    Firewall (nat) -> pfsense-FW -> local computers (How do i forward ports?)

    General pfSense Questions
    • kallegr

      Hello,

      We've got a Fortinet firewall with 3 interfaces (WAN, LAN, DMZ). There are port forwardings from WAN to LAN!!!

      WAN (Internet)
      (((Fortinet)))  DMZ (192.168.1.1)
      LAN (10.10.10.1) 
        |
      local computers/fileserver (10.10.10.x/24)

      At the moment there are normal computers and some servers (file server, SQL server) on the LAN (10.10.10.1).

      Now we would like to implement pfSense with captive portal between the LAN on the Fortinet firewall and the local computers.

      The new configuration should look a bit like this:

      WAN
      (((Fortinet))) DMZ (192.168.1.1) -- DMZ (192.168.1.x/24)
      LAN
        |
      WAN
      (((pfsense)))
      LAN (10.10.10.1)
        |
      local computers (10.10.10.x/24)

      Some conditions:
      1. The Fortinet will stay.
      2. Bridging the WAN/LAN ports on pfSense is not an option, as the transparent proxy won't work with that.
      3. The subnet of the LAN (10.10.10.x) cannot be changed.

      • How can I do the port forwarding from WAN to LAN (10.10.10.x) if there is a new pfSense between the Fortinet and the local computers?
      • Local computers (10.10.10.x) should be able to reach the DMZ (192.168.1.x). I think this will work with routing...

      The main problem is: how do I forward ports from WAN (Fortinet) to LAN (10.10.10.x) behind the pfSense firewall…

      Thank you

      kallegr

      • Derelict LAYER 8 Netgate

        @kallegr:


        • How can I do the port forwarding from WAN to LAN (10.10.10.x) if there is a new pfSense between the Fortinet and the local computers?

        That's a question for Fortinet, since that's where NAT is going to have to happen between the Fortinet WAN and 10.10.10.X.

        • Local computers (10.10.10.x) should be able to reach the DMZ (192.168.1.x). I think this will work with routing…

        The main problem is: how do I forward ports from WAN (Fortinet) to LAN (10.10.10.x) behind the pfSense firewall…

        Fortinet problem.  You should just disable NAT on pfSense and tell your fortinet to route 10.10.10.X to whatever pfSense's WAN address is on LAN.  I know exactly what NAT rules and routes you would need on pfSense.  Fortinet, not so much.  Sorry.

        And I'm not sure you're using the term port forwarding correctly.  Port forwarding usually implies inbound connections on WAN forwarded to private hosts.  Doing that to captive portal-bound hosts that might or might not have an active captive portal entry sounds like a total cluster.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
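To show why the answer above says to disable NAT on pfSense rather than just adding a route, here is an added Python model (not code from the thread, from Netgate or from Fortinet): a stateful Fortinet that keeps its existing WAN-to-10.10.10.x port forward and a static route for 10.10.10.0/24 to pfSense's WAN address, with pfSense either translating or plainly routing the server's replies. The addresses 203.0.113.10, 172.16.0.2, 10.10.10.20 and 198.51.100.7 are constructed assumptions.

```python
from typing import NamedTuple, Optional

# Constructed addresses for the example (assumptions, not taken from the thread).
FORTI_WAN = "203.0.113.10"   # Fortinet WAN, where the existing port forward listens
PFS_WAN = "172.16.0.2"       # pfSense WAN on a new transit subnet off the Fortinet LAN
SERVER = "10.10.10.20"       # file server on the pfSense LAN
CLIENT = "198.51.100.7"      # Internet client

class Pkt(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class Fortinet:
    """Stateful firewall that keeps its existing WAN->LAN port forward (DNAT to 10.10.10.x)."""
    def __init__(self, route_to_pfsense: bool):
        self.route_to_pfsense = route_to_pfsense  # static route 10.10.10.0/24 -> PFS_WAN
        self.sessions: dict = {}                  # translated 4-tuple -> original dst

    def inbound(self, p: Pkt) -> Optional[Pkt]:
        if (p.dst, p.dport) != (FORTI_WAN, 443):
            return None
        fwd = Pkt(p.src, p.sport, SERVER, 443)
        self.sessions[fwd] = p.dst
        # Without a route the DNATed packet has no next hop towards 10.10.10.0/24.
        return fwd if self.route_to_pfsense else None

    def reply(self, p: Pkt) -> Optional[Pkt]:
        # A reply only matches the session if it comes from the translated address.
        key = Pkt(p.dst, p.dport, p.src, p.sport)
        if key not in self.sessions:
            return None  # no matching session: a stateful firewall drops it
        return Pkt(self.sessions[key], 443, p.dst, p.dport)

def pfsense_lan_to_wan(p: Pkt, outbound_nat: bool) -> Pkt:
    """pfSense forwards LAN->WAN; with outbound NAT it rewrites the source to its WAN IP."""
    return Pkt(PFS_WAN, 40000, p.dst, p.dport) if outbound_nat else p

def forwarded_session_works(outbound_nat: bool, route_to_pfsense: bool = True) -> bool:
    """True if a client hitting the Fortinet port forward gets the server's reply back."""
    forti = Fortinet(route_to_pfsense)
    p = forti.inbound(Pkt(CLIENT, 51515, FORTI_WAN, 443))
    if p is None or p.dst != SERVER:
        return False
    # pfSense routes the packet to the server (a WAN rule passing SERVER:443 is assumed),
    # the server answers, and pfSense sends the answer back towards the Fortinet.
    reply = pfsense_lan_to_wan(Pkt(p.dst, p.dport, p.src, p.sport), outbound_nat)
    back = forti.reply(reply)
    return back is not None and back.src == FORTI_WAN and back.dst == CLIENT
```

With outbound NAT left on, the server's reply reaches the Fortinet from 172.16.0.2 instead of 10.10.10.20, matches no session and is dropped; with NAT off and the route in place the forward keeps working exactly as before pfSense was inserted.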

        • kallegr

          Thank you!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.