CARP IPs have to use the real interface's subnet, not /32.

                                      hchady
                                      last edited by Mar 6, 2007, 12:53 PM

                                      The same message:
                                      Sorry, we could not locate an interface with a matching subnet for 134.214.116.30/22. Please add an ip in this subnet on a real interface

                                      Note that on WAN I use the 134.214.116.x/22 subnet and on the LAN side: 192.168.10.x/24

                                        hoba
                                        last edited by Mar 6, 2007, 1:12 PM

                                        Is your WAN VIP part of the original WAN subnet? If not, CARP won't be an option here.

                                          hchady
                                          last edited by Mar 6, 2007, 1:16 PM

                                          Yes,
                                          my main internet IP address is 134.214.116.244 /22 … in the same range
