Help on setting up WAN - LAN Routing and Port Forwarding



  • I have installed pfSense on a virtual machine with two network interfaces.
    Both interfaces are bridged.

    I have one ADSL modem router (ZTX) with IP 192.168.1.1,
    and my first interface on pfSense, for the WAN, has the IP 192.168.1.2 with 192.168.1.1 as gateway.
    The other interface, for the LAN, has 192.168.180.1.100 / 255.255.255.0 / 192.168.1.2 (gateway).

    I have a client with static IP 192.168.1.200 on the LAN that runs a web server on port 80.

    I also installed the Squid proxy on pfSense.
    Everything is working for the clients; they have internet access and go out to the internet through the WAN interface.

    Now, how can I publish the web server to the outside? How do I forward port 80 so that if anyone hits the ADSL IP it is forwarded to my LAN web server?
    I have an FTP server on another computer inside the LAN that I believe will be redirected with the same procedure.

    I don't want to use the forwarding module of the ADSL router to forward port 80.

    And how can I also restrict everyone from going through the gateway 192.168.1.1 and make them always use 192.168.1.2 (the pfSense gateway)?

    ???



  • If your users are on the 192.168.1.0/24 network, and they are getting DHCP from the modem, they will probably get the gateway of 192.168.1.1. pfSense by default will block private IPs, and using a gateway of 192.168.1.2 will not allow traffic to pass. Your users and server need to be in 192.168.180.0/24 for pfSense to properly pass traffic.

    Even still, since pfSense is not the edge router (NAT from the ZTX), you are going to have to use the modem's port forward to push that traffic to pfSense, which can then push it to the web server.

    If you let pfSense handle the DSL authentication, you can generally have it pull an IP directly. You will need to put your DSL modem in bridge mode for that to work.



  • @podilarius:

    If your users are on the 192.168.1.0/24 network, and they are getting DHCP from the modem, they will probably get the gateway of 192.168.1.1. pfSense by default will block private IPs, and using a gateway of 192.168.1.2 will not allow traffic to pass. Your users and server need to be in 192.168.180.0/24 for pfSense to properly pass traffic.

    Even still, since pfSense is not the edge router (NAT from the ZTX), you are going to have to use the modem's port forward to push that traffic to pfSense, which can then push it to the web server.

    If you let pfSense handle the DSL authentication, you can generally have it pull an IP directly. You will need to put your DSL modem in bridge mode for that to work.

    Thank you for your reply.
    I have DHCP enabled on pfSense (and I made a mistake: the LAN interface for the clients is 192.168.1.100, not 192.168.(180).).

    The LAN interface is on 192.168.1.0/24 and I have 2 servers: one is web on .100 and the other one is FTP on .200.

    All the clients and also the servers have the pfSense 192.168.1.2 as gateway, and pfSense is also connected to the "WAN" 192.168.1.1.

    I have set the ADSL modem to forward all the ports 10-10000 to the pfSense WAN interface (192.168.1.2). I don't know if this is the first step, and what I should set up
    on pfSense in NAT in order to move ports 80 and 21 to the two servers.



  • Thanks for the clarification on the setup. You have a configuration problem. You must have separate networks on WAN and LAN. They cannot be the same unless you are bridging; otherwise pfSense will not route traffic properly. You should not be able to ping your router from within the LAN, as pfSense will never be contacted. I do see how this could work for internet addresses. You can try the port forward setup so that port 80 gets forwarded over to the server, but this is not a clean setup and I would be unsure of the behavior.



  • This is what my scenario looks like:
    ISP -> Router -> pfSense for firewall, proxy, gateway etc. -> LAN + 2 servers with ports 80 and 21 open




  • This is pretty much how I imagined it. Having the same subnets on both sides of the firewall is not a good idea unless you are running a filtering bridge. If you are not, then you will want to change the setup to be something like:

    ISP <---> Modem (192.168.1.1) <---> (192.168.1.2) pfSense (192.168.2.1) <---> Switch <---> (192.168.2.100) Server

    This is still a double NAT, but it is more "correct" and will route traffic much better.

    My setup is:

    ISP <----> Modem in bridge <----> (Real External IP) pfSense (private internal IP) <---> switch
    My pfSense does my ISP authentication.



  • @podilarius:

    This is pretty much how I imagined it. Having the same subnets on both sides of the firewall is not a good idea unless you are running a filtering bridge. If you are not, then you will want to change the setup to be something like:

    ISP <---> Modem (192.168.1.1) <---> (192.168.1.2) pfSense (192.168.2.1) <---> Switch <---> (192.168.2.100) Server

    This is still a double NAT, but it is more "correct" and will route traffic much better.

    My setup is:

    ISP <----> Modem in bridge <----> (Real External IP) pfSense (private internal IP) <---> switch
    My pfSense does my ISP authentication.

    Let's say that my modem has the IP 10.0.0.1 and the other end, pfSense, has 10.0.0.2 (WAN) and 192.168.1.1 (LAN).

    None of my LAN can access the modem because they are on another network; pfSense routes the traffic correctly between clients and modem.
    For example a client with IP 192.168.1.100 and gateway 192.168.1.1 can surf.
    Now the point is how I can forward port 80 from my ISP IP to this client….

    All ports from the modem are forwarded to 10.0.0.1 and I want the incoming traffic from my ISP on port 80 to go directly to the 192.168.1.100 web server for reply.

    Is there any solution?



  • At present, from what you say, INCOMING traffic on port 80 is basically being forwarded by your modem/router to pfSense.
    So all you should need to do is simply add a port forwarding rule for port 80 to the IP of your server.

    So in the Firewall menu select NAT, then create a new rule under the Port Forward tab.
    Set these settings:
    Interface -> WAN
    Protocol -> TCP
    Destination -> WAN Address
    Destination Port Range -> HTTP (port 80)
    Redirect Target IP -> 192.168.1.100
    Filter Rule Association -> Create Associated Filter Rule

    Other stuff can, I think, be left as default.

    And that should be it…. It's just a simple port forward operation really, unless I'm misreading something.
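To show what the GUI steps above produce underneath, and how they fit the corrected two-subnet topology podilarius sketched earlier (modem 10.0.0.1, pfSense WAN 10.0.0.2, LAN 192.168.1.1/24), here is a hand-written pf ruleset. This is an added example, not configuration from the thread or from pfSense itself; pfSense generates its own ruleset from the web GUI. The interface names em0/em1 are assumptions, and the FTP server at 192.168.1.200 is taken from the original poster's later message.

```pf
# Added example: pf rules equivalent to the GUI port forward described above.
# Interface names (em0, em1) are assumed; addresses come from the thread.
ext_if  = "em0"            # WAN: 10.0.0.2, default gateway 10.0.0.1 (the modem)
int_if  = "em1"            # LAN: 192.168.1.1/24
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.100"  # web server, port 80
ftp_srv = "192.168.1.200"  # FTP server, port 21 (control channel only, see note)

# Outbound NAT: LAN clients leave through the pfSense WAN address.
# The modem then performs the second NAT toward the ISP (double NAT).
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forwards (Firewall > NAT > Port Forward in the GUI).
# Only the two published ports are redirected; the modem should likewise
# forward only 80 and 21 to 10.0.0.2 rather than the whole 10-10000 range.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
rdr on $ext_if proto tcp from any to ($ext_if) port 21 -> $ftp_srv port 21

# Default deny on WAN; everything not explicitly passed is logged and dropped.
block in log on $ext_if all

# The "associated filter rule" the GUI creates for each forward: pf filters
# on the already-rewritten destination, so the pass rule names the LAN host.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $ftp_srv port 21 flags S/SA keep state

# LAN clients may reach anything; replies return through the state table.
pass in on $int_if from $lan_net to any keep state
pass out on $ext_if keep state
```

Two caveats a practitioner should keep in mind. First, the rdr rule only matches traffic arriving on the WAN interface, so LAN clients that try to reach the server by the public address will not be redirected unless NAT reflection is enabled; inside the LAN, use 192.168.1.100 directly. Second, FTP is not a single-port protocol: forwarding port 21 only carries the control channel, so passive-mode data connections need the server's passive port range forwarded as well (or pfSense's FTP helper), otherwise directory listings and transfers will stall after login.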

