Netgate Discussion Forum
    Allowing ping packets into LAN from WAN

    Problems Installing or Upgrading pfSense Software
    11 Posts 3 Posters 20.2k Views
    • BigLebowski

      hi there

      Hosts on the LAN side of pfsense have full access out of the network onto the WAN.
      I gather this is the default so that's working ok.

      I just need to know how I can create holes through pfsense from WAN to LAN so that
      hosts on the WAN can ping selected ports on hosts behind pfsense.

      Do I use NAT (port forward, 1:1 and/or Outbound) and what firewall rules (Floating,
      WAN and/or LAN) do I need to set up, if any. First off, to be able to ping LAN-side hosts
      behind pfsense would be great.

      Any help appreciated.

      Cheers
      Dude
      ps the diagram should say "vista pc1 cannot ping vista pc 2 or any host behind pfsense".
      [attachment: test.jpg]

      • johnpoz LAYER 8 Global Moderator

        Why people do this is beyond me – why do you think you need a double nat like you have setup??

        Same way you forwarded 80 into pfsense, is how you would forward traffic through pfsense.  Simple NAT:port forward how you did it on your dhcp router.

        Pfsense makes more sense as your gateway, why not just remove the NAT that your modem/router is doing in the first place?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • BigLebowski

          Hi Jon

          I have to NAT with the modem router because I employed a guy in the Ukraine to try and help me suss this.
          He needs access to the webconfigurator via the external WAN because there is no direct access to
          webconfigurator any other way.

          Please could you help with the NAT config? Say I use 1:1 , are these the fields I need to fill in:

          Interface: WAN
          External Subnet IP: 192.168.0.3  (I suspect I have entered this incorrectly and there's a greyed-out /31 which conflicts with the /24
          mask I'm using for this subnet)
          Internal IP: Single Host or Alias: 192.168.20.2
          Destination: Any

          I've tried this and I can't ping 192.168.20.2 from 192.168.0.3. Is my syntax incorrect or do I need an
          additional firewall rule?

          Best
          Dude

          • stephenw10 Netgate Administrator

            If you are using NAT of any kind you won't be able to ping 192.168.20.3 from 192.168.0.3. The pfSense box hides the 192.168.20.* subnet from the WAN side completely, that's what it's supposed to do, it's a firewall.  ;)

            To make this work you would have to disable NAT completely to make pfSense into a router and then add firewall rules on WAN to allow it. That is far more complex than the default setup!

            What are you hoping to achieve as the end result? It seems likely that you are going about it, or at least testing it, incorrectly.

            Steve

            • BigLebowski

              Hi Steve

              I'm trying to model a config we have in the DC. It has a XenServer behind pfsense on a 192.168.0.x IP. I want to open a small number of ports through pfsense to the XenServer so I can access it via XenCenter externally.

              My model is to help me learn pfsense. I'm blocking myself out regularly so at least at home I can access the LAN easily and remove the offending rule(s) :)

              If you could pass me a rule to open ICMP from WAN to LAN (from 192.168.0.3, initially anyway) then I can hopefully make some progress.

              Best
              Dude

              • stephenw10 Netgate Administrator

                Ah! Ok.
                So you need to access a specific machine on the LAN side rather than any machine LAN side.
                I'm assuming that your production pfSense has NAT enabled (the default configuration).
                Traditionally what you would do is this:
                Setup a port-forward from your WAN interface to your internal server.
                Add firewall rules to WAN to allow access on the forwarded port. pfSense can add the rule automatically if you want.
                You can then access your server from 'the internet' on your-pfSense-WAN-address: port whatever-you-chose.

                Using ICMP as a test is not great because you can't tell (easily) what machine has responded to your pings.

                Does that sound like what you need to do? I apologise if I've massively misjudged your skill level!

                Steve

                • johnpoz LAYER 8 Global Moderator

                  Dude, it's a simple port forward. What do you not get?

                  By default pfsense will setup the wan rule to allow the traffic you forward. Unless you remove the dropbox at the bottom of the forward that tells you it's going to do that.

                  You can not forward icmp -- forward the ports you NEED, or test with ssh or telnet or something.


                  • stephenw10 Netgate Administrator

                    @johnpoz:

                    You can not forward icmp

                    Good point. I had not thought that through!  ::)

                    Steve

                    • BigLebowski

                      Ahh, very interesting Mr Bond…the NAT does indeed add a rule. Many thanks :)
                      I'm bewildered however at the Port Forward screen.

                      I choose:

                      Interface: WAN
                      Protocol: TCP/UDP
                      Source: Single Host or Alias: 192.168.0.3  (why is "/31" shown greyed out when it conflicts with the /24 on the WAN?)
                      Source Port range: 1 - 65000
                      Destination: 192.168.20.2 (again the "/31" is greyed out and conflicts with both WAN and LAN subnets of /24 and /26)
                      Destination port range: 1 - 65000
                      Redirect Target IP: 192.168.20.2  (This is what puzzles me...isn't this the same as the "destination" above?)
                      Redirect Target port: 1 (makes range 1 - 65000)

                      I think I'm muddling the destination and redirect target IP ports... is "destination" the WAN side of pfsense? E.g. 192.168.0.80?

                      Best
                      Dude

                      • stephenw10 Netgate Administrator

                        Ok,
                        The destination IP is used to match the port forward rule to incoming packets, which will have the destination: your-WAN-IP. The redirect IP is the address of your internal server.

                        /31 is within /24; it does not conflict with it. It refers to the mask size in bits.

                        You should really only forward ports you need, 1-65000 is just going to introduce unknown difficulty.

                        I would leave the source IP and port as 'any', at least until you have it working.

                        See my attached rule as an example.

                        Steve

                        [attachment: portforward.jpg]

                        • BigLebowski
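Steve's distinction above between the "Destination" (the WAN address the packet arrives with) and the "Redirect target IP" (the LAN server), johnpoz's point that ICMP has no port to forward on, and the /31-inside-/24 question, modelled as an added example. This is illustrative code written for this thread, not pfSense's or pf's own logic; the WAN address 192.168.0.80 is Dude's guess from the thread and the packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for ICMP: there is no port to match on


@dataclass
class PortForward:
    """Simplified model of one pfSense NAT: Port Forward entry."""
    dst_ip: str          # "Destination": address the packet arrives with (pfSense WAN IP)
    dport_from: int      # "Destination port range" start
    dport_to: int        # "Destination port range" end
    target_ip: str       # "Redirect target IP": the internal server
    target_port: int     # "Redirect target port": start of the translated range

    def apply(self, pkt: Packet) -> Optional[Packet]:
        """Return the rewritten packet if this forward matches, else None."""
        if pkt.proto not in ("tcp", "udp") or pkt.dport is None:
            return None  # ICMP carries no port, so a port forward never matches it
        if ip_address(pkt.dst) != ip_address(self.dst_ip):
            return None  # packets from the WAN are addressed to the WAN IP, not the LAN host
        if not self.dport_from <= pkt.dport <= self.dport_to:
            return None
        # a range 1-65000 redirected to target port 1 maps each port onto itself
        new_port = self.target_port + (pkt.dport - self.dport_from)
        return Packet(pkt.proto, pkt.src, self.target_ip, new_port)


def mask_within(host_cidr: str, net_cidr: str) -> bool:
    """True when the smaller prefix (e.g. 192.168.0.3/31) lies inside the larger (/24)."""
    return ip_network(host_cidr, strict=False).subnet_of(ip_network(net_cidr))


if __name__ == "__main__":
    # constructed example: forward WAN port 443 to the LAN host 192.168.20.2
    fwd = PortForward("192.168.0.80", 443, 443, "192.168.20.2", 443)
    print(fwd.apply(Packet("tcp", "192.168.0.3", "192.168.0.80", 443)))   # rewritten to the LAN host
    print(fwd.apply(Packet("tcp", "192.168.0.3", "192.168.20.2", 443)))   # None: wrong "Destination"
    print(fwd.apply(Packet("icmp", "192.168.0.3", "192.168.0.80")))       # None: ICMP has no port
    print(mask_within("192.168.0.3/31", "192.168.0.0/24"))               # True: no conflict
```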

                          Hi Steve

                          That's sorted it :) Many thanks for your help and to the other contributors.

                          Best
                          Dude
