Firewall vs NAT
-
This is one of those times I wish firewall/NAT were in the same forum; not sure where to post this.
I'll try to give as much detail as possible, and I will do my best to keep this short.
The existing network had a DSL modem -> Linksys router with WiFi. This router did it all: DHCP, DNS, WiFi. From there, it was 1 wired PC and a bunch of WiFi PCs for customers/guests. This is where pfSense came into play.
pfSense sits between the DSL and the router. The router has DHCP disabled and its IP changed from 192.168.10.1 to 192.168.10.2, and it only does WiFi.
pfSense is doing DNS, DHCP, firewall rules, etc., and is using 192.168.10.1.
So far everything is running fine.
I wanted to create a rule to allow pfSense to be accessible from the web so I didn't have to remote into a network PC to make changes.
I followed these instructions and got it working:
http://doc.pfsense.org/index.php/How_can_I_access_the_webGUI_from_the_WAN%3F
Here is where it gets a little tricky. The Linksys router operates, by default, on port 80. All I have to do is type in 192.168.10.2 and it opens up the Linksys router on the LAN. The remote management port in the Linksys router is set to 8080 by default and it is enabled; I have been accessing the Linksys from the WAN for a few years, so I know that feature/port is working. Since the Linksys WAS the only router on the network prior to pfSense, I didn't have to port forward any ports in the Linksys; it must do it on its own in the backend when you enable 8080. Regardless, it worked. I had to open the ports on the Linksys router to get the cameras to work over the network, on iPhones and iPads, etc. I had no problems getting that working.
Now that the Linksys is just an AP, I disabled all of the rules on it (for the cameras) and created them on the pfSense under the NAT section, which auto-creates WAN rules.
I had no problem opening the port for pfSense on HTTP 8080 (I know it's not recommended, but I want to get it working on 8080 and HTTP before I switch to HTTPS), aside from the DNS rebind error I was getting (now fixed; I followed this: http://doc.pfsense.org/index.php/DNS_Rebinding_Protections). That is working as expected. From my house I can connect to pfSense (located at another site) via the WAN on port 8080; all is good.
Since I am using 8080 on pfSense, I changed the 8080 in the Linksys to 8181 (192.168.10.2) and created the same WAN rule as I did for pfSense. 8181 isn't working from home. I updated the rule and cleared the states, nothing... Is it possible that the Linksys router will not act like the pfSense box since it is sitting behind the pfSense box, making it a regular network device (like the cameras)?
I tried adding the Linksys rule for 8181 as a NAT rule, but that didn't work.
- How do I get 8181 (the Linksys router, no longer acting as a router) accessible via 8181 over the WAN?
Very strange that locally it doesn't need 192.168.10.2:8181. pfSense went from 192.168.10.1 to 192.168.10.1:8080 after I changed the rule; wondering how the Linksys router can get around that?
-
The way I see it (just to make sure there is no confusion):
The Linksys router (that has all the proper services disabled), behind the pfSense box, seems to have two ports open:
80, that I can't change
and 8080 for the management port, which I can toggle on or off.
Edit: those are the defaults of the Linksys router.
8080 - is HTTP for pfSense
8181 - is what I changed the Linksys to work on
-
Create a port forward rule on your pfSense:
wan-ip:8181 -> 192.168.10.2:8080
-
See my edit; my mistake for not including it in that post.
wan-ip:8181 -> 192.168.10.2:8181
I have tried this and it didn't work.
I cut out the other ports, but they look just like the one above; I just left them out to upload a smaller pic.
Those are working; I am able to log in to the cameras over the internet, off site.
-
As I said earlier, change your rule to wan-ip:8181 -> 192.168.10.2:8080
-
Can you explain this? The 8080 is throwing me off; the remote management port for the Linksys router that sits behind the pfSense box is 8181.
pfSense is 8080.
Not saying you are wrong, but I must be missing something because that doesn't make sense.
Thanks.
-
OK, let's try again.
wan-ip:8181 -> 192.168.10.2:management-port-of-this-device. If this is not working, then your Linksys, or whatever device is sitting behind pfSense, has wrong gateway information (or a wrong static route, if it's more like a Cisco configuration).
-
On the Linksys side, there is no spot for a gateway.
I am only using the LAN ports on the Linksys router.
The only IP I can change is the IP of the Linksys unit.
As of right now, this is what it looks like:
pfSense - 192.168.10.1:8080 (I can get into it, this is working)
Linksys - 192.168.10.2:8181 for remote management, but locally (on the LAN) 192.168.10.2 works in the browser (locally it still runs on 80; I don't see a screen to change this).
Camera computer - 192.168.10.10 has ports 81, 4550 and 5550 open so I can view cameras from the web (I can get into it, this is working).
I treated the Linksys device the same as the camera computer and it doesn't work, but like I said, something strange is going on because that device is operating on port 80 locally.
Thanks for the help.
-
If your Linksys works with http://192.168.10.2 internally, that means that your management port is 80.
-> So your port forward rule is wan-ip:8181 -> 192.168.10.2:80, or whatever port you like to use outside of the LAN.
-
Remote router access on the Linksys only works for the WAN port.
Since you're using only the LAN ports, it doesn't matter if you have that checked or not.
When you access the Linksys from inside your network, what exactly do you put in your browser address window?
Is your DSL modem in bridge mode? (what are the WAN settings of your pfsense box?)
-
Apparently I missed one part.
When I type in 192.168.10.2 on the LAN it automatically appends :8181 (see my screens above), which means the address I am using on the LAN is 192.168.10.2:8181.
If the management port only works for the WAN side, then this certainly does make sense (on why I can get in) when I configure it the same as the camera computer on the network (which does work from the outside).
Only LAN ports are used on the Linksys router (which is not acting as a router).
As far as the DSL coming in, I don't want to get off topic with that setup... the pfSense box is getting a public IP on the WAN NIC, and all my other firewall rules work fine on the pfSense box. Technically, my gateway from AT&T can't be put into bridge mode, but there is a way to get it to 'act' as if it is in bridge mode, and that is what I am doing now. In the pfSense dashboard, the public IP appears on the WAN/Gateway NIC, and if I type in http://WAN IP:8080 I hit my pfSense box (however, I use a hostname because I have a dynamic IP).
Thanks
-
So your Linksys is only an AP, and you changed its LAN IP to 192.168.10.2, and when you're on your LAN you can access this no problem; let's forget the port for now.
And you want to be able to access this from outside your network (from the internet)? WTF??? Why would you need to do that?? If you do, then VPN into your network and then access it. I would never in a MILLION years suggest someone open their wireless AP's GUI to the public internet.
But if you insist, then it's going to need a GATEWAY in the LAN settings, which I know you can do. You just normally don't need to, since there is little that accesses it from outside the same network; only if you have multiple LAN segments would you need to do that. But the option is there. What is the model of your Linksys, so I can call up the specific manual and show you? Now, my Linksys WRT54G that I use as just an AP is running Tomato, but as you can see, on the LAN you can give it a gateway.
Again, I would HIGHLY suggest you rethink opening up your AP web GUI to the public internet with a port forward. If you do that, I would hope you're locking it down to the source IP you would be coming from. If you need to admin/access stuff on your network that are not services to the public (like a game server, FTP, etc.), then I would VPN into your network to do such work.
-
1. I want to figure out why I can port forward on it.
2. Technically I don't need it to be open to the internet, but as number 1 states, it is bugging me that I can't open it up while other devices (mainly the camera computer) work.
Mine doesn't have a spot for the gateway; I thought I attached that pic yesterday, I guess I forgot.
Here it is:
If I need the gateway since this isn't on the WAN side, then I guess I can't do it.
I just wanted to make sure it wasn't a firewall setting that I didn't configure properly.
Thanks
-
If you cannot set a gateway, then no, it's not going to be possible, unless you did a source NAT on pfSense so that the Linksys thought traffic was coming from the same LAN.
What Linksys are you running, and what firmware? Does it support DD-WRT, Tomato, or other 3rd party firmware? Because I am quite sure those would give the ability to set a gateway on your LAN interface.
Again, I would not suggest actually opening it up to the public net, but the lack of a gateway explains why your forward is not working.
The Linksys sees traffic from some public IP 24.13.a.b because you forward it in on pfSense; it has no gateway, so there is no possible way for it to send a response to that traffic.
-
OK, not worth it to add other firmware; for the little time I would need to get into the interface, I can create a VPN or use the existing LogMeIn service I have on a computer on that network and access it that way.
I just wanted to make sure it wasn't something I was missing.
Thanks
-
If you create a VPN into your network, the AP would still need a gateway, unless you did source NATting so that the connection looked like it was coming from the pfSense IP on that LAN. If it looks like it's coming from the VPN tunnel network that the remote client would be on, then the AP would not be able to answer.
But sure, if you remote into a box inside the LAN and then use that box to access the AP, you would be fine.
As to it not being worth using 3rd party firmware: I think you would be pleasantly surprised at how well some 3rd party firmware performs vs native. But if all you're doing on the thing is AP, then it might not make much of a difference. Depending on the actual router model number you're using, changing to 3rd party could be as easy as just uploading the file via the GUI and rebooting.
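An added example, not posted by anyone in this thread, that models the return-path problem the two replies above describe (the port-forward case and the VPN case): a forwarded packet reaches the AP, but a host with no default gateway can only reply to directly connected addresses, so the SYN/ACK to a public IP or a VPN tunnel IP has nowhere to go. Source NAT on pfSense (in pfSense terms, an outbound NAT rule on the LAN interface that rewrites the source of traffic to 192.168.10.2 to the LAN address 192.168.10.1) makes the AP see a directly connected peer, and pfSense's state table un-NATs the reply. The LAN addresses mirror the thread; the WAN address 203.0.113.5, the remote client 24.13.1.2 and the VPN client 10.0.8.2 are constructed for this example, and the classes are a simplified model, not pf's implementation.

```python
"""Model of why a port forward to a LAN host with no default gateway fails,
and why source NAT from pfSense fixes it.  Constructed example: LAN
192.168.10.0/24, pfSense at .1, Linksys AP at .2 (no gateway), camera PC
at .10.  203.0.113.5 (WAN), 24.13.1.2 (remote client) and 10.0.8.2 (VPN
tunnel client) are made-up addresses."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

LAN_NET = ipaddress.ip_network("192.168.10.0/24")


def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN_NET


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000


@dataclass
class Host:
    """A LAN device.  gateway=None models the AP whose LAN settings page has
    no gateway field: it can only talk to directly connected addresses."""
    name: str
    ip: str
    gateway: Optional[str] = None

    def has_route_to(self, ip: str) -> bool:
        # Directly connected peers are always reachable; replying to any
        # other address needs a default gateway to hand the packet to.
        return on_lan(ip) or self.gateway is not None


@dataclass
class PfSense:
    wan_ip: str
    lan_ip: str
    # WAN port -> (LAN ip, LAN port): the NAT / Port Forward entries
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # LAN hosts whose inbound traffic is also source-NATted to lan_ip
    # (the outbound NAT rule on the LAN interface)
    snat_hosts: Set[str] = field(default_factory=set)
    # (original, translated) pairs: the state used to un-NAT the reply
    states: List[Tuple[Packet, Packet]] = field(default_factory=list)

    def forward(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as the LAN host sees it, or None if dropped."""
        if pkt.dst == self.wan_ip:
            if pkt.dport not in self.port_forwards:
                return None              # no rdr rule: blocked on WAN
            lan_ip, lan_port = self.port_forwards[pkt.dport]
        elif on_lan(pkt.dst):
            # Routed straight to a LAN address, e.g. from a VPN tunnel.
            # (Same-subnet LAN traffic never really touches pfSense; it
            # is passed through here only for comparison.)
            lan_ip, lan_port = pkt.dst, pkt.dport
        else:
            return None
        src = pkt.src
        if lan_ip in self.snat_hosts and not on_lan(pkt.src):
            src = self.lan_ip            # SNAT: host sees a directly connected peer
        translated = Packet(src, lan_ip, lan_port, pkt.sport)
        self.states.append((pkt, translated))
        return translated


def connection_works(fw: PfSense, hosts: Dict[str, Host],
                     client_ip: str, dst_ip: str, dport: int) -> bool:
    """True if a TCP handshake from client_ip to dst_ip:dport completes: the
    SYN reaches a LAN host AND that host can route the SYN/ACK back to the
    source address it saw."""
    inside = fw.forward(Packet(client_ip, dst_ip, dport))
    if inside is None or inside.dst not in hosts:
        return False
    return hosts[inside.dst].has_route_to(inside.src)


def build_scenario(snat_for_ap: bool) -> Tuple[PfSense, Dict[str, Host]]:
    hosts = {
        "192.168.10.2": Host("linksys-ap", "192.168.10.2", gateway=None),
        "192.168.10.10": Host("camera-pc", "192.168.10.10", gateway="192.168.10.1"),
    }
    fw = PfSense(wan_ip="203.0.113.5", lan_ip="192.168.10.1",
                 port_forwards={81: ("192.168.10.10", 81),    # camera PC
                                8181: ("192.168.10.2", 80)},  # AP web UI
                 snat_hosts={"192.168.10.2"} if snat_for_ap else set())
    return fw, hosts


if __name__ == "__main__":
    for snat in (False, True):
        fw, hosts = build_scenario(snat)
        print(f"SNAT for AP: {snat}")
        print("  camera PC from 24.13.1.2:81 ->", connection_works(fw, hosts, "24.13.1.2", "203.0.113.5", 81))
        print("  AP from 24.13.1.2:8181      ->", connection_works(fw, hosts, "24.13.1.2", "203.0.113.5", 8181))
        print("  AP from VPN client 10.0.8.2 ->", connection_works(fw, hosts, "10.0.8.2", "192.168.10.2", 80))
        print("  AP from LAN host .50        ->", connection_works(fw, hosts, "192.168.10.50", "192.168.10.2", 80))
```

Without SNAT the camera PC (which has a gateway) answers and the AP does not, from either the internet or the VPN subnet; with SNAT both work because the AP only ever sees 192.168.10.1. The state entry is what lets pfSense map the AP's reply back to the real client, so the SNAT belongs on the firewall, not on the host. None of this changes the advice in the thread: exposing an AP's web UI through a port forward is still a bad idea, and if it must be reachable remotely, a VPN plus the SNAT rule (or a LAN jump host) is the safer route.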
-
Good point on the VPN, I didn't think about that.
I will stick to using the free LogMeIn client on the computer on the network to log in and change the AP settings.
It is doing one thing... WiFi, and a change is rarely needed. I looked into flashing it with 3rd party firmware long ago and I forget why I didn't go through with it; I may try it down the road, but it is one of those things... if it ain't broke, don't fix it.
Thanks
-
I'm a little confused... :(