Access wireless AP on the LAN side from the internet
-
What?? That is from your router, thought you said the pfsense wan IP was in the DMZ..
"In my router set DMZ: 192.168.11.17"
There is no reason to forward anything then on your "router". Placement of the pfsense wan IP in the DMZ or "exposed host" as some routers call it means all UNSOLICITED traffic that ends up at your router's wan of that 82.x address that does not currently match up with a state on your router will be sent on to your pfsense wan IP, i.e. the 192.168.11.17.
So you have to forward this traffic on your pfsense box to wlan AP – whatever port that might be.
-
I have DMZ set to 192.168.11.17; I uploaded the wrong picture.
But I forgot to remove the port forward, so I have both.
Who will please log in and help me out?
I'm totally lost now.
Why must I learn it the hard way :'(
-
Hard way? What?
Dude, if I log in and fix it for you - what have you learned other than to have someone log in and fix it when you don't understand?
It's basic port forwarding - at a loss as to why you do not get it.
Pfsense is natting from 192.168.11.17 to IPs in the 192.168.1.x range. If you want to access port X on 192.168.1.2 then you need to tell pfsense to forward port X to port X to 192.168.1.2.
That's all there is to it. Your DMZ setting on your first router forwards ALL ports coming from the internet to your pfsense IP, now you just need to tell pfsense where to send this port X.
You sure as hell do not need any special route commands in your double nat setup from what you have posted.
But what I am curious on is WHY you have a router in front of your pfsense in the first place? What are the makes and models of your modem and router? Maybe it's just the fact that you have a double nat setup that is confusing you? Maybe we can remove that for you? Please post up the make and model numbers of your modem and router and we can look up if we can.
-
Whilst I agree that double NAT is bad it will almost certainly work fine and you can work on bridging your modem later.
You have your port forwarding setup wrong on pfSense. You should have Destination address as your WAN IP and NAT IP set to your internal WLAN access point. See my screenshot as an example.
Steve
-
So now I only have DMZ to 192.168.11.17
and a NAT rule (see picture).
In my web browser I type: http://82.73.xxx.xxx:20000
and after 20 sec I get "webpage cannot be found"
-
And are you doing that from OUTSIDE your network?? And you're sure your AP web gui interface is listening on 20000, you can access that using http://192.168.1.2:20000
edit
And that forward does not look right either - and did you let it create your firewall rule? See how for dest in the nat it says wan address. Wondering if putting in direct address like that might screw up your auto firewall rules?
A way you can check if the forward is working is to use canyouseeme.org – see my test to my slingbox port on 5001
-
I changed it
-
Created WAN rule (automatically).
canyouseeme.org says port 20000 blocked (timed out).
So I type http://82.73.xxx.xxx:20000 and nothing happens (of course).
-
Just a "friendly" advice, don't "put" your public IP address on a public forum, also, PLEASE change the default admin password of your pfSense
-
You could try connecting from a machine in the LAN of your router. This would prove your pfSense portforward and firewall rules.
You must have something right because I am able to connect to your pfSense box on https://redacted:18474/
Steve
Edit: Yes change your Password! ::)
Though that did enable me to see your port forward is now on port 24000 and for me this returns: "invalid request" so perhaps your AP has a restriction on where you are allowed to connect to its admin interface.
-
Holy shit,
I'm so into it that I gave away my public IP ;D
Steve, can you remove my public IP please!!!!!
-
I'm playing with the port numbers but I've set them back to 20000.
Can you please log in again and see what's wrong?
-
I've enabled logging on the firewall rule associated with the port forward and I can see my requests being allowed but nothing is being returned.
Have you set the AP web interface to port 20000?
Another possibility is that there is no return route. Though that seems unlikely.
Steve
-
Port 3475 access router is open (canyouseeme.org)
Port 18474 access pfsense is open (canyouseeme.org)
Port 20000 is closed
According to the NAT rule it must be open, or am I wrong?
-
And again!!! Can you connect from your lan machine to http://192.168.1.2:20000
Not sure if you're just making these ports up or what?
You can do a nat all day long - if that's not the port it's listening on it's not going to work. Nor if you have the firewall wan rule that allows the traffic it's not going to work either.
I find it unlikely that your isp is blocking that port but allowing your other 18k port something.
Other issue you can run into is if your router in front of your pfsense is blocking that port specifically, or is forwarding it to something else that doesn't work, then it would show closed, etc.
We are at three pages on something that takes literally 3.2 seconds to do.
edit - also as mentioned already it's possible your AP blocks access to this gui from networks other than its local network, etc.
-
I can access my WLAN AP by http://192.168.1.2:20000
-
Look at my picture.
It's working from my LAN..
-
What specific device is this so we can look up the manual to see if it blocks access to its gui, etc.
edit: this has really gone on way too long. If you PM me your ip and login info I will get in and take a look.
-
Ok, looking at your pfSense config I see you are using a static IP on your AP. Have you set a gateway and DNS servers?
If you haven't then it will not have a return route for web requests except that from inside its own subnet.
That is what we are seeing.
Steve
-
Thanks for letting me into your router as well as the pfsense - that was the key. I would highly suggest you make harder passwords. And even think hard and long as to why you would want to allow remote access into your router in the first place. Better option is VPN into your network, and then access your stuff via the vpn connection. This is going to be way more secure than just web gui open to the public.
Here is your problem - you have UPnP forwarding that 20000 port to a different IP.
I would really suggest you TURN OFF UPnP!!
This overrides your DMZ host for those ports, I mentioned that as possible problem a few posts back ;)
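
The failure points raised across this thread (UPnP or a static forward taking precedence over the DMZ host, a missing pfSense NAT or WAN rule, the wrong listening port, an AP with no gateway), as an added example that is not part of any post: a small Python model that traces one unsolicited inbound connection through the double-NAT path. The class and function names, the UPnP target 192.168.11.50 and the gateway 192.168.1.1 are constructed assumptions; the lookup order on the edge router is modelled on what the last post describes.

```python
# Toy model of the thread's double-NAT path (constructed values, not a real config).
from dataclasses import dataclass, field

@dataclass
class EdgeRouter:
    dmz_host: str = ""
    port_forwards: dict = field(default_factory=dict)  # static: port -> (ip, port)
    upnp_mappings: dict = field(default_factory=dict)  # dynamic, requested by LAN clients

    def route_inbound(self, port):
        # Explicit mappings (static or UPnP) win; the DMZ host only gets what is left.
        for table, label in ((self.port_forwards, "port-forward"),
                             (self.upnp_mappings, "upnp")):
            if port in table:
                return table[port], label
        if self.dmz_host:
            return (self.dmz_host, port), "dmz"
        return None, "dropped"

@dataclass
class Pfsense:
    wan_ip: str
    nat_rules: dict = field(default_factory=dict)  # WAN port -> (LAN ip, port)
    wan_allow: set = field(default_factory=set)    # ports with a WAN pass rule

    def route_inbound(self, dst_ip, port):
        if dst_ip != self.wan_ip or port not in self.nat_rules or port not in self.wan_allow:
            return None
        return self.nat_rules[port]

def trace(edge, fw, listeners, gateways, port):
    """Return the first hop at which an unsolicited inbound connection fails."""
    target, how = edge.route_inbound(port)
    if target is None:
        return "edge router: no mapping and no DMZ host"
    if target[0] != fw.wan_ip:
        return f"edge router: {how} sends port {port} to {target[0]}, not pfSense"
    inner = fw.route_inbound(*target)
    if inner is None:
        return "pfSense: no NAT rule or no WAN pass rule"
    if inner not in listeners:
        return f"{inner[0]}: nothing listening on {inner[1]}"
    if not gateways.get(inner[0]):
        return f"{inner[0]}: no default gateway, reply never leaves the subnet"
    return f"reachable via {how}"

def demo():
    edge = EdgeRouter("192.168.11.17", upnp_mappings={20000: ("192.168.11.50", 20000)})
    fw = Pfsense("192.168.11.17", {20000: ("192.168.1.2", 20000)}, {20000})
    return trace(edge, fw, {("192.168.1.2", 20000)}, {"192.168.1.2": "192.168.1.1"}, 20000)
```
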