Netgate Discussion Forum

    Newbie - Trying to do a web forward

      simonmason

      I am trying to add a NAT to get to a machine behind my firewall that is running on port 81.  I added the following rule:

      If WAN
      Proto TCP
      Src Addr: *
      Src Ports: *
      Dest Addr: *
      Dest Port: 81
      NAT IP: 192.168.2.250 (the IP of my web server)
      NAT Ports: 81

      This does not appear to be working.  My pfsense firewall has the IP of 192.168.1.23 on my WAN (it is behind my Verizon router currently while I test it).  When I ping this IP in the WAN I get no response.

      I went through the tutorials - unfortunately most of the port forwarding links I looked at refer to older versions and are not much help.  What am I doing wrong?  Thanks.

        stephenw10 Netgate Administrator

        Assuming that is the port forwarding rule, the destination address should be set to 'WAN addr'.
        You need to have the associated firewall rule box checked also.

        Steve

          simonmason

          Thanks for the reply.  I made the changes.

          For the Port Forward Rule I have:

          If WAN
          Proto TCP
          Src Addr: *
          Src Ports: *
          Dest Addr: WAN Address
          Dest Port: 81
          NAT IP: 192.168.2.250 (the IP of my web server)
          NAT Ports: 81
          Filter Rule association: Selected the rule for this port

          The filter rule is as follows:

          Pass
          Interface WAN
          TCP/IP IPv4
          Protocol TCP
          Source ANY
          Destination 192.168.1.250/32
          Destination Port range from other, to other (this is grayed out so I can't change?)

          So I try to open 192.168.1.23:81 on the WAN and I get nothing.  192.168.1.23 is the IP of my pfsense firewall.  Thanks.

            stephenw10 Netgate Administrator

            Parts of the filter rule are greyed out because it's associated with the port forward rule. If you want to change the port you would do it there.

            The destination IP in the filter rule should be that of your server, 192.168.2.250. Is that a typo?

            I notice your WAN is in a private subnet, have you unchecked 'Block private networks' in Interfaces: WAN: ?

            Look in the firewall log to see if your attempt to access the server is being blocked.

            Steve

              mikeisfly

              Does your web server respond to HTTP requests on 81 or 80? The default is 80. If the answer is 80, then in your NAT rule just change the destination address to 80. If the answer is yes, my web server has been configured to accept HTTP requests on port 81, then you will need to address your web server from outside your network with something like the following: http://YourPublicIpAddress:81.

              If this were me, I would make my server answer on port 80 in my LAN so that way no one on your LAN has to explicitly specify the port, and then make a NAT rule that allows HTTP connections on port 81 externally.

              If WAN
              Proto TCP
              Src Addr: *
              Src Ports: *
              Dest Addr: *
              Dest Port: 81
              NAT IP: 192.168.2.250 (the IP of my web server)
              NAT Ports: 80
              
              

              One last thing, you didn't mention what operating system you are using for your webserver. I guess it doesn't matter, but if there is a firewall on that webserver make sure it's configured to take requests from outside its subnet.

                simonmason

                Thanks for all of the help.  The web server in question is actually a home automation server - so it sits on a non-standard port as I only want certain clients to access it.

                How do I determine the external IP for the pfsense firewall?  Is it the IP that shows in the WAN settings? That is showing 192.168.1.23 so I am trying to access the web interface through 192.168.1.23:81 in the 192.168.1.* subnet.

                I have my pfsense behind my router right now - so it is sitting on the 192.168.1.* subnet and then I have the LAN inside configured as 192.168.2.*.  I am doing this mostly for testing right now and will remove the router when all is completed.

                I looked at the firewall log and don't see any requests to 192.168.1.250 (the home automation server) so this appears that I am not hitting the server so my public IP must be wrong?

                I do notice that I am able to connect to logmein clients behind the firewall - how is that happening without a rule?

                  stephenw10 Netgate Administrator

                  @simonmason:

                  I do notice that I am able to connect to logmein clients behind the firewall - how is that happening without a rule?

                  Probably the clients are connecting to a logmein server somewhere on the public internet and the software is able to relay traffic via that.

                  Not seeing anything in the firewall logs is probably a good thing. That indicates it's not blocking any traffic. That still leaves the possibility that the port forward is wrong or that the server is responding correctly. Are there logs in the server you can look at? Is it trying to redirect to https perhaps? As mike suggested above, is the server allowed to respond to requests from outside its subnet?

                  The WAN address is shown on the Dashboard or in Status: Interfaces:. How is the WAN address being obtained? DHCP from your router?

                  Steve

                    simonmason

                    The web server will accept outside of the subnet. It was working fine on the 192.168.1 net, accepting calls from outside the router before moving it into the 192.168.2 net.

                    The web server shows no attempts to connect.

                    Wan address is dhcp from router right now. I confirmed it is 192.168.1.23.

                    On the wan setup in pfsense there are two checkboxes at the bottom about bogo and accepting requests in or out of subnet.  They are both checked - should they be off?

                    It must be something with my rule?

                      stephenw10 Netgate Administrator

                      @stephenw10:

                      I notice your WAN is in a private subnet, have you unchecked 'Block private networks' in Interfaces: WAN: ?

                      ;)

                      Private networks must be unchecked since your WAN has a private IP address.

                      Steve

                        mikeisfly

                        You have a couple of problems:

                        1. You are double NATing, so in order for a request to get to pfSense you will have to port forward 81 to your pfSense box, and then the port forward that you set up on your pfSense box will work.

                        2. You will need to know what your true public IP is; you can get this by going to http://www.ipchicken.com

                        3. Like stephenw10 said, you will have to tell pfSense not to block private IPs since you have a private IP on your WAN interface. You can do this from the WAN interface; just uncheck block private IPs.

                        4. If you don't want to have to port forward two times, you can just put your pfSense box in the DMZ of your primary router; that will forward all unsolicited traffic to pfSense. pfSense will only allow the traffic that you port forward to ingress your firewall.

                        As far as why logmein is working, I suspect that your server is reporting its IP as a 192.168.x.x, which you can get to while you are on your LAN.

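The checks raised in this thread, as an added example that is not part of any post and is not pfSense code: a small Python model of a connection passing the upstream router, the port forward, 'Block private networks' and the associated filter rule. The dict layout, the function names and the client addresses 192.168.1.50 and 198.51.100.7 are constructed for illustration; bogon blocking is not modelled.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Addresses and ports are from the thread; the dict layout is hypothetical.
# block_private=True is the state in which the poster's test failed.
PFSENSE = {
    "wan_addr": "192.168.1.23",
    "block_private": True,  # 'Block private networks' on the WAN interface
    "port_forward": {"dest": "WAN address", "dest_port": 81,
                     "nat_ip": "192.168.2.250", "nat_port": 81},
    "filter_rule": {"dest": "192.168.2.250", "dest_port": 81},
}

def wan_inbound(cfg, src, dst, dport):
    """Return (verdict, detail) for a TCP connection arriving on the WAN."""
    fwd = cfg["port_forward"]
    # The port forward is applied before the filter rules, so the filter
    # rule has to match the translated (internal) destination.
    match_dst = cfg["wan_addr"] if fwd["dest"] == "WAN address" else fwd["dest"]
    if dst == match_dst and dport == fwd["dest_port"]:
        dst, dport = fwd["nat_ip"], fwd["nat_port"]
    # 'Block private networks' drops traffic by its RFC 1918 source address.
    src_private = any(ipaddress.ip_address(src) in net for net in RFC1918)
    if cfg["block_private"] and src_private:
        return ("block", "Block private networks: source " + src)
    rule = cfg["filter_rule"]
    if (dst, dport) == (rule["dest"], rule["dest_port"]):
        return ("pass", "%s:%d" % (dst, dport))
    return ("block", "no pass rule for %s:%d" % (dst, dport))

def from_internet(cfg, upstream_forwards, src, dport):
    """Double NAT: the upstream router must forward the port to pfSense first."""
    inner = upstream_forwards.get(dport)
    if inner is None:
        return ("block", "upstream router has no forward for port %d" % dport)
    return wan_inbound(cfg, src, inner, dport)

def thread_scenarios():
    """Constructed clients: 192.168.1.50 beside the WAN, 198.51.100.7 outside."""
    opened = {**PFSENSE, "block_private": False}
    typo = {**opened, "filter_rule": {"dest": "192.168.1.250", "dest_port": 81}}
    return {
        "wan_subnet_blocked": wan_inbound(PFSENSE, "192.168.1.50", "192.168.1.23", 81),
        "wan_subnet_open": wan_inbound(opened, "192.168.1.50", "192.168.1.23", 81),
        "rule_dest_typo": wan_inbound(typo, "192.168.1.50", "192.168.1.23", 81),
        "no_upstream_fwd": from_internet(opened, {}, "198.51.100.7", 81),
        "both_forwards": from_internet(opened, {81: "192.168.1.23"}, "198.51.100.7", 81),
    }
```
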
                          simonmason

                          Thanks for all of the help - I now have it working.  I had turned off blocking of private IPs - but when I couldn't get the rule to work I had set it back thinking that might have been the issue!

                          Next I need to get rid of the FIOS router.

                            mikeisfly

                            Good luck on that one, in some areas it's mandatory.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.