    Pfsense with double NAT

    General pfSense Questions
punkme112

All,

I am having an issue getting this to work correctly. I have that Xfinity Arris TG862 from Comcast that is a gateway modem. Unfortunately it cannot be put into "bridged" mode. What I have done so far is this:

On the Comcast modem, my main IP is 10.0.0.1

On pfSense, my WAN IP is 10.0.0.3

On pfSense, I have set up a gateway of 10.0.0.1 and added it under the gateway section of my WAN IP. With it like this, I am able to get internet on all of my computers with no issues. My main issue is I am trying to port forward one of my internal devices (it is an SSLVPN appliance) so I can essentially type in my link "remote.site.com:8000". I have set port forwarding to allow port 8000 to translate to HTTPS, and I see it in my log as being blocked:

    Act    Time             If   Source          Destination      Proto
    block  Nov 13 03:36:14  WAN  10.0.0.3:53232  192.168.1.6:443  TCP:S

Does anybody have any suggestions so I can get this to work? If any other info is needed, please let me know and I will post it.
johnpoz (LAYER 8 Global Moderator)

Did you uncheck blocking private networks?

Who says you cannot put that into bridge mode? This user guide sure looks like you can:

http://www.arrisi.com/support/documentation/user_guides/_docs/ARRIS_Router_Setup_Web_GUI_UG.pdf
punkme112

That was Comcast that said this device cannot be put into bridging mode; I guess I can call them instead of doing online tech support and see what they can do. And I did see that screenshot, actually. The first thing I found on Google about the Arris I have was the PDF for the device :). As far as the blocking of private networks, I actually have that checked for my WAN. I'll uncheck that and post my results.
johnpoz (LAYER 8 Global Moderator)

If you're blocking private networks, then

10.0.0.3:53232

is your source and would be blocked, would it not, since it's private.

But there should be NO reason why that device cannot be just a modem. Chatting with the IDIOTS at Comcast is not going to be much help ;)

Question for you: I have Comcast, are they not charging you like $7 a month for that device? Just buy your own, and in about a year you have paid off the cost, and after that it's just saving money. I bought my own SB6120 a couple of years back and have not had issue one with it. Paid for itself twice already ;)
punkme112

Since I unchecked Block private networks, I don't get any blocks in my log for the 10.0.0.3, but I am still unable to connect to my device over port 8000. Comcast-wise, I have to use theirs because I have phone from them as well :(. So it sort of limits my choices at the moment.
johnpoz (LAYER 8 Global Moderator)

Then you've got your NAT configured wrong.

Did you not let the NAT create your WAN rule?

Hmm, this seems odd as well:
192.168.1.6:443 as dst on your WAN interface?

How did you forward through your TG862, via DMZ or did you set up a specific forward?

Why are you using 8000? Why not just 443? Comcast does not block that; I use it to access OpenVPN on my pfSense.

So you have to forward on the TG862 to the pfSense WAN IP, 10.0.0.3 I believe you set it to be, for whatever port you want. Then on pfSense you need to forward that port to your inside box, assume the 192.168.1.6.

If you're stuck doing NAT because you have phone with them as well, then I would just put your pfSense WAN IP in the DMZ of the thing, and then you will only have to forward at pfSense for any future ports you want.
punkme112

This is what I was thinking. I have been out of pfSense usage for a while (I switched to a Juniper SSG5, but it was giving me issues with gaming). Anyway, since I unblocked private networks, I don't have any logs as I did in the first post. For my Arris, the only things I set on that were: in its DMZ, I put my firewall's WAN IP of 10.0.0.3, and I did the same in the Arris' port forwarding settings as well, using the 10.0.0.3 for that port 8000. I know this sounds kind of cryptic; if you need any screenshots or anything, I'll be glad to post them.
punkme112

Here is my NAT as it is now on the firewall:

johnpoz (LAYER 8 Global Moderator)

And where is your firewall WAN rule that matches up with that? And dest address should be your WAN address.

Here are my NATs:

johnpoz (LAYER 8 Global Moderator)

Once you put the 10.0.0.3 in the DMZ, you would not also forward ports on it.
punkme112

Here's the firewall rule:

johnpoz (LAYER 8 Global Moderator)

So put in your WAN address as destination in your NAT (this is the default; why did you change it to *), and verify your alias. Why use an alias for a private IP address? An alias makes sense if you have a group or something, or if something changes, like a public FQDN that you don't have control over, etc. But what do you have sslvpn pointing to? Can it resolve it? Do you have it as an IP? Why not just put in the IP?

There was a user a while back that had a typo in his alias, 192.163 vs 192.168 or something.

I would just put the direct info in; this way you can see everything with one easy view of your rules vs having to look at your aliases, etc.
punkme112

I will give this a try. As far as the NAT goes, when I am under the destination part, it has WAN address, but the field under it will not let me put anything in. Should I just do single host or alias? I appreciate the help!
johnpoz (LAYER 8 Global Moderator)

And how many hosts are you going to forward to? That's 1, right? So why do you need an alias?

Why do you need to put something under WAN Address? Is that not going to be the destination IP?? That is normally your public IP, or in your case 10.0.0.3, which your first router will NAT inbound traffic to, since you put your pfSense WAN IP in its DMZ.

No other forwards on your first router; just the DMZ setting is all that is needed.
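As an added illustration (not code from the thread, from pfSense or from Arris), the following Python model traces one inbound TCP SYN through the two NAT hops discussed above and produces a pfSense-style log line for each case. It assumes a public address of 198.51.100.7 for the TG862, a remote client at 203.0.113.10, a pfSense LAN of 192.168.1.0/24, and simplified hop behaviour: the TG862 preserves the source address, and pfSense applies the port forward before the filter rules, so the filter log shows the translated destination. The scenarios are constructed to cover the points raised in the thread: the "Block private networks" option, a NAT entry without its WAN rule, an alias typo, and DMZ versus explicit forwards on the TG862.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed addresses (documentation ranges) for this example. Only 10.0.0.1, 10.0.0.3 and
# 192.168.1.6 come from the thread; the rest are assumptions.
PUBLIC_IP = "198.51.100.7"      # assumed public side of the TG862
REMOTE_CLIENT = "203.0.113.10"  # assumed remote user of the SSLVPN box
PF_WAN = "10.0.0.3"             # pfSense WAN, as in the thread
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed pfSense LAN
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Illustrative pf-style equivalents of what the pfSense checks below stand in for
# (not pfSense's generated ruleset, whose labels and ordering differ):
#   rdr on em0 proto tcp from any to 10.0.0.3 port 8000 -> 192.168.1.6 port 443
#   block in quick on em0 from 10.0.0.0/8 to any                     # "Block private networks"
#   pass in quick on em0 proto tcp from any to 192.168.1.6 port 443  # WAN rule the NAT entry creates


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def upstream_gateway(pkt, dmz_host=None, forwards=()):
    """Hop 1, the ISP gateway (the TG862 in the thread): inbound traffic to its public IP
    goes to a specific port forward if one matches, else to the DMZ host, else is dropped.
    Simplification: the source address is preserved."""
    if pkt.dst != PUBLIC_IP:
        return None, "upstream: not addressed to the public IP, dropped"
    for port, target in forwards:
        if port == pkt.dport:
            return replace(pkt, dst=target), f"upstream: port forward {port} -> {target}"
    if dmz_host:
        return replace(pkt, dst=dmz_host), f"upstream: DMZ -> {dmz_host}"
    return None, "upstream: no forward and no DMZ, dropped"


def pfsense_wan(pkt, nat_rules, aliases, block_private, wan_pass_rules):
    """Hop 2, the pfSense WAN. pf applies rdr (the port forward) before filtering, so the
    filter rules and the firewall log see the translated destination.
    nat_rules: (dst, dport, target, target_port) with dst 'WAN address', '*' or an IP.
    aliases: alias name -> address, resolved without validation, which is how a typo slips in.
    wan_pass_rules: {(dst_ip, dport)} allowed by WAN rules (the auto-created rule uses the
    internal IP as destination). Returns (delivered packet or None, log line)."""
    translated = pkt
    for dst, dport, target, tport in nat_rules:
        want = PF_WAN if dst == "WAN address" else dst
        if pkt.dport == dport and want in ("*", pkt.dst):
            translated = replace(pkt, dst=aliases.get(target, target), dport=tport)
            break
    flow = f"WAN {translated.src}:{translated.sport} {translated.dst}:{translated.dport} TCP:S"
    if block_private and is_rfc1918(translated.src):
        return None, f"block {flow} (Block private networks)"
    if (translated.dst, translated.dport) not in wan_pass_rules:
        return None, f"block {flow} (default deny: no matching WAN rule)"
    if ipaddress.ip_address(translated.dst) not in LAN:
        return None, f"pass {flow} (but {translated.dst} is not on the LAN: nothing answers)"
    return translated, f"pass {flow}"


def trace(pkt, dmz_host, forwards, nat_rules, aliases, block_private, wan_pass_rules):
    """Run one inbound SYN through both hops: (delivered?, upstream log, pfSense log)."""
    hop1, up_log = upstream_gateway(pkt, dmz_host, forwards)
    if hop1 is None:
        return False, up_log, None
    hop2, pf_log = pfsense_wan(hop1, nat_rules, aliases, block_private, wan_pass_rules)
    return hop2 is not None, up_log, pf_log


NAT_8000 = [("WAN address", 8000, "192.168.1.6", 443)]
AUTO_RULE = {("192.168.1.6", 443)}   # WAN rule pfSense creates alongside that NAT entry
SYN = Packet(REMOTE_CLIENT, 40000, PUBLIC_IP, 8000)


def scenarios():
    out = {}
    # 1. The first post's log line: a private source on WAN while "Block private networks"
    #    is checked. The packet is constructed to match the logged source address.
    _, log = pfsense_wan(Packet(PF_WAN, 53232, PF_WAN, 8000), NAT_8000, {}, True, AUTO_RULE)
    out["as_logged"] = (False, None, log)
    # 2. NAT entry without its WAN rule: same destination in the log, different reason.
    out["no_wan_rule"] = trace(SYN, PF_WAN, (), NAT_8000, {}, False, set())
    # 3. Alias typo (192.163 vs 192.168): everything passes, nothing answers.
    out["alias_typo"] = trace(SYN, PF_WAN, (), [("WAN address", 8000, "sslvpn", 443)],
                              {"sslvpn": "192.163.1.6"}, False, {("192.163.1.6", 443)})
    # 4. DMZ on the TG862, NAT entry plus its WAN rule, private blocking off: delivered.
    out["working"] = trace(SYN, PF_WAN, (), NAT_8000, {}, False, AUTO_RULE)
    # 5. DMZ and an explicit forward for 8000 on the TG862: the forward is redundant.
    out["dmz_and_forward"] = trace(SYN, PF_WAN, ((8000, PF_WAN),), NAT_8000, {}, False, AUTO_RULE)
    return out


if __name__ == "__main__":
    for name, (ok, up, pf) in scenarios().items():
        print(f"{name:16} delivered={ok}\n    {up}\n    {pf}")
```

Two things the model makes visible. First, because pfSense records the post-translation destination, a WAN log entry whose destination is 192.168.1.6:443 is what any port forward to that host looks like, blocked or passed; the entry's rule detail (which rule produced the block) is what separates the "Block private networks" case from a NAT entry with no matching WAN rule. Second, a mistyped alias fails silently at the firewall: the translated packet is passed, so nothing shows up in the block log, and the only symptom is that the client times out.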
© 2021 Rubicon Communications, LLC