Allowing ping packets into LAN from WAN



  • Hi there

    Hosts on the LAN side of pfsense have full access out of the network onto the WAN.
    I gather this is the default so that's working ok.

    I just need to know how I can create holes through pfsense from WAN to LAN so that
    hosts on the WAN can ping selected ports on hosts behind pfsense.

    Do I use NAT (port forward, 1:1 and/or Outbound) and what firewall rules (Floating,
    WAN and/or LAN) do I need to set up, if any. First off, to be able to ping LAN-side hosts
    behind pfsense would be great.

    Any help appreciated.

    Cheers
    Dude
    PS: the diagram should say "vista pc1 cannot ping vista pc 2 or any host behind pfsense".


  • Rebel Alliance Global Moderator

    Why people do this is beyond me – why do you think you need a double nat like you have setup??

    Same way you forwarded 80 into pfsense is how you would forward traffic through pfsense.  Simple NAT: port forward, as you did it on your DHCP router.

    Pfsense makes more sense as your gateway, why not just remove the NAT that your modem/router is doing in the first place?



  • Hi Jon

    I have to NAT with the modem router because I employed a guy in the Ukraine to try and help me suss this.
    He needs access to the webconfigurator via the external WAN because there is no direct access to
    webconfigurator any other way.

    Please could you help with the NAT config? Say I use 1:1 , are these the fields I need to fill in:

    Interface: WAN
    External Subnet IP: 192.168.0.3  (I suspect I have entered this incorrectly and there's a greyed-out /31 which conflicts with the /24
    mask I'm using for this subnet)
    Internal IP: Single Host or Alias: 192.168.20.2
    Destination: Any

    I've tried this and I can't ping 192.168.20.2 from 192.168.0.3. Is my syntax incorrect or do I need an
    additional firewall rule?

    Best
    Dude


  • Netgate Administrator

    If you are using NAT of any kind you won't be able to ping 192.168.20.3 from 192.168.0.3. The pfSense box hides the 192.168.20.* subnet from the WAN side completely, that's what it's supposed to do, it's a firewall.  ;)

    To make this work you would have to disable NAT completely to make pfSense into a router and then add firewall rules on WAN to allow it. That is far more complex than the default setup!

    What are you hoping to achieve as the end result? It seems likely that you are going about it, or at least testing it, incorrectly.

    Steve



  • Hi Steve

    I'm trying to model a config we have in the DC. It has a XenServer behind pfsense on a 192.168.0.x IP. I want to open a small number of ports through pfsense to the XenServer so I can access it via XenCenter externally.

    My model is to help me learn pfsense. I'm blocking myself out regularly so at least at home I can access the LAN easily and remove the offending rule(s) :)

    If you could pass me a rule to open ICMP from WAN to LAN (from 192.168.0.3, initially anyway) then I can hopefully make some progress.

    Best
    Dude


  • Netgate Administrator

    Ah! Ok.
    So you need to access a specific machine on the LAN side rather than any machine LAN side.
    I'm assuming that your production pfSense has NAT enabled (the default configuration).
    Traditionally what you would do is this:
    Setup a port-forward from your WAN interface to your internal server.
    Add firewall rules to WAN to allow access on the forwarded port. pfSense can add the rule automatically if you want.
    You can then access your server from 'the internet' on your-pfSense-WAN-address: port whatever-you-chose.

    Using ICMP as a test is not great because you can't tell (easily) what machine has responded to your pings.

    Does that sound like what you need to do? I apologise if I've massively misjudged your skill level!

    Steve


  • Rebel Alliance Global Moderator

    Dude its a simple port forward..  What do you not get?

    By default pfsense will setup the wan rule to allow the traffic you forward.  Unless you remove the dropbox at the bottom of the forward that tells you its going to do that.

    You can not forward ICMP – forward the ports you NEED, or test with ssh or telnet or something.


  • Netgate Administrator

    @johnpoz:

    You can not forward icmp

    Good point. I had not thought that through!  ::)

    Steve



  • Ahh, very interesting Mr Bond…the NAT does indeed add a rule. Many thanks :)
    I'm bewildered however at the Port Forward screen.

    I choose:

    Interface: WAN
    Protocol: TCP/UDP
    Source: Single Host or Alias: 192.168.0.3  (why is "/31" shown greyed out when it conflicts with the /24 on the WAN?)
    Source Port range: 1 - 65000
    Destination: 192.168.20.2 (again the "/31" is greyed out and conflicts with both WAN and LAN subnets of /24 and /26)
    Destination port range: 1 - 65000
    Redirect Target IP: 192.168.20.2  (This is what puzzles me...isn't this the same as the "destination" above?)
    Redirect Target port: 1 (makes range 1 - 65000)

    I think I'm muddling the destination and redirect target IP ports...is "destination" the WAN side of pfsense? Eg 192.168.0.80?)

    Best
    Dude


  • Netgate Administrator

    Ok,
    The destination IP is used to match the portforward rule to incoming packets which will have the destination: your-WAN-IP. The redirect IP is the address of your internal server.

    /31 is within /24; it does not conflict with it. It refers to the mask size in bits.

    You should really only forward ports you need, 1-65000 is just going to introduce unknown difficulty.

    I would leave the source IP and port as 'any', at least until you have it working.

    See my attached rule as an example.

    Steve
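    The port-forward procedure Steve describes (forward from WAN to the internal server, let pfSense add the matching WAN pass rule, reach the server on the WAN address) and the destination-versus-redirect distinction he explains above, written out as the underlying pf rules. This is an added illustration, not a rule set from this thread or generated by pfSense; the interface names em0/em1, the pfSense WAN address 192.168.0.80 and the ports 80 and 443 are assumptions for the lab in the diagram, with the XenServer at 192.168.20.2 as the thread states.

```pf
# Assumed lab layout (not from the original post):
#   em0 = WAN, pfSense address 192.168.0.80 (modem/router's LAN side)
#   em1 = LAN, 192.168.20.0/24, XenServer at 192.168.20.2
ext_if   = "em0"
int_if   = "em1"
xen_host = "192.168.20.2"
xen_ports = "{ 80, 443 }"   # assumption: replace with the ports XenCenter really needs

# Port forward. "Destination" in the pfSense form is what the incoming packet
# carries, i.e. the WAN address (written here as ($ext_if) so pf reads it
# from the interface); the "Redirect target IP" is the host after '->'.
# Leaving the target port off keeps the original port (80->80, 443->443).
rdr on $ext_if proto tcp from any to ($ext_if) port $xen_ports -> $xen_host

# The WAN pass rule pfSense adds for you. Note it matches the *translated*
# destination, the internal host, because rdr rewrites the address before
# the filter rules are evaluated.
pass in quick on $ext_if proto tcp from any to $xen_host port $xen_ports \
    flags S/SA keep state

# Source stays 'any' until it works; afterwards a source restriction such as
# "from 192.168.0.3" belongs on the pass rule, not in the rdr.

# What the 1-65000 forward in the thread amounts to (kept commented out on
# purpose): every TCP and UDP port of the server exposed to the WAN.
# rdr on $ext_if proto { tcp udp } from any to ($ext_if) port 1:65000 -> $xen_host
```

    Load it with `pfctl -nf` first to syntax-check; on pfSense itself you do not edit pf.conf by hand, but the generated rules (in /tmp/rules.debug) have this shape, which is why the auto-added WAN rule shows the internal address rather than the WAN address as its destination.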




  • Hi Steve

    That's sorted it :) Many thanks for your help and to the other contributors.

    Best
    Dude

