Forwarding traffic from WAN to Webserver and FTP



  • Hey guys…
    I'm on the brink of launching and have a test site ready to go up.
    However I still haven't figured out how to route incoming traffic to my Web Server/FTP.

    Can anyone give me a quick rundown on what has to be done?
    Please keep in mind that I'm on v2.1

    Thanks..



  • @_Adrian_:

    However I still haven't figured out how to route incoming traffic to my Web Server/FTP.

    Have you looked through the pfSense documentation pages? "port forward" is probably what you want. Port forward is also discussed in Chapter 7 of pfSense: The Definitive Guide



  • Done that and no luck… :/
    Hence why I'm here asking for help



  • @_Adrian_:

    Done that and no luck… :/
    Hence why I'm here asking for help

    Done what? You read Chapter 7  of the referenced book and couldn't follow it?
    You went to http://doc.pfsense.org and searched for port forward and followed the link to the article http://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense and couldn't follow it?

    Sorry, but I'll need a bit more information to work with than "no luck".



  • I used the port forwarding instruction from the "HOWTO" section
    Still every time when I go to my domain nothing is up :/



  • Also for some reason instead of getting the default IIS7 Welcome page I get the PF box login :/



  • @_Adrian_:

    Also for some reason instead of getting the default IIS7 Welcome page I get the PF box login :/

    1. Did you "apply" the rules after adding them?
    2. Did you reset firewall states after adding the rules (see Diagnostics -> States, click on the Reset States tab)?
    3. Do you get the same result when you access by IP address of the pfSense WAN interface and by hostname?
    4. Does this access attempt enter the pfSense box on the same interface as specified in your port forward rule? (If not, the port forward rule won't apply!)


  • Netgate Administrator

    Importantly; where are you testing from?

    Steve



  • @wallabybob:

    1. Did you "apply" the rules after adding them?
    2. Did you reset firewall states after adding the rules (see Diagnostics -> States, click on the Reset States tab)?
    3. Do you get the same result when you access by IP address of the pfSense WAN interface and by hostname?
    4. Does this access attempt enter the pfSense box on the same interface as specified in your port forward rule? (If not, the port forward rule won't apply!)

    Did it and still nothing…

    YAY...
    Steve's here :)

    Testing from inside my network but testing to see if my redirect works..
    The rules were added on the Server Interface with separate rule set for FTP and HTTP/HTTPS



  • With other distros, you have to override the default WEBGUI port if you want to use port 80… you can try that:

    System -> Advanced -> Admin Access tab then configure a different tcp port for the webgui.

    But also... there are other things in play... you should be testing from the outside, but if you are trying to connect to your external IP from the inside, you need to enable NAT reflection.  Secondly, is your DNS pointing to the correct IP?

    Other than that, your NAT:Port Forward should look like:

    WAN | TCP | * | * | WAN address | 80 (HTTP) | <webserver ip> | 80 (HTTP) | description |

    Firewall Rule on WAN should be:

    TCP | * | * | <webserver ip> | 80 (HTTP) | * | none |    | description |

    Lastly, check netstat and make sure your webserver is actually listening.


  • Netgate Administrator

    @_Adrian_:

    YAY…
    Steve's here :)

    Ha! Thanks for the compliment but my money would be on Wallabybob every time.  :)

    I don't think I fully understand what you have done but…
    A common problem people have when setting up port forwarding is trying to test it from within their network (pfSense LAN side). This usually results in, what you are seeing, just reaching the pfSense webGUI often with a redirect security warning. You can turn on NAT reflection so that internal machines can access servers but that doesn't actually test the port forward. You need to test it from some remote location or via 3G etc.

    Steve



  • Thanks for the input guys :D
    Greatly appreciated!

    I'm waiting on 2 more servers to arrive ( NAS and AD/DNS )
    Seems like a lot but I will have to figure it out soon LOL

    Active directory will be needed for the servers to run clustering for R2…
    Hopefully pf's DNS will play nice with the DNS server running off from R2

    Anyways... ADHD kicking in again LOL
    I will follow the above instructions and see where it gets me :)

    Thanks again for the input guys!!



  • @marvosa:

    With other distros, you have to override the default WEBGUI port if you want to use port 80… you can try that:

    System -> Advanced -> Admin Access tab then configure a different tcp port for the webgui.

    What port do you guys suggest?
    Tried 444 and locked myself out of the webGUI, so I have to access the CLI and return to 443 or 80 until I figure this out.

    @marvosa:

    But also… there are other things in play... you should be testing from the outside, but if you are trying to connect to your external IP from the inside, you need to enable NAT reflection.  Secondly, is your DNS pointing to the correct IP?

    Checked DynDNS Status on both Addresses and they are sync'd to my WAN IP

    @marvosa:

    Other than that, your NAT:Port Forward should look like:

    WAN | TCP | * | * | WAN address | 80 (HTTP) | <webserver ip> | 80 (HTTP) | description |

    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS1
    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS2

    @marvosa:

    Firewall Rule on WAN should be:

    TCP | * | * | <webserver ip> | 80 (HTTP) | * | none |    | description |

    IPv4 TCP * * 192.1x.x.x 80 - 443 * none  none

    @marvosa:

    Lastly, check netstat and make sure your webserver is actually listening.

    When navigating to the server's IP I get the IIS7 Welcome page, so if it's up on the LAN I'm sure it's up behind the pfbox.

    @stephenw10:

    You can turn on NAT reflection so that internal machines can access servers but that doesn't actually test the port forward. You need to test it from some remote location or via 3G etc.

    Steve

    At first got the Pf login but then quickly realized that I have WIFI on, once I turned it off no go :/



  • No-IP domain is adrculda.hopto.org

    Can you guys ping it and see what you get?

    Redirect is to WAN:8080



  • @_Adrian_:

    @marvosa:

    Other than that, your NAT:Port Forward should look like:

    WAN | TCP | * | * | WAN address | 80 (HTTP) | <webserver ip> | 80 (HTTP) | description |

    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS1
    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS2

    Why do you have two port forward rules? Since they have the same port range only one of them will be effective.

    What is "SERVER1 address"? Since you mentioned DynDNS I suspect your WAN interface has a dynamic address. If so, the port forward rule needs to specify Destination type=WAN address (not the CURRENT IP address of the WAN interface) so the rule's behaviour will track changes in the IP address of the WAN interface.

    @marvosa:

    Firewall Rule on WAN should be:

    TCP | * | * | <webserver ip> | 80 (HTTP) | * | none |    | description |

    IPv4 TCP * * 192.1x.x.x 80 - 443 * none  none

    @marvosa:

    Lastly, check netstat and make sure your webserver is actually listening.

    When navigating to the server's IP I get the IIS7 Welcome page, so if it's up on the LAN I'm sure it's up behind the pfbox.

    @stephenw10:

    You can turn on NAT reflection so that internal machines can access servers but that doesn't actually test the port forward. You need to test it from some remote location or via 3G etc.

    Steve

    At first got the Pf login but then quickly realized that I have WIFI on, once I turned it off no go :/



  • @wallabybob:

    @_Adrian_:

    @marvosa:

    Other than that, your NAT:Port Forward should look like:

    WAN | TCP | * | * | WAN address | 80 (HTTP) | <webserver ip> | 80 (HTTP) | description |

    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS1
    WAN TCP * * SERVER1 address 80 - 443 192.1x.x.x 80 - 443 IIS2

    Why do you have two port forward rules? Since they have the same port range only one of them will be effective.

    What is "SERVER1 address"? Since you mentioned DynDNS I suspect your WAN interface has a dynamic address. If so, the port forward rule needs to specify Destination type=WAN address (not the CURRENT IP address of the WAN interface) so the rule's behaviour will track changes in the IP address of the WAN interface.

    Thanks wallabybob!!!
    It's working :D

    Had to do a couple of changes…
    It didn't want to play nice so I went to a port 8080 redirect.
    With that being said...

    NAT :
    WAN | TCP | * | * | WAN address | 8080 | <webserver ip> | 80 (HTTP) | SERVER1 ( Description )

    and created a rule for it that ended up looking like this:
    IPv4 | TCP | * | * | <webserver ip> | 80 (HTTP) | * | none | NAT SERVER1 ( Description )

    Now when going to adrculda.hopto.org or adrculda.zapto.org gets redirected to my first IIS7 Server.

    Now I wonder if my provider offers multiple external IPs :P
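
The two points that resolved this thread, modelled as an added example (not code from the thread or from pfSense): port forwards are evaluated first-match-wins, so a second rule with the same port range is never used, and the WAN firewall rule is checked against the translated destination (web server, port 80), not the external port 8080. The `10.0.0.x` addresses and all class and function names are constructed, and the model is a simplification of the firewall's behaviour.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:            # one row of the NAT port-forward table
    iface: str
    dst: str              # "WAN address" or a literal IP
    ports: range          # external destination ports
    target_ip: str
    target_port: int      # first redirect target port
    desc: str

@dataclass(frozen=True)
class Pass:               # one pass rule on an interface
    iface: str
    dst_ip: str
    ports: range

def translate(forwards, iface, dst, port):
    """Return the first forward that matches, or None. Later matches never fire."""
    for f in forwards:
        if (f.iface, f.dst) == (iface, dst) and port in f.ports:
            return f
    return None

def deliver(forwards, passes, iface, dst, port):
    """Where a new inbound TCP connection ends up in this model."""
    f = translate(forwards, iface, dst, port)
    if f is None:
        return "firewall itself"   # untranslated: still addressed to the firewall
    ip, p = f.target_ip, f.target_port + (port - f.ports.start)
    # Pass rules are checked against the translated destination.
    ok = any(r.iface == iface and r.dst_ip == ip and p in r.ports for r in passes)
    return f"{ip}:{p}" if ok else "blocked"

def shadowed(forwards):
    """Descriptions of forwards fully covered by an earlier rule on the same iface/dst."""
    out = []
    for i, f in enumerate(forwards):
        if any((e.iface, e.dst) == (f.iface, f.dst)
               and e.ports.start <= f.ports.start and f.ports.stop <= e.ports.stop
               for e in forwards[:i]):
            out.append(f.desc)
    return out

# Constructed sample data; 10.0.0.x stands in for the web servers' LAN addresses.
DUPLICATES = [Forward("WAN", "WAN address", range(80, 444), "10.0.0.10", 80, "IIS1"),
              Forward("WAN", "WAN address", range(80, 444), "10.0.0.11", 80, "IIS2")]
WORKING = [Forward("WAN", "WAN address", range(8080, 8081), "10.0.0.10", 80, "SERVER1")]
PASS_WEB = [Pass("WAN", "10.0.0.10", range(80, 81))]
```

`shadowed(DUPLICATES)` flags the IIS2 rule, and `deliver(WORKING, PASS_WEB, "WAN", "WAN address", 8080)` reaches the web server only because the pass rule names port 80 rather than 8080.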

