Netgate Discussion Forum
    Cannot access internet from LAN

Rewt0r:

Problem seems to be sorted after adding an outbound rule into the NAT and rebooting the devel VM.
Rewt0r:

Hmm, although I'm now able to access the outside world from this VM with its allocated WAN IP address, I'm unable to SSH into this box. I've added a firewall pass rule for my IP address with the destination set as the VM's WAN IP.

What's weird is that I tried SSH'ing via the pfSense shell and this just created another SSH to pfSense?! I'm guessing something isn't being forwarded quite right, but not sure what?
stephenw10 (Netgate Administrator):

Incoming packets on WAN hit the port forwarder before the firewall, in logical terms. So your firewall rule for a forwarded ssh session should have as the destination the internal IP of the vm.

Steve
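Steve's ordering point, as an added example (not code from the thread or from pfSense): a small Python model of pf's inbound evaluation on WAN, using constructed addresses, showing that a WAN pass rule whose destination is the VM's public IP never matches, because 1:1 NAT has already rewritten the destination to the internal address before the filter rules run.

```python
# Added example (not pfSense code): minimal model of pf's inbound order on WAN.
# Translation (1:1 NAT / port forward, pf "rdr") is applied BEFORE filter rules
# are matched. All addresses are constructed documentation-range values.
from dataclasses import dataclass
from typing import List, Optional

# Constructed 1:1 NAT mapping: external WAN IP -> internal LAN IP of the dev VM
ONE_TO_ONE_NAT = {"203.0.113.10": "10.0.0.10"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str                     # source address or "any"
    dst: str                     # destination address or "any"
    dport: Optional[int] = None  # None matches any destination port


def translate_inbound(pkt: Packet) -> Packet:
    """Rewrite the destination per 1:1 NAT, as pf does before filtering."""
    internal = ONE_TO_ONE_NAT.get(pkt.dst)
    return Packet(pkt.src, internal, pkt.dport) if internal else pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("any", pkt.src)
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def filter_inbound(rules: List[Rule], pkt: Packet) -> str:
    """First-match-wins over the *translated* packet; WAN defaults to block."""
    translated = translate_inbound(pkt)
    for rule in rules:
        if matches(rule, translated):
            return rule.action
    return "block"


def wan_ssh_verdict(rule_dst: str, admin_ip: str = "198.51.100.7") -> str:
    """Verdict for the admin's SSH to the VM's public IP, given the
    destination written into the single WAN pass rule."""
    rules = [Rule("pass", admin_ip, rule_dst, 22)]
    return filter_inbound(rules, Packet(admin_ip, "203.0.113.10", 22))
```

A rule written against the public IP is what the thread's "firewall was rejecting the packets" symptom looks like; the same rule with the private destination passes.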
Rewt0r:

Hi Stephen,

I was under the impression that if I add a port forward rule for SSH and route it to the development VM, I will no longer be able to SSH into any of the other VMs? If that's the case, that isn't what I want. I want to be able to SSH into any VM that's attached to pfSense by using that VM's external IP.

Is this possible?

Cheers
stephenw10 (Netgate Administrator):

Normally this is handled by the 1:1 NAT setup, which just port forwards all ports incoming. Like that, however, you can set the port forward to catch only packets with the destination IP of whichever address you're using for the external IP correlating to the VM. You can have port forwards for each external IP, all for SSH.
How are you testing this? If this is a firewall rules problem (normally the 1:1 NAT setting handles that for you) then you will see the traffic being blocked in the firewall logs.
Are you trying to test this from a machine on the pfSense LAN side? If so then see this:
https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks%3F

Steve
Rewt0r:

I've created a port forwarding rule from any source to the destination of the development VM's external IP that redirects to the internal NAT IP of the dev VM on the SSH port, and it doesn't seem to work.

And I'm testing from my machine, which isn't on the same network. I will check the firewall logs and see if they contain anything.
Rewt0r:

Ahh, never mind, I'd forgotten to set the source port to 'any' (just woken up!). I'm now getting SSH into the dev VM, but the question is, why doesn't the NAT 1:1 mapping do this automatically? Why do I need to add a port forward for a NAT 1:1 when I've added a pass rule?
stephenw10 (Netgate Administrator):

Good question. You shouldn't need a port forward rule; the 1:1 NAT should be forwarding the port anyway. Did you try it before you added a rule?
Do the logs show anything? If it's not a firewall issue it could be an asymmetric routing problem; perhaps your ssh client is not happy that returning packets are arriving from a different address (if they are).

Steve
Rewt0r:

The firewall was rejecting the packets until I forwarded the packet using a forward rule, even though I already had a firewall pass rule and a NAT 1:1.
cmb:

@Rewt0r:

The firewall was rejecting the packets until I forwarded the packet using a forward rule, even though I already had a firewall pass rule and a NAT 1:1.

Then your firewall rule was wrong. NAT applies first; the private destination is probably what you missed.