Newbie question, new install, port forwarding not working



  • Hello there:

    Reinstalled Pfsense from scratch and started over a few times, still cannot seem to get port forwarding working.

    I have one workstation on each end, plugged directly into WAN, and another workstation directly plugged into LAN.

    Yes, I have read the Wiki on troubleshooting port forwarding.

    Looking at the logs, I do see connections to the LAN server.  Wondering if we have a routing issue, or something simple that I am missing.  Any thoughts?

    NAT:

    *    *  WAN address  8022  192.168.4.100  22
    *    *  WAN address  80    192.168.4.100  80

    Rules:

    *    *  192.168.4.100  22
    *    *  192.168.4.100  80

    WAN 172.16.0.254/24  GW 172.16.0.1
    LAN  192.168.4.250/24  GW 192.168.4.100

    For both interfaces, I've unchecked 'block private' and 'block bogon'.

    NAT reflection + proxy is enabled.

    Using this firewall internally, to connect to private networks.

    Thank you.



  • If the internal server LAN address is 192.168.4.100/24 and the pfSense LAN IP is 192.168.4.254/24, that LAN server should have a gateway address of the pfSense LAN IP.

    I try to understand your setup like this:

    Workstation A ----- WAN pfsense LAN ----- Workstation B

    A: IP 172.16.0.1 netmask 255.255.255.0 gateway 172.16.0.1/24
    B: IP 192.168.4.100 netmask 255.255.255.0 gateway 192.168.4.250/24

    Pfsense WAN: 172.16.0.1/24
    Pfsense LAN: 192.168.4.250/24

    If that's not what you meant, please make topology drawings for a better understanding of your issues.

    Rgds
    julius



  • Yes, Julius, what you have described is accurate.

    And yes, I have the LAN server pointing to 192.168.4.250 as its default gateway.

    Also, thought I read something about on Pfsense itself (configured in the web gui), to not have a default gateway for the LAN interface or something like that.  Think I tried that already though, then changed it back.

    I've got to be missing something simple here, rebuilt this thing a few times already.

    Looking at the logs, I do see successful connections to 192.168.4.100.  I've also run tcpdump as well, didn't see any errors.

    Thank you for your help.



  • I have made a mistake on workstation A, its gateway IP should be pfsense WAN address. Pfsense LAN should not have gateway. You can try auto NAT on outbound, then create port forwarding from source any, destination WAN address with port you want, to redirect to the workstation B port 80.

    Don't use proxy. A fresh install of pfSense should work out of the box; enabling auto NAT outbound, setting forwarding, and firewall rules should be sufficient.

    Check also on the pfsense LAN firewall rule, you should open all traffic from LAN side to any for now. I did a simulation on virtual environment and it works ok.

    Do not check the option to block private networks on the WAN interface.

    Below are some snips of the setup I did:

    192.168.1.0/24 (WAN Subnet) ----- (WAN) pfsense (INTNET0) ----- 192.168.10.0/24 (LAN SUBNET)

    My Computer on WAN: 192.168.1.10/24 gateway (pfsense WAN)
    Server on LAN: 192.168.10.100/24 gateway (pfsense INTNET0)

    pfsense WAN: 192.168.1.100/24 (no gateway, disable block private networks)
    pfsense INTNET0: 192.168.10.1 (no gateway)

    a. Don't forget to check the 'Enable interface' option on pfSense.
    b. Once all machines are interconnected, do a test ping from pfSense to My Computer and Server on LAN.
    c. Check Auto NAT outbound on WAN interface.
    d. Create port forwarding rules.
    e. Create firewall rules on the WAN interface; this is usually created automatically during port forwarding rule setup.
    f. Allow all traffic originating from LAN subnet to any.

    That configuration is successful on my side, and of course, do change the IP addressing as you want. The most important thing is to not enable the block private networks option on the WAN interface, since you are using private networks on both WAN and LAN.

    Hope that helps.


  • Banned

    Stop assigning gateways on your LAN!



  • Removed gateways from both LAN and WAN, but that seems counterintuitive to me (the WAN side to have no default gateway).  Also FYI, afterwards, if I try to ping through the firewall from 192.168.4.100 to 172.16.0.1, I get 'no route to host' on the server.

    I can however ping the LAN interface from the LAN side, and ping the WAN interface from the WAN side.

    Local firewalls on server and workstation are both disabled.

    Also configured NAT to 'pure NAT'.

    All 'block bogons' and 'block private networks' are unchecked.

    So frustrating, I have a ton of firewall experience, but to no avail.  Feel like I am missing something simple here.

    Anything else I should be looking at?

    Thank you.


  • Banned

    Sigh. You should NOT remove gateways from your WAN. Where did you get that idea in the first place?

    Stop assigning gateways on your LAN!



  • I don't know, think somebody suggested it at some point.

    WAN gateway put back in place.  Still no dice.



  • Also, I have IPv6 disabled completely fyi.



  • I did suggest to remove wan gateway, try putting pfsense in router mode.

    I've tested on a similar setup to your issue, as follows:

    pfSense:
    WAN: 172.16.0.1/24 gateway 172.16.0.254

    LAN:
    192.168.4.250/24, NO GATEWAY

    NAT+Proxy Reflection Mode
    Auto Outbound NAT rule generation
    pfSense Webconfiguration port 88

    Forwarding Rules:
    WAN Address port 80 to 192.168.4.100 port 80
    WAN Address port 8022 to 192.168.4.100 port 22

    WAN rules:
    Allow any to WAN address port 88 tcp (for webconfigurator)
    2 other rules generated automatically during port forwarding

    LAN Firewall Rules:
    Allow any to any, proto any.

    -------

    Workstation A connected to pfsense WAN:
    IP: 172.16.0.254/24 gateway 172.16.0.1

    Workstation B connected to pfsense LAN:
    IP: 192.168.4.100/24 gateway 192.168.4.250
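
The addressing rules argued over in this thread can be checked mechanically. The following is an added example, not something any poster wrote: `check_lab`, `POSTED` and `TESTED` are hypothetical names, and the two inputs are constructed from the addresses quoted in the first post and in the tested setup just above.

```python
import ipaddress

def check_lab(fw, hosts):
    """Return findings for a WAN/LAN firewall lab like the one in this thread."""
    findings = []
    fw_if = {side: ipaddress.ip_interface(c["ip"]) for side, c in fw.items()}

    # Advice repeated in the thread: the firewall's LAN interface gets no gateway.
    if fw["lan"].get("gw"):
        findings.append("firewall lan: gateway %s set, expected none" % fw["lan"]["gw"])

    # A WAN gateway must be on-link and must not be the firewall's own address.
    wan_gw = fw["wan"].get("gw")
    if wan_gw:
        gw = ipaddress.ip_address(wan_gw)
        if gw not in fw_if["wan"].network:
            findings.append("firewall wan: gateway %s is off-link" % gw)
        elif gw == fw_if["wan"].ip:
            findings.append("firewall wan: gateway is its own address")

    for name, h in hosts.items():
        host_if = ipaddress.ip_interface(h["ip"])
        side_if = fw_if[h["side"]]
        if host_if.network != side_if.network:
            findings.append("%s: not in the firewall's %s subnet" % (name, h["side"]))
        if host_if.ip == side_if.ip:
            findings.append("%s: same address as the firewall's %s interface" % (name, h["side"]))
        # Forwarded connections keep the client's source address, so the LAN
        # server must send its replies back through the firewall's LAN address.
        if h["side"] == "lan" and h.get("gw") != str(side_if.ip):
            findings.append("%s: default gateway is %s, expected %s" % (name, h.get("gw"), side_if.ip))
    return findings

# Constructed inputs built from addresses quoted in the thread.
POSTED = check_lab(
    {"wan": {"ip": "172.16.0.254/24", "gw": "172.16.0.1"},
     "lan": {"ip": "192.168.4.250/24", "gw": "192.168.4.100"}},
    {"A": {"ip": "172.16.0.1/24", "side": "wan"},
     "B": {"ip": "192.168.4.100/24", "gw": "192.168.4.250", "side": "lan"}})

TESTED = check_lab(
    {"wan": {"ip": "172.16.0.1/24", "gw": "172.16.0.254"},
     "lan": {"ip": "192.168.4.250/24", "gw": None}},
    {"A": {"ip": "172.16.0.254/24", "gw": "172.16.0.1", "side": "wan"},
     "B": {"ip": "192.168.4.100/24", "gw": "192.168.4.250", "side": "lan"}})

if __name__ == "__main__":
    for label, result in (("posted", POSTED), ("tested", TESTED)):
        print(label, result or "no findings")
```

The checker only covers addressing and gateways; NAT and firewall rule order still have to be verified in the pfSense GUI and logs.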



  • How do I put pfsense in 'router mode'?

    Otherwise, I'll set up as you've recommended below, though it's not much different than what I have already set up.

    Thank you.


  • Banned

    This really just works. No need to disable firewall, use router mode, no need for any manual outbound NAT or any similar nonsense.



  • Uhm. Can I know how to set pfsense on router mode? Thanks! I can't get my WAN to work with my static WAN IP.

