Opening 3 ports on multi WAN/multi LAN to one computer behind firewall



  • Here is my setup:

    Latest version of pfSense with WAN1 and WAN2 plus LAN1 and LAN2 each on separate network cards. No virtual networks.

    WAN1 and WAN2 are connected via PPPoE and have public IP addresses.

    WAN1 and WAN2 have been set up as load balancing for LAN1.

    I need to be able to connect from the outside to a specific computer on the inside. And I need 3 ports to be opened. The computer has a fixed, internal IP.

    I have set up DDNS via dns.he.net and it is updating correctly on WAN1.

    I have set up ping on WAN1 and if I turn it on, I get answers when I use the DDNS address I set up. So far, everything is correct.

    But I have probably tried so many things over the last weeks that I am getting completely confused as to how this needs to be done. A kind of vertigo, I guess (my native language is not English, so I get some concepts wrong now and then :-)  ). Searching here does not bring up anything that sounds like my setup.

    So I need a little help on how to open the ports (I guess I need to open them on WAN1…?), but also how to make sure that the computer stays with WAN1 as the outgoing gateway, as LAN1 is using load balancing... Or do I need to worry about that at all?

    I feel I am running around in circles right now. The one thing I have made sure of, is that I do not leave any of the rules I have set up active if they do not work. So the firewall is clean and intact :-)

    If you have a little time, I would appreciate some pointers on setting this up. I don't have too much hair left to pull out...



  • If you only plan on connecting to these three ports through WAN1 then you can just create the NAT rules and forward those ports to the computer on your LAN. Just choose the correct WAN connection you want to use under "Interface" and it will work.

    You can create a rule for each WAN connection and forward them to the same LAN IP; then it will allow you to access the same PC from either WAN1's or WAN2's IP.



  • Last answer got lost when trying to save it. So I try again…

    I did not even think of using the NAT part and went straight for the rules section...

    Anyway, I set up a rule, but when I test via a net based testing tool if the port is open, the answer is always no.

    Will try to attach a screenshot here. I changed the addresses, so it should be fine. Feel free to write all over it! Hmmm... The website here is crashing when I try to embed an image...



  • May sound like a dumb question, but have you verified that the port is open on the PC's firewall? Can't tell you how many times I went through all the complicated steps just to overlook what should have been first.



  • @mikeee404:

    May sound like a dumb question, but have you verified that the port is open on the PC's firewall? Can't tell you how many times I went through all the complicated steps just to overlook what should have been first.

    It is a very relevant question, but yes, I have verified it  :)

    Will try again to make a screenshot and find a way to post it.



  • @Oceanwatcher:

    Last answer got lost when trying to save it. So I try again…

    I did not even think of using the NAT part and went straight for the rules section...

    Anyway, I set up a rule, but when I test via a net based testing tool if the port is open, the answer is always no.

    Will try to attach a screenshot here. I changed the addresses, so it should be fine. Feel free to write all over it! Hmmm... The website here is crashing when I try to embed an image...

    Here is a link: http://tinyurl.com/natrules


  • Netgate

    Try changing the destination Type: in the NAT rule from "any" to "WAN address".



  • @Derelict:

    Try changing the destination Type: in the NAT rule from "any" to "WAN address".

    Thank you for the suggestion. Yes, that was the way it was in the beginning. And I changed it again now just to test. Still getting that the port is closed when testing it… (using a web-based testing tool).

    Seriously thinking about disabling WAN2 and test without it to find out if it is the extra wan that is causing problems.

    I enabled ICMP on WAN just to test, and I got ping answer when trying it from my home. But adding the same as a NAT rule and try to get an answer from the PC does not work. I do get an answer from it if I am on the inside of the network using the private IP address...


  • Netgate

    Need more details as to your config. This stuff just works, so without seeing your config it's impossible to know what's not right. WAN interface, LAN interface, WAN rules, LAN rules, ipconfig /all (or equivalent) on the server, etc.

    Anyway, I set up a rule, but when I test via a net based testing tool if the port is open, the answer is always no.

    What does this testing tool do? If it's a web page that tests your source IP address for an open port, you might be egressing on the other WAN and screwing it up.
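
    The pitfall in the reply above is that a web-page "open port" tester probes whichever public address your browser's request egressed from, which on a load-balanced LAN1 may be WAN2 while the forward is bound to WAN1. The following script, added here as an illustration and not code from the thread or from pfSense, is run from a host outside the firewall and probes the DDNS name explicitly, so it tests the address the NAT rule is actually attached to. The hostname and the three ports are constructed placeholders. A completed handshake means the port forward, its linked WAN firewall rule and the host firewall all pass; an immediate refusal means the packet reached the PC but nothing is listening; a timeout points at a drop somewhere in the chain (or at the reply leaving via the other WAN).

```python
"""
Probe the forwarded ports by DDNS name from OUTSIDE the pfSense box.

Added example, not code from the original thread.  DDNS_HOST and PORTS
are placeholders; replace them with the dns.he.net name and the three
forwarded ports.
"""
import contextlib
import socket

DDNS_HOST = "example.dyn.invalid"   # constructed placeholder
PORTS = (8080, 8443, 2222)          # constructed placeholder


def resolve_ipv4(host):
    """Return the first IPv4 address for host, or None if it does not resolve."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return infos[0][4][0] if infos else None


def check_port(ip, port, timeout=3.0):
    """Classify a TCP probe: 'open', 'refused' (RST) or 'filtered' (no answer).

    'open'     -> NAT rule, WAN firewall rule and host firewall all pass.
    'refused'  -> packet reached a host, but nothing listens on that port.
    'filtered' -> dropped somewhere, or the reply left through the other WAN.
    """
    with contextlib.closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((ip, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "filtered"


def check_forwards(ip, ports, timeout=3.0):
    """Probe every port in ports against ip; returns {port: status}."""
    return {p: check_port(ip, p, timeout) for p in ports}


def local_demo():
    """Offline self-check on loopback: one listening port, one closed port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                      # kernel completes the handshake without accept()
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                           # port is now free, so a connect gets an RST

    try:
        return (check_port("127.0.0.1", open_port, 1.0),
                check_port("127.0.0.1", closed_port, 1.0))
    finally:
        listener.close()


if __name__ == "__main__":
    ip = resolve_ipv4(DDNS_HOST)
    if ip is None:
        raise SystemExit(f"{DDNS_HOST} does not resolve; check the DDNS client on WAN1")
    for port, status in check_forwards(ip, PORTS).items():
        print(f"{ip}:{port} {status}")
```

    Run it from a VPS or a tethered laptop, not from LAN1: a probe from inside the network hits the private address path, which is why a ping from inside works in the thread while the external test says "closed". If every port comes back "filtered" while ICMP to WAN1 answers, the next things to compare are the NAT rule's interface (WAN1) and destination ("WAN address"), the firewall rule it linked on WAN1, and whether the PC's outbound traffic is leaving via WAN1 or WAN2.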



  • What version of pfSense are you running? If it's 2.2 beta then I believe there is a problem there. I have had issues as well. If you are running 2.1.5 then it should be pretty straightforward.



  • @mikeisfly:

    If it's 2.2 beta then I believe there is a problem there. I have had issues as well. If you are running 2.1.5 then it should be pretty straightforward.

    Exactly, we are awaiting the fix in 2.2 beta.