Netgate Discussion Forum

    Firewall vs NAT

    • Metu69salemi

      create portforward rule to your pfsense
      wan-ip:8181 -> 192.168.10.2:8080

      • A Former User

        @Metu69salemi:

        create portforward rule to your pfsense
        wan-ip:8181 -> 192.168.10.2:8080

        see my edit, my mistake for not including it in that post.

        wan-ip:8181 -> 192.168.10.2:8181

        i have tried this and it didnt work.

        i cut out the other ports, but they look just like the one above, i just left them out to upload a smaller pic.

        those are working, i am able to login to the cameras over the internet, off site.

        • Metu69salemi

          As I said earlier change your rule wan-ip:8181 -> 192.168.10.2:8080

          • A Former User

            @Metu69salemi:

            As I said earlier change your rule wan-ip:8181 -> 192.168.10.2:8080

            can you explain this?  the 8080 is throwing me off, the remote management port for the linksys router that sits behind the pfsense box is 8181

            pfsense is 8080

            not saying you are wrong, but i must be missing something because that doesnt make sense.

            thanks.

            • Metu69salemi

              Ok, let's try again.
              wan-ip:8181 -> 192.168.10.2:management-port-of-this-device.

              if this is not working, then your linksys or what ever device is sitting behind pfsense is having wrong gateway information or wrong static route if it's more like cisco configuration

              • A Former User

                @Metu69salemi:

                Ok, let's try again.
                wan-ip:8181 -> 192.168.10.2:management-port-of-this-device.

                if this is not working, then your linksys or what ever device is sitting behind pfsense is having wrong gateway information or wrong static route if it's more like cisco configuration

                on the linksys side, there is no spot for gateway.

                i am only using the LAN ports on the linksys router.

                the only ip i can change is the ip of the linksys unit.

                as of right now, this is what it looks like

                pfsense- 192.168.10.1:8080 (i can get into it, this is working)

                linksys- 192.168.10.2:8181 for remote management, but locally (on the LAN) 192.168.10.2 works in the browser (locally it still runs on 80, i dont see a screen to change this).

                camera computer- 192.168.10.10 has ports 81, 4550 and 5550 open so i can view cameras from the web (i can get into it, this is working)

                i treated the linksys device the same as the camera computer and it doesn't work, but like i said, something strange is going on because that device is operating on port 80 locally,

                thanks for the help.

                • Metu69salemi

                  If your linksys works with http://192.168.10.2 internally, that means that your management port is 80.
                  --> so your portforward rule is wan-ip:8181 -> 192.168.10.2:80

                  or whatever you like to use outside of lan.

                  • chpalmer

                    Remote Router access on the Linksys only works for the WAN port.

                    Since you're using only the LAN ports it doesn't matter if you have that checked or not.

                    When you access the Linksys from inside your network- what exactly do you put in your browser address window?

                    Is your DSL modem in bridge mode?  (what are the WAN settings of your pfsense box?)

                    Triggering snowflakes one by one..
                    Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

                    • A Former User

                      apparently i missed 1 part.

                      when i type in 192.168.10.2 on the LAN it automatically appends :8181 (see my screens above).  which means the address i am using on the LAN is 192.168.10.2:8181

                      if the management port only works for the WAN side, then this certainly does make sense (on why i can get in) when i configure it the same as the camera computer on the network (which does work from the outside).

                      only LAN ports are used on the linksys router (which is not acting as a router).

                      as far as the DSL coming in, i dont want to get off topic with that setup…the pfsense box is getting a public IP on the WAN NIC, all my other firewall rules work fine on the pfsense box.  technically, my gateway from AT&T can't be put into bridge mode, but there is a way to get it to 'act' as if it is in bridge mode and that is what i am doing now.  in the pfsense dashboard, the public IP appears on the WAN/Gateway NIC and if i type in my http://WAN IP:8080 i hit my pfsense box (however, i use a hostname because i have a dynamic IP).

                      thanks

                      • johnpoz LAYER 8 Global Moderator

                        So your linksys is only an AP, and you changed its LAN IP to be 192.168.10.2  And when you're on your lan you can access this no problem - let's forget the port for now.

                        And you want to be able to access this from outside your network (from the internet)?  WTF???  Why would you need to do that??  If you do, then VPN into your network and then access it.  I would never in a MILLION Years suggest someone open their wireless network's AP gui to the public internet.

                        But if you insist then its going to need a GATEWAY on the lan settings – which I know you can do..  You just normally don't need to since there is little with access it from the same network - only if you have multiple lan segments would you need to do that.  But the option is there.  What is the model of your linksys so can call up the specific manual and show you.  Now mine linksys wrt54g that I use as just an AP is running tomato..  But as you can see on the lan you can give it a gateway.

                        Again I would HIGHLY suggest you rethink opening up your AP web gui to the public internet with a port forward..  If you do that, I would hope you're locking it down to the source IP you would be coming from.  If you need to admin/access stuff on your network that are not services to the public like game server, ftp, etc.  Then I would vpn into your network to do such work.

                        defaultgateway.png

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        • A Former User

                          @johnpoz:

                          So your linksys is only an AP, and you changed its LAN IP to be 192.168.10.2  And when you're on your lan you can access this no problem - let's forget the port for now.

                          And you want to be able to access this from outside your network (from the internet)?  WTF???  Why would you need to do that??  If you do, then VPN into your network and then access it.  I would never in a MILLION Years suggest someone open their wireless network's AP gui to the public internet.

                          But if you insist then its going to need a GATEWAY on the lan settings – which I know you can do..  You just normally don't need to since there is little with access it from the same network - only if you have multiple lan segments would you need to do that.  But the option is there.  What is the model of your linksys so can call up the specific manual and show you.  Now mine linksys wrt54g that I use as just an AP is running tomato..  But as you can see on the lan you can give it a gateway.

                          Again I would HIGHLY suggest you rethink opening up your AP web gui to the public internet with a port forward..  If you do that, I would hope you're locking it down to the source IP you would be coming from.  If you need to admin/access stuff on your network that are not services to the public like game server, ftp, etc.  Then I would vpn into your network to do such work.

                          1. i want to figure out why i can port forward on it
                          2. technically i dont need it to be open to the internet, but as number 1 states, it is bugging me that i cant open it up while other devices (mainly the camera computer) works.

                          mine doesnt have a spot for the gateway, i thought i attached that pic yesterday, i guess i forgot

                          here it is:

                          if i need the gateway since this isnt on the WAN side, then i guess i cant do it.

                          i just wanted to make sure it wasnt a firewall setting that i didnt configure properly.

                          thanks

                          • johnpoz LAYER 8 Global Moderator

                            If you can not set a gateway - then no its not going to be possible, unless you did a source nat on pfsense so that the linksys thought traffic was coming from same lan.

                            What linksys are you running, what firmware - does it support dd-wrt or tomato, other 3rd party because I am quite sure those would give the ability to set a gateway on your lan interface.

                            Again I would not suggest actually open it up to the public net - but the lack of gateway explains why your forward is not working.

                            linksys sees traffic from some public IP 24.13.a.b because you forward it in on pfsense – it has no gateway, so there is no possible way for it to send response to that traffic.

                            • A Former User

                              @johnpoz:

                              If you can not set a gateway - then no its not going to be possible, unless you did a source nat on pfsense so that the linksys thought traffic was coming from same lan.

                              What linksys are you running, what firmware - does it support dd-wrt or tomato, other 3rd party because I am quite sure those would give the ability to set a gateway on your lan interface.

                              Again I would not suggest actually open it up to the public net - but the lack of gateway explains why your forward is not working.

                              linksys sees traffic from some public IP 24.13.a.b because you forward it in on pfsense – it has no gateway, so there is no possible way for it to send response to that traffic.

                              ok, not worth it to add other firmware, for the little time i would need to get into the interface, i can create a VPN or use the existing logmein service i have on a computer on that network and access it that way.

                              i just wanted to make sure it wasnt something i was missing.

                              thanks

                              • johnpoz LAYER 8 Global Moderator

                                If you create a vpn into your network - the AP would still need a gateway, unless you did source natting so that connection looked like it was coming from pfsense IP on that lan.  If it looks like its coming from the vpn tunnel network that the remote client would be on - then the AP would not be able to answer.

                                But sure if you remote a box inside the lan, then use that box to access the AP you would be fine.

                                As to not worth using 3rd party firmware - I think you would be pleasantly surprised at how well some 3rd party performs vs native.  But if all you're doing on the thing is AP then it might not make much a difference.  But depending on your actual router you're using model number - changing to 3rd party could be as easy as just upload the file via the gui and reboot.
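
An added example (not written by any poster in this thread) that models the reply-path reasoning in johnpoz's posts above: a host answers directly only when the source it sees is on its own subnet, otherwise it needs a gateway, so a forwarded or VPN connection fails unless pfSense source-NATs it to its LAN address. The /24 mask and the two remote client addresses are assumptions constructed for the illustration.

```python
import ipaddress

# Addresses from the thread; the /24 mask and the two remote clients are assumptions.
AP_IP, AP_PREFIX = "192.168.10.2", 24      # Linksys used as an AP, no gateway field
PFSENSE_LAN = "192.168.10.1"
INTERNET_CLIENT = "203.0.113.7"            # constructed (documentation range)
VPN_CLIENT = "10.8.0.2"                    # constructed tunnel-network address
LAN_BOX = "192.168.10.10"                  # the camera computer on the same LAN


def reply_route(host_ip, prefix, gateway, peer):
    """How a host routes a reply to peer: 'on-link', 'via <gw>', or None (no route)."""
    network = ipaddress.ip_interface(f"{host_ip}/{prefix}").network
    if ipaddress.ip_address(peer) in network:
        return "on-link"                   # same subnet: answer directly
    if gateway:
        return f"via {gateway}"            # off-subnet: hand the reply to the gateway
    return None                            # off-subnet and no gateway: reply is dropped


def connect(client, ap_gateway=None, source_nat=None):
    """Client reaches the AP through pfSense; source_nat rewrites the source the AP sees."""
    seen = source_nat or client
    route = reply_route(AP_IP, AP_PREFIX, ap_gateway, seen)
    return {"ap_sees": seen, "reply": route, "works": route is not None}


SCENARIOS = {
    "port forward, AP has no gateway": connect(INTERNET_CLIENT),
    "port forward, AP gateway set": connect(INTERNET_CLIENT, ap_gateway=PFSENSE_LAN),
    "port forward + source NAT": connect(INTERNET_CLIENT, source_nat=PFSENSE_LAN),
    "VPN client, AP has no gateway": connect(VPN_CLIENT),
    "VPN client + source NAT": connect(VPN_CLIENT, source_nat=PFSENSE_LAN),
    "remote-controlled box on the LAN": connect(LAN_BOX),
}

if __name__ == "__main__":
    for name, result in SCENARIOS.items():
        status = "works" if result["works"] else "FAILS"
        print(f"{name:34} {status:6} AP sees {result['ap_sees']:15} reply {result['reply']}")
```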

                                • A Former User

                                  @johnpoz:

                                  If you create a vpn into your network - the AP would still need a gateway, unless you did source natting so that connection looked like it was coming from pfsense IP on that lan.  If it looks like its coming from the vpn tunnel network that the remote client would be on - then the AP would not be able to answer.

                                  But sure if you remote a box inside the lan, then use that box to access the AP you would be fine.

                                  As to not worth using 3rd party firmware - I think you would be pleasantly surprised at how well some 3rd party performs vs native.  But if all you're doing on the thing is AP then it might not make much a difference.  But depending on your actual router you're using model number - changing to 3rd party could be as easy as just upload the file via the gui and reboot.

                                  good point on the VPN, i didnt think about that.

                                  i will stick to using the free logmein client on the computer on the network to login and change the AP settings.

                                  it is doing 1 thing…wifi and a change is rarely needed.  i looked into flashing it with 3rd party long ago and i forget why i didnt go through with it, i may try it down the road but it is one of those things...if it ain't broke, dont fix it.

                                  thanks

                                  • powerranger520

                                    i'm a little confused… :(

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.