Port forwarding with multiwan
-
My pfSense setup has 2 WAN + 1 LAN. The WANs are named WAN2 and WAN3. The WAN2 modem is directly connected to a NIC of the pfSense box. There is a Linksys router (let's call this the WAN3 router) between a NIC of the pfSense box and the WAN3 modem, to avoid the two modems potentially having the same gateway, since they are from the same ISP.
I am in another house right now trying to access all my devices connected to that pfsense network. Here are my port forwarding rules:
So basically I set up the WAN2 address as a dynDNS address and I want to access these internal IP addresses from here:
1.) 192.168.1.1 (pfsense web configurator)
2.) 192.168.102.2 (WAN2 modem configurator)
3.) 192.168.101.1 (WAN3 modem configurator)
4.) 192.168.1.2 (linksys wireless access point web configurator)
5.) 192.168.3.1 (WAN3 router web configurator)
6.) 192.168.1.200 (media server web configurator)
Now, numbers 1, 2, and 6 work with no problems. What I don't understand is why I can't seem to access numbers 3, 4, and 5? What could possibly be wrong with my rules?
By the way, the firewall rules for these NAT rules were automatically generated by pfsense already.
Hoping for some help here. Thanks.
-
Did you enable sticky connections?
-
Did you enable sticky connections?
No, the only setting I enabled under Advanced Settings is "Allow default gateway switching".
-
Try it with sticky connections.
-
Try it with sticky connections.
But I don't want to enable sticky connections, since I set my firewall to allow LAN traffic to load balance (combine) the speeds of both of my modems. Turning on sticky connections will not allow multi-threaded downloads from both modems.
I don't think that sticky connections is the problem here. As I've said, I can access numbers 1, 2, and 6 without any problems. There is something wrong with my rules but I don't know which one. Did you read the whole OP?
-
Perhaps you can go to Services -> Load Balancer and set up your virtual servers in there.
I would expect 4 to work also, but perhaps more information is needed. What are your interface IPs and subnets, and what are the default gateways of the ones that are not working? You could have a split route problem.
-
Perhaps you can go to Services -> Load Balancer and set up your virtual servers in there.
I would expect 4 to work also, but perhaps more information is needed. What are your interface IPs and subnets, and what are the default gateways of the ones that are not working? You could have a split route problem.
What's the difference between port forwarding and setting up virtual servers? They are both inbound connections, right?
Here's a snapshot of my interfaces:
I removed the MAC addresses of the three interfaces and the WAN2 IP and gateway from this picture (because these are external IPs provided by the ISP), mainly for security purposes.
What do you mean by split route problem?
-
Split route is when packets come in from one router and try to leave out another.
Virtual servers are for load balancing, whereas port forwards are not. I have not set this part up so I don't know the finer details.
-
None of this has any relation to sticky, don't enable it. And don't setup the load balancer, that's not what you want here.
#4 is almost certainly because that device has no default gateway configured. A less likely possibility but one we see on APs quite a bit is it refuses to use its default gateway. Packet capture on LAN filtering on that IP, if it goes out and gets no response, it's one of those.
#3 and #5 are harder to guess, check with packet capture to see what's leaving that interface.
-
@cmb:
None of this has any relation to sticky, don't enable it. And don't setup the load balancer, that's not what you want here.
#4 is almost certainly because that device has no default gateway configured. A less likely possibility but one we see on APs quite a bit is it refuses to use its default gateway. Packet capture on LAN filtering on that IP, if it goes out and gets no response, it's one of those.
#3 and #5 are harder to guess, check with packet capture to see what's leaving that interface.
Hmmm, I'm not sure what you mean. Can you give me some step-by-step troubleshooting?
-
BUMP!
-
Can anyone help me here? Really?
-
Packet capture by means of tcpdump on the LAN interface to see if the traffic from those devices is getting to the firewall. If it is not, then you have a network misconfiguration that you are going to have to correct. First is to ensure that all your devices are using the proper gateway. The WAN3 remote access, since it is a router itself, will not be using the pfSense firewall as its gateway. This will return traffic in a different direction than is intended. I don't think there is much you can do here except for accessing a machine behind pfSense and remoting to it, or doing some sort of source NAT to mask where you are coming from.
-
Packet capture by means of tcpdump on the LAN interface to see if the traffic from those devices is getting to the firewall. If it is not, then you have a network misconfiguration that you are going to have to correct. First is to ensure that all your devices are using the proper gateway. The WAN3 remote access, since it is a router itself, will not be using the pfSense firewall as its gateway. This will return traffic in a different direction than is intended. I don't think there is much you can do here except for accessing a machine behind pfSense and remoting to it, or doing some sort of source NAT to mask where you are coming from.
But from the LAN side I can properly connect to the WAN3 modem through the WAN3 gateway (WAN3 router)? That's what port forward does, right?
-
That is what port forward is doing and it is working correctly. The problem you have is a routing one.
The packet, when it gets to the destination, is going to have the same source. So if you come from an internet-based one with the port forward rule, you are only transforming the destination to get to the WAN3 address. When the packet gets to the WAN3 address, it sees a source from the internet and its internal routing tells it to go back a different way than it came.
When you are connecting from within the LAN, you are then using outbound NAT and transforming the source and not the destination. When the packet gets to WAN3, it sees the address of the FW and, since it is on the same network, returns the traffic to the FW. The firewall, since it has a state open, returns that traffic to the source computer.
If you are going to have internet-routable addresses coming in from WAN2 and crossing the firewall, then you are going to have to transform both the destination, with port forward, and the source, with manual outbound NAT.
I have never done this with pfSense, but I have and continue to do this with Linux and iptables (pre- and post-routing). It should be possible though.
You could always have a system up behind the FW to aid in managing those things.
-
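The DNAT-plus-SNAT pairing described in the reply above, written out as an added example for Linux iptables (the poster mentions doing this with pre- and post-routing; this is not the poster's script or a pfSense configuration). The interface names eth0/eth1, the external port 8082 and the firewall LAN address 192.168.1.1 are assumptions; the target 192.168.1.2 is the access point from the thread, which answers to the firewall's own LAN address even when it has no usable default gateway. On pfSense the same two steps are the port forward plus a manual outbound NAT rule on the LAN interface whose NAT address is the LAN interface address.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names/addresses:
#   WAN2=eth0       interface the Internet client reaches (the dynDNS one)
#   LAN=eth1        firewall's LAN interface, address 192.168.1.1
# Target 192.168.1.2 (the AP) does not route replies via 192.168.1.1, so a
# plain port forward (DNAT only) sends its SYN-ACK somewhere the firewall
# never sees. Rewriting the source to the firewall's LAN address makes the
# AP reply on-link to the firewall, which de-NATs it back to the real client.
WAN2=${WAN2:-eth0}
LAN=${LAN:-eth1}
FW_LAN_IP=${FW_LAN_IP:-192.168.1.1}
IPT=${IPT:-iptables}   # set IPT=echo to dry-run and only print the rules

# fwd_with_snat EXT_PORT TARGET_IP TARGET_PORT
# Emits/applies the three rules needed for one forwarded management UI.
fwd_with_snat() {
    ext=$1; tgt=$2; tport=$3
    # 1. DNAT on ingress (what a pfSense "port forward" does): rewrite the
    #    destination from the firewall's WAN2 address to the internal host.
    $IPT -t nat -A PREROUTING -i "$WAN2" -p tcp --dport "$ext" \
         -j DNAT --to-destination "$tgt:$tport"
    # 2. SNAT on egress towards the LAN (pfSense manual outbound NAT on LAN):
    #    the target now sees the firewall as the client and replies to it.
    $IPT -t nat -A POSTROUTING -o "$LAN" -p tcp -d "$tgt" --dport "$tport" \
         -j SNAT --to-source "$FW_LAN_IP"
    # 3. Allow the forwarded flow through the filter table (pfSense generates
    #    the matching firewall rule automatically; iptables does not).
    $IPT -A FORWARD -i "$WAN2" -o "$LAN" -p tcp -d "$tgt" --dport "$tport" \
         -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Usage (external 8082 -> AP web UI 192.168.1.2:80); dry-run first:
#   IPT=echo sh thisscript.sh   then   fwd_with_snat 8082 192.168.1.2 80
```

Before and after applying the rules, `tcpdump -ni eth1 host 192.168.1.2` on the firewall shows the difference: with DNAT alone you see the SYN leave towards the AP and nothing come back; with the SNAT rule the SYN carries 192.168.1.1 as source and the SYN-ACK returns on the same interface. The trade-off is that the AP's own logs now record every remote admin session as coming from 192.168.1.1, so the firewall's state table or its own logging is the only place the real client address is kept.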
That is what port forward is doing and it is working correctly. The problem you have is a routing one.
The packet, when it gets to the destination, is going to have the same source. So if you come from an internet-based one with the port forward rule, you are only transforming the destination to get to the WAN3 address. When the packet gets to the WAN3 address, it sees a source from the internet and its internal routing tells it to go back a different way than it came.
When you are connecting from within the LAN, you are then using outbound NAT and transforming the source and not the destination. When the packet gets to WAN3, it sees the address of the FW and, since it is on the same network, returns the traffic to the FW. The firewall, since it has a state open, returns that traffic to the source computer.
If you are going to have internet-routable addresses coming in from WAN2 and crossing the firewall, then you are going to have to transform both the destination, with port forward, and the source, with manual outbound NAT.
I have never done this with pfSense, but I have and continue to do this with Linux and iptables (pre- and post-routing). It should be possible though.
You could always have a system up behind the FW to aid in managing those things.
Oh ok, I understand. What I don't understand though is why I can access the WAN2 modem (192.168.102.2) but not the wifi access point (192.168.1.2) when they are both directly connected to the interfaces installed in the FW?
-
As cmb said, it could have no gateway or it does not use it. It is best to put a tcpdump on the pfSense LAN while you try to access it and see if it is returning any packets. If not, then your AP is either not configured correctly or just ignores your settings.
-
As cmb said, it could have no gateway or it does not use it. It is best to put a tcpdump on the pfSense LAN while you try to access it and see if it is returning any packets. If not, then your AP is either not configured correctly or just ignores your settings.
Ok, so that's my first step in this troubleshooting. Should I post the results here?