Newbie - Trying to do a web forward



  • I am trying to add a NAT to get to a machine behind my firewall that is running on port 81.  I added the following rule:

    If WAN
    Proto TCP
    Src Addr: *
    Src Ports: *
    Dest Addr: *
    Dest Port: 81
    NAT IP: 192.168.2.250 (the IP of my web server)
    NAT Ports: 81

    This does not appear to be working.  My pfsense firewall has the IP of 192.168.1.23 on my WAN (it is behind my Verizon router currently while I test it).  When I ping this IP in the WAN I get no response.

    I went through the tutorials - unfortunately most of the port forwarding links I looked at refer to older versions and are not much help.  What am I doing wrong?  Thanks.


  • Netgate Administrator

    Assuming that is the port forwarding rule the destination address should be set to 'WAN addr'.
    You need to have the associated firewall rule box checked also.

    Steve



  • Thanks for the reply.  I made the changes.

    For the Port Forward Rule I have:

    If WAN
    Proto TCP
    Src Addr: *
    Src Ports: *
    Dest Addr: WAN Address
    Dest Port: 81
    NAT IP: 192.168.2.250 (the IP of my web server)
    NAT Ports: 81
    Filter Rule association: Selected the rule for this port

    The filter rule is as follows:

    Pass
    Interface WAN
    TCP/IP IPv4
    Protocol TCP
    Source ANY
    Destination 192.168.1.250/32
    Destination Port range from other, to other (this is grayed out so I can't change it?)

    So I try to open 192.168.1.23:81 on the WAN and I get nothing.  192.168.1.23 is the IP of my pfsense firewall.  Thanks.


  • Netgate Administrator

    Parts of the filter rule are greyed out because it's associated with the port forward rule. If you want to change the port you would do it there.

    The destination IP in the filter rule should be that of your server, 192.168.2.250. Is that a typo?

    I notice your WAN is in a private subnet, have you unchecked 'Block private networks' in Interfaces: WAN: ?

    Look in the firewall log to see if your attempt to access the server is being blocked.

    Steve



  • Does your web server respond to HTTP requests on 81 or 80? The default is 80. If the answer is 80 then in your NAT rule just change the destination address to 80. If the answer is "yes, my web server has been configured to accept HTTP requests on port 81" then you will need to address your web server from outside your network with something like the following: http://YourPublicIpAddress:81.

    If this were me I would make my server answer on port 80 in my LAN so that no one on your LAN has to explicitly specify the port, and then make a NAT rule that allows HTTP connections on port 81 externally.

    If WAN
    Proto TCP
    Src Addr: *
    Src Ports: *
    Dest Addr: *
    Dest Port: 81
    NAT IP: 192.168.2.250 (the IP of my web server)
    NAT Ports: 80
    
    

    One last thing, you didn't mention what operating system you are using for your webserver. I guess it doesn't matter, but if there is a firewall on that webserver make sure it is configured to take requests from outside its subnet.



  • Thanks for all of the help.  The web server in question is actually a home automation server - so it sits on a non-standard port as I only want certain clients to access it.

    How do I determine the external IP for the pfsense firewall?  Is it the IP that shows in the WAN settings? That is showing 192.168.1.23 so I am trying to access the web interface through 192.168.1.23:81 in the 192.168.1.* subnet.

    I have my pfsense behind my router right now - so it is sitting on the 192.168.1.* subnet and then I have the LAN inside configured as 192.168.2.*.  I am doing this mostly for testing right now and will remove the router when all is completed.

    I looked at the firewall log and don't see any requests to 192.168.1.250 (the home automation server), so it appears that I am not hitting the server, so my public IP must be wrong?

    I do notice that I am able to connect to logmein clients behind the firewall - how is that happening without a rule?


  • Netgate Administrator

    @simonmason:

    I do notice that I am able to connect to logmein clients behind the firewall - how is that happening without a rule?

    Probably the clients are connecting to a logmein server somewhere on the public internet and the software is able to relay traffic via that.

    Not seeing anything in the firewall logs is probably a good thing. That indicates it's not blocking any traffic. That still leaves the possibility that the port forward is wrong or that the server is responding correctly. Are there logs in the server you can look at? Is it trying to redirect to https perhaps? As mike suggested above, is the server allowed to respond to requests from outside its subnet?

    The WAN address is shown on the Dashboard or in Status: Interfaces:. How is the WAN address being obtained? DHCP from your router?

    Steve



  • The web server will accept outside of the subnet. It was working fine on the 192.168.1 net, accepting calls from outside the router before moving it into the 192.168.2 net.

    The web server shows no attempts to connect.

    Wan address is dhcp from router right now. I confirmed it is 192.168.1.23.

    On the WAN setup in pfSense there are two checkboxes at the bottom about bogons and accepting requests in or out of subnet.  They are both checked - should they be off?

    It must be something with my rule?


  • Netgate Administrator

    @stephenw10:

    I notice your WAN is in a private subnet, have you unchecked 'Block private networks' in Interfaces: WAN: ?

    ;)

    Private networks must be unchecked since your WAN has a private IP address.

    Steve



  • You have a couple of problems:

    1. You are double NATing, so in order for a request to get to pfSense you will have to port forward 81 to your pfSense box, and then the port forward that you set up on your pfSense box will work.

    2. You will need to know what your true public IP is, you can get this by going to http://www.ipchicken.com

    3. Like stephenw10 said, you will have to tell pfSense not to block private IPs since you have a private IP on your WAN interface. You can do this from the WAN interface: just uncheck 'Block private networks'.

    4. If you don't want to have to port forward two times you can just put your pfSense box in the DMZ of your primary router; that will forward all unsolicited traffic to pfSense. pfSense will only allow the traffic that you port forward to ingress your firewall.

    As far as why logmein is working, I suspect that your server is reporting its IP as a 192.168.x.x which you can get to while you are on your LAN.
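The checks raised across this thread (destination address must be 'WAN Address', the associated filter rule must name the translated host and port, a private WAN address means double NAT and requires 'Block private networks' to be off) can be expressed as a small lint over the rule as the poster wrote it out. The following is an added example, not pfSense code or anything posted in the thread; the rule dictionaries are constructed from the values quoted above, the finding codes are my own naming, and the filter rule's destination port is assumed to be the NAT port (which is what pfSense fills in for an associated rule).

```python
"""Lint a pfSense-style port forward plus its associated filter rule.

Added example: the rule layout and finding codes are this script's own
convention, not a pfSense API. Sample rules below are constructed from the
values quoted in the thread.
"""
import ipaddress

# RFC 1918 space: a WAN address inside it means pfSense sits behind another NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lint_forward(port_forward: dict, filter_rule: dict, wan_ip: str,
                 lan_net: str, block_private_networks: bool) -> list:
    """Return finding codes in a fixed order; [] means nothing obviously wrong."""
    findings = []
    lan = ipaddress.ip_network(lan_net)
    nat_ip = ipaddress.ip_address(port_forward["nat_ip"])

    # The forward must match traffic addressed to the firewall's own WAN IP,
    # not '*' (Steve's first correction in the thread).
    if port_forward["dst_addr"] != "WAN Address":
        findings.append("dst-addr-not-wan-address")

    # The target host must actually live on the LAN side of pfSense.
    if nat_ip not in lan:
        findings.append("nat-ip-outside-lan")

    # The associated filter rule is evaluated after translation, so it must
    # pass traffic to the internal host and the NAT port, not the WAN address
    # and external port. A typo here (192.168.1.250 vs 192.168.2.250) silently
    # blocks the forward.
    if filter_rule["action"] != "pass":
        findings.append("filter-not-pass")
    if ipaddress.ip_address(filter_rule["dst_addr"]) != nat_ip:
        findings.append("filter-dst-mismatch")
    if filter_rule["dst_port"] != port_forward["nat_port"]:
        findings.append("filter-port-mismatch")

    # A private WAN address means an upstream router is also NATing: it must
    # forward (or DMZ) the port to pfSense, and pfSense must not drop the
    # private-source traffic with 'Block private networks'.
    if is_rfc1918(wan_ip):
        findings.append("double-nat-upstream-forward-needed")
        if block_private_networks:
            findings.append("block-private-networks-on-private-wan")
    return findings


# Constructed from the thread: rule as posted after the first round of fixes.
THREAD_FORWARD = {"interface": "WAN", "proto": "tcp", "dst_addr": "WAN Address",
                  "dst_port": 81, "nat_ip": "192.168.2.250", "nat_port": 81}
THREAD_FILTER = {"interface": "WAN", "action": "pass",
                 "dst_addr": "192.168.1.250", "dst_port": 81}  # the typo
WAN_IP = "192.168.1.23"
LAN_NET = "192.168.2.0/24"

# Corrected filter rule and 'Block private networks' unchecked.
FIXED_FORWARD = dict(THREAD_FORWARD)
FIXED_FILTER = dict(THREAD_FILTER, dst_addr="192.168.2.250")


def main():
    for label, fr, block in (("as posted", THREAD_FILTER, True),
                             ("fixed", FIXED_FILTER, False)):
        codes = lint_forward(THREAD_FORWARD, fr, WAN_IP, LAN_NET, block)
        print(f"{label}: {codes or 'no findings'}")


if __name__ == "__main__":
    main()
```

Even the fixed configuration still reports `double-nat-upstream-forward-needed`: that one cannot be cleared inside pfSense at all, only by forwarding port 81 on the upstream router (or placing pfSense in its DMZ) or by removing the upstream router, which is what the poster eventually does.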



  • Thanks for all of the help - I now have it working.  I had turned off blocking of private IPs - but when I couldn't get the rule to work I had set it back thinking that might have been the issue!

    Next I need to get rid of the FIOS router.



  • Good luck on that one, in some areas it's mandatory.

