    Access wireless AP on the Lan side from internet

      taktje

      So now I only have DMZ to 192.168.11.17
      and a NAT rule (see picture)

      In my web browser I type: http://82.73.xxx.xxx:20000

      and after 20 sec I get "webpage cannot be found"

      5.JPG

        johnpoz LAYER 8 Global Moderator

        and are you doing that from OUTSIDE your network??  And you're sure your AP web gui interface is listening on 20000, you can access that using http://192.168.1.2:20000

        edit
        And that forward does not look right either - and did you let it create your firewall rule?

        See how for dest in the nat it says wan address.  Wondering if putting in direct address like that might screw up your auto firewall rules?

        A way you can check if the forward is working is to use canyouseeme.org – see my test to my slingbox port on 5001

        destaddress-wan.jpg
        firewallrulesfornats.jpg
        canyouseeme.jpg

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          taktje

          I changed it

          6.JPG

            taktje

            created WAN rule (automatically)

            canyouseeme.org says port 20000 blocked (timed out)

            So I type http://82.73.xxx.xxx:20000 nothing happens (of course)

            7.JPG

              ptt Rebel Alliance

              Just a "friendly" advice, don't "put" your public IP address on a public forum, also, PLEASE change the default admin password of your pfSense

                stephenw10 Netgate Administrator

                You could try connecting from a machine in the LAN of your router. This would prove your pfSense portforward and firewall rules.
                You must have something right because I am able to connect to your pfSense box on https://redacted:18474/

                Steve

                Edit: Yes change your Password!  ::)

                Though that did enable me to see your port forward is now on port 24000 and for me this returns: "invalid request" so perhaps your AP has a restriction on where you are allowed to connect to its admin interface.

                  taktje

                  holy shit,

                  I'm so into it that I gave away my public IP ;D ;D ;D ;D ;D

                  steve can you remove my public ip please!!!!!

                    taktje

                    I'm playing with the port numbers but I've set them back to 20000
                    can you please log in again and see what's wrong?

                      stephenw10 Netgate Administrator

                      I've enabled logging on the firewall rule associated with the port forward and I can see my requests being allowed but nothing is being returned.
                      Have you set the AP web interface to port 20000?
                      Another possibility is that there is no return route. Though that seems unlikely.

                      Steve

                        taktje

                        port 3475 access router is open (canyouseeme.org)
                        port 18474 access pfSense is open (canyouseeme.org)

                        port 20000 is closed
                        according to the NAT rule it must be open, or am I wrong

                          johnpoz LAYER 8 Global Moderator

                          And again!!!  Can you connect from your LAN machine to http://192.168.1.2:20000

                          Not sure if you're just making these ports up or what?

                          You can do a NAT all day long - if that's not the port it's listening on it's not going to work.  Nor if you have the firewall WAN rule that allows the traffic it's not going to work either.

                          I find it unlikely that your isp is blocking that port but allowing your other 18k port something.

                          Other issue you can run into is if your router in front of your pfsense is blocking that port specific, or is forwarding it to something else that doesn't work then it would show closed, etc.

                          We are at three pages on something that takes literally 3.2 seconds to do.

                          edit - also as mentioned already it's possible your AP blocks access to this GUI from networks other than its local network, etc.

                            taktje

                            I can access my WLAN AP by http://192.168.1.2:20000

                              taktje

                              look at my picture.

                              It's working from my lan..

                              8.JPG

                                johnpoz LAYER 8 Global Moderator

                                What specific device is this so we can look up the manual to see if it blocks access to its gui, etc.

                                edit:  this has really gone on way too long.  If you PM me your ip and login info I will get in and take a look.

                                  stephenw10 Netgate Administrator

                                  Ok, looking at your pfSense config I see you are using a static IP on your AP. Have you set a gateway and DNS servers?
                                  If you haven't then it will not have a return route for web requests except those from inside its own subnet.
                                  That is what we are seeing.

                                  Steve

                                    johnpoz LAYER 8 Global Moderator

                                    Thanks for letting me into your router as well as the pfSense - that was the key.  I would highly suggest you make harder passwords.  And even think hard and long as to why you would want to allow remote access into your router in the first place.  Better option is to VPN into your network, and then access your stuff via the VPN connection.  This is going to be way more secure than just a web GUI open to the public.

                                    Here is your problem - you have UPnP forwarding that 20000 port to a different IP.

                                    I would really suggest you TURN OFF UPnP!!

                                    This overrides your DMZ host for those ports, I mentioned that as a possible problem a few posts back ;)

                                    problem.jpg

                                      taktje

                                      my Wlan AP

                                      webport set

                                      Network settings

                                      10.JPG
                                      9.JPG

                                        johnpoz LAYER 8 Global Moderator

                                        I can get back in and fix it for you.. But now that you know what the problem is - you can fix it yourself I think ;)

                                          stephenw10 Netgate Administrator

                                          Nice spot.  ;)
                                          I totally missed that.

                                          Steve

                                            johnpoz LAYER 8 Global Moderator

                                            Also while I was on your router "TL-WR1043ND"  And yup public on its WAN – so why do you have that router in front of your pfSense box??  At a loss as to why you want to double NAT like you're doing?
