Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Pfsense with double NAT

    Scheduled Pinned Locked Moved General pfSense Questions
    14 Posts 2 Posters 8.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      punkme112
      last edited by

      All,

      I am having an issue getting this to work correctly.  I have that Xfinity Arris TG862 from Comcast that is a gateway modem.  Unfortunately it cannot be put into "bridged" mode.  What I have done so far is this:

      On Comcast Modem, my main IP is 10.0.0.1

      On Pfsense, may WAN IP is 10.0.0.3

      On Pfsense, I have setup a gateway of the 10.0.0.1 and added under the gateway section of my WAN IP.  With it like this, I am able to get internet on all of my computers with no issues.  My main issue, is I am trying to port forward one of my internal devices (it is an SSLVPN appliance) so I can esentially type in my link "remote.site.com:8000".  I have set port forwarding to allow port 8000 to translate to HTTPS, and I see it in my log as being blocked:

      Act Time                  If    Source           Destination         Proto
      block Nov 13 03:36:14 WAN 10.0.0.3:53232 192.168.1.6:443 TCP:S

      Does anybody have any suggestions so I can get this to work?  If any other info is needed, please let me know and I will post it.

      1 Reply Last reply Reply Quote 0
      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by

        Did you uncheck blocking private networks?

        Who says you can not put that into bridge mode?  This userguide sure looks like you can

        http://www.arrisi.com/support/documentation/user_guides/_docs/ARRIS_Router_Setup_Web_GUI_UG.pdf

        bridgemode.png
        bridgemode.png_thumb

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        1 Reply Last reply Reply Quote 0
        • P Offline
          punkme112
          last edited by

          That was Comcast that said this device cannot be put into bridging mode; I guess I can call them instead of doing online tech support and see what they can do. And I did see that screen shot actually.  The first thing I found on google about the arris I have was the PDF for the device  :).  As far as the blocking of private networks, I actually have that checked for my WAN.  I'll uncheck that and post my results.

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by

            If your blocking private

            10.0.0.3:53232

            Is your source and would be blocked would it not, since its private.

            But there should be NO reason why that device can not be just a modem.. Chatting with the IDIOTS with comcast are not going to be much help ;)

            Question for you - I have comcast, are they not charging you like $7 a month for that device?  Just buy your own and like a year you are paid up with cost and after is just saving money.  I bought my own couple years back SB6120 and have not had issue one with it.  Paid for itself twice already ;)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • P Offline
              punkme112
              last edited by

              Since I unchecked the Block private networks, I don't get any block's in my log for the 10.0.0.3, but I am still unable to connect to my device over port 8000.  Comcast wise, I have to use theirs because I have phone from them as well :(.  So it sort of limits my choices at the moment.

              1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator
                last edited by

                Then you got your nat configured wrong.

                Did you not let the nat create your wan rule?

                Hmm this seems odd as well
                192.168.1.6:443 as dst on your wan interface?

                How did you forward through your TG862 via DMZ or did you setup a specific forward?

                Why are you using 8000?  Why not just 443, comcast does not block that - I use it to access openvpn on my pfsense.

                so you have to forward on TG862 to pfsense wan IP, 10.0.0.3 I believe you set it to be?  for whatever port you want.  Then on pfsense you need to forward that port to your inside box - assume the 192.168.1.6

                if your stuck doing nat because you have phone with them as well, then I would just put your pfsense wan IP in the DMZ of the thing and then you only will have to forward at pfsense for any future ports you want.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • P Offline
                  punkme112
                  last edited by

                  This is what I was thinking.  I have been out of the Pfsense usage for awhile (I switched to a Juniper SSG5, but it was giving me issues with gaming).  Anyways, since I did the unblock of private networks, I don't have any logs as I did in the first post.  For my arris, the only things I set on that, were in its DMZ, I put my firewalls WAN IP of 10.0.0.3, and I did the same in the arris' port forwarding settings as well using the 10.0.0.3 for that port 8000.  I know this sounds kind of cryptic, if you need any screenshots or anything, Ill be glad to post them.

                  1 Reply Last reply Reply Quote 0
                  • P Offline
                    punkme112
                    last edited by

                    Here is my NAT as it is now on the firewall:

                    nat.PNG
                    nat.PNG_thumb

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      and where is your firewall wan rule that matches up with that?  And dest address should be your WAN address

                      here are my nats

                      wannat.png
                      wannat.png_thumb

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Once you put the 10.0.0.3 in the DMZ you would not also forward ports on it.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • P Offline
                          punkme112
                          last edited by

                          Here's the firewall rule:

                          nat2.PNG
                          nat2.PNG_thumb

                          1 Reply Last reply Reply Quote 0
                          • johnpozJ Offline
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            So put in your wan address as destination in your nat (this is default why did you change it to *), and verify your alias, why use alias for a private IP address?  Alias makes sense if you have a group or something, or something changes like a public fqdn that you don't have control over, etc..  But what do you have sslvpn pointing to?  Can it resolve it?  Do you have it as IP - why not just put in IP.

                            There was user back that had typo in his alias 192.163 vs 192.168 or something.

                            I would just put direct info in - this way you can see everything with one easy view of your rules vs having to look at your aliases, etc.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            1 Reply Last reply Reply Quote 0
                            • P Offline
                              punkme112
                              last edited by

                              I will give this a try.  As far as the NAT goes, when I am under the destination part, it has WAN address, but the field under it will not let me put anything in.  Should I just do single host or alias?  I appreciate the help!

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ Offline
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                And how many hosts are you going to forward too?  Thats 1 right - so why do you need an alias?

                                Why do you need to put something under Wan Address - is that not going to be the destination IP??  What is normally your Public IP, or in your case 10.0.0.3 which your first router will be NAT inbound traffic to, since you put your pfsense wan IP in its DMZ.

                                No other forwards on your first router - just the DMZ setting is all that is needed.

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.