Help - new install



  • Hi there

    I'm trying to use pfSense as a perimeter firewall.  I have one internal LAN host (Open-E SAN) on 192.168.0.220
    and I'm trying to ping it from the WAN side and connect to it on port 80 and SSH.

    The WAN address 177.12.107.5 is on a /26 network and the LAN address on /31 (255.255.255.0)

    I think I need to set up a 1:1 mapping in Firewall -> NAT -> 1:1 but I don't understand which fields
    I need to set up. There are four in NAT -> 1:1 :

    Interface -> WAN
    External subnet IP -> 177.12.107.5
    Internal IP -> any
    Destination -> Single host or alias -> 192.168.1.220/31

    Is this correct please, and do I need to set up a rule in the outbound NAT to route port 80 and SSH
    traffic back out? I can't ping 177.12.107.5 nor connect on port 80 or SSH at the moment. Do I need
    to set up any Virtual IPs or anything else?

    Many thanks
    Dude



  • First, 255.255.255.0 is not a /31, it is a /24. Second, neither a /31 nor a /24 subnet on 192.168.0.220 would be able to get to 192.168.1.220, unless there is a typo in your post.

    You don't need to set up any NAT if you just want to get to the GUI on the WAN address. Just set up the firewall rules to allow port 80 and 443 (or any custom port you set) to the WAN address (an actual option in the firewall rule edit wizard).

    You must remember that the default rule is to drop all packets. This is the last rule in the chain, so you must allow traffic; this also includes the ICMP protocol for you to be able to ping the WAN address.



  • @BigLebowski:

    The WAN address 177.12.107.5 is on a /26 network and the LAN address on /31 (255.255.255.0)

    
    255.255.255.0   == /24
    255.255.255.196 == /26
    255.255.255.254 == /31
    
    

    And the minimum subnet which works is /30, and the addresses used are: subnet name, host1 (usually gw), host2 and broadcast



  • Thanks guys

    The /31 was a typo, the internal range is indeed /24. I got the "/31" from the Firewall: NAT: 1:1 -> Internal IP setting (greyed out in Single host -> Single host or alias box). Why is /31 in there by default?

    I want to be able to ping 192.168.1.220 from any external WAN IP (by pinging 177.12.107.5 which should be routed via the external /26 WAN network). Then, once that's working, I want to SSH to 192.168.1.220 (again via 177.12.107.5) and access it on port 80 from anywhere.

    I am unsure about how to set this up. Does it require just one entry in the Firewall: NAT: 1:1 table, or do I also need to set up NAT -> Port Forward and/or NAT -> Outbound and/or NAT -> Virtual IPs? And do I also need to create any firewall rules?

    As you can tell I'm a newbie to this.

    Thanks again
    Dude



  • You could do web browsing and SSH access easily with a port forward, but that doesn't support ICMP.
    I'm sorry to say that I don't have the possibility to test 1:1 NAT.



  • I've set up the following 1:1 rule, but I still can't ping, SSH or telnet to port 80 on 177.12.107.5:

    Interface -> WAN
    External subnet IP -> 177.12.107.5
    Internal IP -> Type -> Single host
                      Address -> 192.168.1.220
    Destination -> Single host or alias
                    -> 192.168.1.220

    I have to say I'm surprised there are both "Internal IP" and "Destination", because they seem
    to be the same to me, i.e. the destination is an internal IP. I don't think I'm grasping the
    difference between the two.

    Should the external subnet IP be the IP address I'm trying to connect from, or the pfSense
    WAN IP?

    The problem might be that there's a "/31" greyed out in the "Source" box. I can't seem to edit
    that.

    Best
    Dude



  • Have you created a firewall rule on WAN to allow that 1:1 to work?



  • Any gurus out there want to help me with this on an hourly basis? I can't afford the $600 and this should take an expert about 5 minutes to set up. I can pay by PayPal.

    It's only one SAN behind the firewall, so it can't be that difficult to set up.

    pm me please.

    Best
    Dude



  • I don't think you can set up a 1:1 for the same IP as the FW. You can port forward certain ports. I would set up a VIP (IP Alias) on 177.12.170.6 (or whatever) and then use the 1:1 NAT to translate that to 192.168.1.220. Then go and create FW rules. If you only have the 1 IP, then don't use 1:1 but use port forward.
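The two options from the post above, a 1:1 mapping on a spare public address versus a port forward on the firewall's own WAN address, written out as a hand-written FreeBSD pf ruleset. This is an added illustration, not the thread's own configuration and not the ruleset pfSense generates from its GUI; the interface names em0 and em1, the spare address 177.12.107.6, the LAN network 192.168.1.0/24 and port 22 for SSH are assumptions. The point it makes is the one raised earlier in the thread: translation rules only rewrite addresses, the pass rules are what let traffic through, and on WAN they match the post-translation (internal) destination.

```pf
# Added example, not from the original thread and not a pfSense-generated pf.conf.
# Assumed: WAN on em0 with 177.12.107.5, a spare public address 177.12.107.6 in
# the same /26 (added in pfSense as Firewall -> Virtual IPs, type IP Alias),
# LAN on em1 as 192.168.1.0/24 with the SAN at 192.168.1.220, SSH on port 22.
ext_if  = "em0"
lan_if  = "em1"
wan_ip  = "177.12.107.5"
vip     = "177.12.107.6"
lan_net = "192.168.1.0/24"
san     = "192.168.1.220"

# Default policy: drop everything, the same as pfSense's implicit last rule.
# Without explicit pass rules below, neither option will let a packet through.
block all

# Option A: 1:1 NAT on the spare address. binat is bidirectional and
# protocol-agnostic, so 177.12.107.6 <-> 192.168.1.220 also carries ICMP.
binat on $ext_if from $san to any -> $vip

# Option B: only one public address. Redirect just the needed TCP ports that
# arrive at the firewall's own WAN address. rdr cannot forward ping (ICMP).
rdr on $ext_if proto tcp from any to $wan_ip port { 22, 80 } -> $san

# Translation happens before filtering, so the WAN-side pass rules must name
# the internal host, not the public address, as the destination.
pass in on $ext_if proto tcp from any to $san port { 22, 80 }
# Echo requests reach the SAN only through option A; for option B a ping to
# $wan_ip terminates on the firewall itself and needs its own pass rule.
pass in on $ext_if inet proto icmp icmp-type echoreq from any to $san

# LAN side: let internal hosts initiate outbound traffic. pf keeps state by
# default, so replies in both directions are matched by the state table.
pass in  on $lan_if from $lan_net
pass out on $ext_if
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f`. In the pfSense GUI the equivalent of the two `pass in on $ext_if` lines is a WAN rule whose destination is 192.168.1.220 (the "Internal IP" of the 1:1 entry, or the port forward target), which is why the 1:1 entry alone, with no WAN rule, still produces no reply to ping, SSH or port 80.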

