Access wireless AP on the Lan side from internet
-
And again!!! Can you connect from your lan machine to http:\192.168.1.2:20000
Not sure if you just making these ports up or what?
You can do a nat all day long - if thats not the port its listening on its not going to work. Nor if you have the firewall wan rule that allows the traffic its not going to work either.
I find it unlikely that your isp is blocking that port but allowing your other 18k port something.
Other issue you can run into is if your router in front of your pfsense is blocking that port specific, or is forwarding it to something else that doesn't work then it would show closed, etc.
We are at three pages on something that takes literally 3.2 seconds to do.
edit - also as mentioned already its possible your AP blocks access to this gui from network other than its local network, etc.
-
i can acces my Wlan AP by http://192.168.1.2:20000
-
look at my picture.
It's working from my lan..
-
What specific device is this so we can look up the manual to see if it blocks access to its gui, etc.
edit: this has really gone on way too long. If you PM me your ip and login info I will get in and take a look.
-
Ok, looking at your pfSense config I see you are using a static IP on your AP. Have you set a gateway and DNS servers?
If you haven't then it will not have a return route for web requests except that from inside it's own subnet.
That is what we are seeing.Steve
-
Thanks for letting me to your router as well as the pfsense - that was the key. I would highly suggest you make harder passwords. And even think hard and long to why you would want to allow remote access into your router in the first place. Better option is VPN into your network, and then access your stuff via the vpn connection. This is going to be way more secure than just web gui open to the public.
here is your problem - you have UPnP forwarding that 20000 port to a different IP.
I would really suggest you TURN OFF UPnP!!
This over rides your DMZ host for those ports, I mentioned that as possible problem a few posts back ;)
-
my Wlan AP
webport set
Network settings
-
I can can get back in and fix it for you.. But now that you know what the problem is - you can fix it yourself I think ;)
-
Nice spot. ;)
I totally missed that.Steve
-
Also while I was on your router "TL-WR1043ND" And yup public on its wan – so why do you have that router in front of your pfsense box?? At a loss to why you want to double nat like your doing?
-
It doesn't explain why it didn't work at port 24000 though. Or that I could see in the logs traffic being correctly forwarded in pfSense. :-\
Steve
-
Upnp disabled but still can't loggin.
-
I don't know why it wouldn't of worked on 24000, unless he didn't change his AP to that port? He had some bad state on his pfsense for that port? Or his router in front of his pfsense - with ports above 1024 on a nat box handling multiple machines it looks like - its quite possible there was a state already for 24000.
From his UPnP he is running torrents, so those are going to create lots and lots of connections.. So you have no idea how many states are already in play. So say his router had a state where 24000 source on its wan. And then some other connection came in for that - what would it do? Would it not allow the connection because not same IP as the state, or would it forward to send it on through - depends on what type of nat that router was set for.
Double NAT not good idea - you can have all kinds of weird shit happen ;)
-
Read my above posts about states! And nats!
-
What about my Wlan AP Network settings(see picture in previous post)?
-
Dude you got some really funked up settings.. Why are you cloning to this mac on your wan of that router 00-21-00-0E-E1-55, and what does that match up with?
Why do you have target settings? for something? From the dhcp log – you have pfsense wan on dhcp, and there are other devices on this 192.168.11 network as well..
I did not see anywhere a place to clear the states on your router -- I would reboot it. This will make sure your states are clear on it, and then we can try and access and verify that the 20000 port hits the pfsense even if not working, etc.
-
i did mac binding so my pfsense box always gets the same ip
and i will reboot my router now
-
It looks like it's definitely getting through pfSense but not back again to me.
For example look at the attched state table. You can see myself connected to the pfSense webgui and trying to connect to the AP.
It's clearly opening states to do it.Steve
-
mac binding?? That is not cloning which is what I saw you had - that has nothing to do with getting the same IP from a dhcp reservation.
Also – you clearly had looks like utorrent traffic going to both ports 24000 and 20000
Jun 22 22:58:46 WAN 79.112.184.127:59451 192.168.11.17:20000 UDP
block
Jun 22 22:58:53 WAN 178.75.95.24:24780 192.168.11.17:20000 UDP
block
Jun 22 22:58:53 WAN 95.65.56.78:42209 192.168.11.17:24000 UDP
block
Jun 22 22:58:55 WAN 114.203.243.49:32177 192.168.11.17:24000 UDP
block
Jun 22 22:58:56 WAN 177.9.61.145:19731 192.168.11.17:24000 UDP
block
Jun 22 22:58:56 WAN 202.161.233.70:12395 192.168.11.17:24000 UDP
block
Jun 22 22:58:56 WAN 62.43.135.1:15937 192.168.11.17:24000 UDP
block
Jun 22 22:58:58 WAN 194.144.80.242:39754 192.168.11.17:24000 UDP
block
Jun 22 22:58:59 WAN 82.159.1.187:42846 192.168.11.17:24000 UDP
block
Jun 22 22:58:59 WAN 178.75.95.24:24780 192.168.11.17:20000 UDP
block
Jun 22 22:59:00 WAN 194.144.80.242:39754 192.168.11.17:24000 UDP -
What I would suggest you do is take this router out of the picture all together?
Why do you have it in front of pfsense - which I can assure you is a much more feature rich/robust router/firewall that that tp-link soho box.
If you want to use the tp for ports, sure it can be a dump switch/ap just fine - there is little reason to have it NATing your public internet connection to private, just to do it again with pfsense.
At a loss to why anyone does this??
