    New to pfSense - Port Forwarding Issue - Any help would be great

    • N
      neomanic last edited by

      Hey guys,

      OK this is my first post so I will try to include all required information ….

      I have just installed pfSense on my old PC and I can't for the life of me get port forwarding working. I have spent hours on it, reading through the tutorials, reading forum posts, but unfortunately still can't get it working.

      ==============================================================================================================================

      Network Hardware

      1. Cable internet using an ISP-provided Netgear CG3000 (gutted with stupid ISP firmware)
      2. pfSense Box with 3 NICs
      3. Netgear GS724T 24 port gigabit switch
      4. 5 port unmanaged switch to connect PCs upstairs that connects to the Netgear GS724T downstairs.
      5. Workstations in the house

      Very simple setup.

      ==============================================================================================================================

      Network Config

      Netgear CG3000 Router
      IP:192.168.0.1
      SN: 255.255.255.0

      PfSense Box
      WAN NIC: ale0
      WAN IP: 192.168.0.10 (DHCP assigned from router)
      WAN Gateway: 192.168.0.1 (router IP)
      LAN NIC: em0
      LAN IP: 192.168.2.254
      LAN Gateway: no idea, not sure if I even need one?
      LAN DHCP Server: 192.168.2.50 - 192.168.2.150
      DHCP Reservations
      192.168.2.190 - Workstation
      192.168.2.191 - Workstation

      Netgear GS724T Switch
      IP: 192.168.2.250
      SN: 255.255.255.0
      DG: 192.168.2.254 (pfsense LAN interface)

      Netgear 5 port switch upstairs: no IP address, just a dumb device I guess.

      I run a cable from LAN1 port on the netgear CG3000 router to the WAN NIC (ale0) on the pfsense box.
      I run a cable from the LAN NIC (em0) on the pfSense box to port 1 on the Netgear GS724T switch.
      Ports 2,3,4 on the GS724T switch are connected to workstations downstairs.
      Port 5 on the GS724T is running upstairs to the 5 port netgear switch, then workstations upstairs are connected into that.

      Due to the gutted ISP firmware on the CG3000 router, it does not have any way to put it into bridge mode. However it does have a DMZ option.
      I have enabled the DMZ option and pointed it to the WAN IP on the pfSense box (192.168.0.10).
      I have no firewall rules set on the router, it's basically accepting the internet and then going to the DMZ IP I have set.

      It's my assumption that pointing the router to a DMZ effectively turns the router into a modem, and all the firewall settings are done on the pfSense box?

      ==============================================================================================================================

      Browsing the web works fine.

      So for now all I'm trying to do is forward some ports to specific workstations on the LAN. But when I add the rules they never work. Also I cannot seem to ping anything from the router diagnostics interface either. Not sure if this is due to the DMZ setting. The only IP I can ping from the router is its own - 192.168.0.1

      The firewall logs show the traffic going to the WAN IP 192.168.0.10 for the specific ports, but it's getting blocked for some reason.

      I'm struggling with this one so, any help would be greatly appreciated.

      I couldn't attach all the screenshots in one post so I have done it in multiple

      Please let me know if you need any more information.

      Cheers

      Dan

      ![01 - Router DMZ.PNG](/public/imported_attachments/1/01 - Router DMZ.PNG)
      ![02 - Router - No firewall rules.PNG](/public/imported_attachments/1/02 - Router - No firewall rules.PNG)
      ![03 - router - no services enabled.PNG](/public/imported_attachments/1/03 - router - no services enabled.PNG)
      ![04 - router - lan settings.PNG](/public/imported_attachments/1/04 - router - lan settings.PNG)
      ![05 - pfsense - dashboard.PNG](/public/imported_attachments/1/05 - pfsense - dashboard.PNG)
      ![06 - pfsense - interfaces assignment.PNG](/public/imported_attachments/1/06 - pfsense - interfaces assignment.PNG)
      • N
        neomanic last edited by

        more screens…..

        ![07 - pfsense - WAN interface.PNG](/public/imported_attachments/1/07 - pfsense - WAN interface.PNG)
        ![08 - pfsense - LAN interface.PNG](/public/imported_attachments/1/08 - pfsense - LAN interface.PNG)
        ![09 - pfsesnse - NAT rules.PNG](/public/imported_attachments/1/09 - pfsesnse - NAT rules.PNG)
        ![10 - pfsesnse - firewall rules - LAN.PNG](/public/imported_attachments/1/10 - pfsesnse - firewall rules - LAN.PNG)
        • N
          neomanic last edited by

          last screens ….

          ![11 - pfsesnse - firewall rules - WAN.PNG](/public/imported_attachments/1/11 - pfsesnse - firewall rules - WAN.PNG)
          ![12 - pfsense - firewall logs - 45678.PNG](/public/imported_attachments/1/12 - pfsense - firewall logs - 45678.PNG)
          ![13 - pfsense - firewall logs - 45679.PNG](/public/imported_attachments/1/13 - pfsense - firewall logs - 45679.PNG)
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            Don't need to look very far to see what your problem is. See the first rule!! On your WAN! That is blocking ALL PRIVATE networks. So yeah, you can create a rule below it that allows. But your first rule says BLOCK, since it's to a private IP. So no other rules are evaluated.

            You're behind a double NAT, so your WAN is a private IP - so you can not block private IP space.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 23.01 | Lab VMs CE 2.6, 2.7
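
The first-match behaviour described in the reply above, as an added example that is not part of the original thread. It is a simplified Python model, not pfSense code: the rule format and helper names are hypothetical, the block rule is modelled as matching RFC 1918 source addresses, and the packets and the 203.0.113.7 address are constructed.

```python
import ipaddress

# RFC 1918 ranges matched (by source address) by a "block private networks" rule.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(action, src="any", dport=None, label=""):
    """Build one WAN rule; src is 'any', 'rfc1918' or a CIDR string (hypothetical format)."""
    return {"action": action, "src": src, "dport": dport, "label": label}

def src_matches(spec, addr):
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    if spec == "rfc1918":
        return any(ip in net for net in RFC1918)
    return ip in ipaddress.ip_network(spec)

def evaluate(rules, src, dport):
    """First matching rule wins; later rules are never consulted. Default deny."""
    for r in rules:
        if src_matches(r["src"], src) and r["dport"] in (None, dport):
            return r["action"], r["label"]
    return "block", "default deny"

def double_nat_conflict(wan_ip, rules):
    """True when the WAN address is itself RFC 1918 and a block-private rule is present."""
    wan_private = src_matches("rfc1918", wan_ip)
    return wan_private and any(r["action"] == "block" and r["src"] == "rfc1918" for r in rules)

# Constructed ruleset resembling the thread: block-private first, then the forward's pass rule.
WAN_RULES = [
    rule("block", src="rfc1918", label="block private networks"),
    rule("pass", dport=45678, label="allow forwarded port 45678"),
]
FIXED_RULES = WAN_RULES[1:]  # the block rule removed, as the poster did

if __name__ == "__main__":
    for name, rules in (("original", WAN_RULES), ("fixed", FIXED_RULES)):
        # Upstream router address from the thread, then a documentation-range public host.
        for src in ("192.168.0.1", "203.0.113.7"):
            print(name, src, evaluate(rules, src, 45678))
    print("double NAT conflict:", double_nat_conflict("192.168.0.10", WAN_RULES))
```

With the block rule removed, the forwarded port is also reachable from every host on the upstream 192.168.0.0/24 segment, so the pass rules on WAN are the only filter for that network.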

            • N
              neomanic last edited by

              @johnpoz:

              Don't need to look very far to see what your problem is. See the first rule!! On your WAN! That is blocking ALL PRIVATE networks. So yeah, you can create a rule below it that allows. But your first rule says BLOCK, since it's to a private IP. So no other rules are evaluated.

              You're behind a double NAT, so your WAN is a private IP - so you can not block private IP space.

              Hey johnpoz! ….. I have removed that rule and now my NAT rules are applying properly and the traffic is coming through ......

              Thank you so much for responding and helping me out! :)

              • johnpoz
                johnpoz LAYER 8 Global Moderator last edited by

                No problem dude - what I'm here for. Common issue really. I would suggest you look at moving to bridge mode on the device from your ISP, or get a new device that can be set as just a true modem.

                Double NAT is not an ideal setup, sure it can work - but it clearly is not ideal to be sure.

                Have fun with pfSense - you're going to love it!
