Firewall vs NAT
-
create portforward rule to your pfsense
wan-ip:8181 -> 192.168.10.2:8080 -
create portforward rule to your pfsense
wan-ip:8181 -> 192.168.10.2:8080see my edit, my mistake for not including it in that post.
wan-ip:8181 -> 192.168.10.2:8181
i have tried this and it didnt work.
i cut out the other ports, but they look just like the one above, i just left them out to upload a smaller pic.
those are working, i am able to login to the cameras over the internet, off site.
-
As I saied earlier change your rule wan-ip:8181 -> 192.168.10.2:8080
-
As I saied earlier change your rule wan-ip:8181 -> 192.168.10.2:8080
can you explain this? the 8080 is throwing me off, the remote management port for the linksys router that sits behind the pfsense box is 8181
pfsense is 8080
not saying you are wrong, but i must be missing something because that doesnt make sense.
thanks.
-
Ok, let's try again.
wan-ip:8181 -> 192.168.10.2:management-port-of-this-device.if this is not working, then your linksys or what ever device is sitting behind pfsense is having wrong gateway information or wrong static route if it's more like cisco configuration
-
Ok, let's try again.
wan-ip:8181 -> 192.168.10.2:management-port-of-this-device.if this is not working, then your linksys or what ever device is sitting behind pfsense is having wrong gateway information or wrong static route if it's more like cisco configuration
on the linksys side, there is no spot for gateway.
i am only using the LAN ports on the linksys router.
the onyl ip i can change is the ip of the linksys unit.
as of right now, this is what it looks like
pfsense- 192.168.10.1:8080 (i can get into it, this is working)
linksys- 192.168.10.2:8181 for remote management, but locally (on the LAN) 192.168.10.2 works in the browser (locally it still runs on 80, i dont see a screen to change this).
camera computer- 192.168.10.10 has ports 81, 4550 and 5550 open so i can view cameras from the web (i can get into it, this is working)
i treated the linksys device the same as the camera computer and it doenst work, but like i said, something strange is going on because that device is operating on port 80 locally,
thanks for the help.
-
If your linksys works with http://192.168.10.2 internally, that means that your management port is 80.
–> so your portforward rule is wan-ip:8181 -- 192.168.10.2:80or whatever you like to use outside of lan.
-
Remote Router access on the Linksys only works for the WAN port.
Since your using only the LAN ports it doesn't matter if you have that checked or not.
When you access the Linksys from inside your network- what exactly do you put in your browser address window?
Is your DSL modem in bridge mode? (what are the WAN settings of your pfsense box?)
-
apparently i missed 1 part.
when i type in 192.168.10.2 on the LAN it automatically appends :8181 (see my screens above). which means the address i am using on the LAN is 192.168.10.2:8181
if the management port only works for the WAN side, then this certainly does make sense (on why i can get in) when i configure it the same as the camera computer on the network (which does work from the outside _).
only LAN ports are used on the linksys router (which is not acting as a router).
as far as the DSL coming in, i dont want to get off topic with that setup…the pfsense box is getting a public IP on the WAN NIC, all my other firewall rules work fine on the pfsense box. technically, my gateway from AT&T can't be put into bridge mode, but there is a way to get it to 'act' as if it is in bridge mode and that is what i am doing now. in the pfsense dashboard, the public IP appears on the WAN/Gateway NIC and if i type in my http://WAN IP:8080 i hit my pfsense box (however, i use a hostname because i have a dynamic IP).
thanks_
-
So your linksys is only a AP, and you changed its LAN IP to be 192.168.10.2 And when your on your lan you can access this no problem - lets forget the port for now.
And you want to be able to access this from outside your network (from the internet)? WTF??? Why would you need to do that?? If you do, then VPN into your network and then access it. I would never in a MILLION Years someone suggest they open their wireless networks AP gui to the public internet.
But if you insist then its going to need a GATEWAY on the lan settings – which I know you can do.. You just normally don't need to since there is little with access it from the same network - only if you have multiple lan segments would you need to do that. But the option is there. What is the model of your linksys so can call up the specific manual and show you. Now mine linksys wrt54g that I use as just an AP is running tomato.. But as you can see on the lan you can give it a gateway.
Again I would HIGHLY suggest you rethink opening up your AP web gui to the public internet with a port forward.. If you do that, I would hope your locking it down to the source IP you would be coming from. If you need to admin/access stuff on your network that are not services to the public like game server, ftp, etc. Then I would vpn into your network to do such work.
-
So your linksys is only a AP, and you changed its LAN IP to be 192.168.10.2 And when your on your lan you can access this no problem - lets forget the port for now.
And you want to be able to access this from outside your network (from the internet)? WTF??? Why would you need to do that?? If you do, then VPN into your network and then access it. I would never in a MILLION Years someone suggest they open their wireless networks AP gui to the public internet.
But if you insist then its going to need a GATEWAY on the lan settings – which I know you can do.. You just normally don't need to since there is little with access it from the same network - only if you have multiple lan segments would you need to do that. But the option is there. What is the model of your linksys so can call up the specific manual and show you. Now mine linksys wrt54g that I use as just an AP is running tomato.. But as you can see on the lan you can give it a gateway.
Again I would HIGHLY suggest you rethink opening up your AP web gui to the public internet with a port forward.. If you do that, I would hope your locking it down to the source IP you would be coming from. If you need to admin/access stuff on your network that are not services to the public like game server, ftp, etc. Then I would vpn into your network to do such work.
1. i want to figure out why i can port forward on it
2. technically i dont need it to be open to the internet, but as number 1 states, it is bugging me that i cant open it up while other devices (mainly the camera computer) works.mine doesnt have a spot for the gateway, i thought i attached that pic yesterday, i guess i forgot
here it is:
if i need the gateway since this isnt on the WAN side, then i guess i cant do it.
i just wanted to make sure it wasnt a firewall setting that i didnt configure properly.
thanks
-
If you can not set a gateway - then no its not going to be possible, unless you did a source nat on pfsense so that the linksys thought traffic was coming from same lan.
What linksys are you running, what firmware - does it support dd-wrt or tomato, other 3rd party because I am quite sure those would give the ability to set a gateway on your lan interface.
Again I would not suggest actually open it up to the public net - but the lack of gateway explains why your forward is not working.
linksys sees traffic from some public IP 24.13.a.b because you forward it in on pfsense – it has no gateway, so there is no possible way for it to send response to that traffic.
-
If you can not set a gateway - then no its not going to be possible, unless you did a source nat on pfsense so that the linksys thought traffic was coming from same lan.
What linksys are you running, what firmware - does it support dd-wrt or tomato, other 3rd party because I am quite sure those would give the ability to set a gateway on your lan interface.
Again I would not suggest actually open it up to the public net - but the lack of gateway explains why your forward is not working.
linksys sees traffic from some public IP 24.13.a.b because you forward it in on pfsense – it has no gateway, so there is no possible way for it to send response to that traffic.
ok, not worth it to add other firmware, for the little time i would need to get into the interface, i can create a VPN or use the existing logmein service i have on a computer on that network and access it that way.
i just wanted to make sure it wasnt something i was missing.
thanks
-
If you create a vpn into your network - the AP would still need a gateway, unless you did source natting so that connection looked like it was coming from pfsense IP on that lan. If it looks like its coming from the vpn tunnel network that the remote client would be on - then the AP would not be able to answer.
But sure if you remote a box inside the lan, then use that box to access the AP you would be fine.
As too not worth using 3rd party firmware - I think you would be pleasantly surprised at how well some 3rd party performs vs native. But if all your doing on the thing is AP then it might not make much a difference. But depending on your actual router your using model number - changing to 3rd party could be as easy as just upload the file via the gui and reboot.
-
If you create a vpn into your network - the AP would still need a gateway, unless you did source natting so that connection looked like it was coming from pfsense IP on that lan. If it looks like its coming from the vpn tunnel network that the remote client would be on - then the AP would not be able to answer.
But sure if you remote a box inside the lan, then use that box to access the AP you would be fine.
As too not worth using 3rd party firmware - I think you would be pleasantly surprised at how well some 3rd party performs vs native. But if all your doing on the thing is AP then it might not make much a difference. But depending on your actual router your using model number - changing to 3rd party could be as easy as just upload the file via the gui and reboot.
good point on the VPN, i didnt think about that.
i will stick to using the free logmein client on the computer on the network to login and change the AP settings.
it is doing 1 thing…wifi and a change is rarely needed. i looked into flashing it with 3rd part long ago and i forget why i didnt go through with it, i may try it down the road but it is one of those things...if it ain broke, dont fix it.
thanks
-
i'm a little confused… :(
