Netgate Discussion Forum

Firewall rules not working (SSH/HTTP)

    Blaze9
    last edited by Apr 15, 2015, 7:08 AM

    Hey guys,

    I've set up a pfSense server on a station with 4 NICs. (wan, lan, opt1, opt2). My WAN is supplied by my university, and my WAN IP of the box is 10.147.2.10 (supplied by uni's DHCP). I'm trying to access the pfSense box from the WAN (from a machine "WS1" who has an IP of 10.147.4.110). I have created the following firewall rules:

    Action -> Pass
    Interface -> WAN
    TCP/IP -> IPv4
    Protocol -> TCP
    Source -> WAN Address
    Dest -> WAN Address
    Port Range -> 9090 (what I set the webUI server to use)

    I hit save and then apply. However, when I try to access the webUI from WS1 I get a cannot load page, connection timed out.

    I also tried setting up remote SSH to the box with the same setup as before aside from the change of ports (9191 for example) but I can't SSH into the box either.

    I have a cluster of blades sitting on the LAN port, and I configured NAT forwarding for a few SSH servers on the blades. I can access those blades from WS1. But I can't SSH into pfSense…

    Can anyone help me out here? My LAN NAT rules are working perfectly. SSH/HTTP/SQL on the blade cluster are able to be accessed using the pfSense box's WAN IP from WS1, however I cannot access the pfSense HTTP/SSH servers from WAN at all. I can access pfSense HTTP/SSH from all 3 NICs (LAN/OPT1/OPT2).

    Thank you for your help.

      Derelict LAYER 8 Netgate
      last edited by Apr 15, 2015, 7:27 AM

      Source should be any unless you want to allow connections only from 10.147.4.110, in which case source should be Single host or alias: 10.147.4.110

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

        Blaze9
        last edited by Apr 15, 2015, 7:42 AM Apr 15, 2015, 7:38 AM

        @Derelict:

        Source should be any unless you want to allow connections only from 10.147.4.110, in which case source should be Single host or alias: 10.147.4.110

        Sorry, yes, the source is the 10.147.4.110, not WAN address, that was a typo. I also set it to any, but still nothing.

        I went to the firewall log, and added the pass rule from there, didn't do anything either. Under firewall log, if I click the info button for the attempted connection, it says cannot resolve under the WAN ip of the pfSense box.

        From LAN, OPT1 and OPT2 I can access the webUI using the WAN IP of the box "10.147.2.177", but from outside the LANs I still can't.

          Derelict LAYER 8 Netgate
          last edited by Apr 15, 2015, 7:47 AM

          Are you sure this isn't some isolation or filtering done on the "WAN" network?

            Blaze9
            last edited by Apr 15, 2015, 7:49 AM

            What do you mean by isolation or filtering? Do you mean that the university is blocking access? I don't think that's the case because I am able to access the blade cluster sitting behind the pfSense box using the WAN IP of the pfSense box from WS1.

              Derelict LAYER 8 Netgate
              last edited by Apr 15, 2015, 7:51 AM

              Filtering on the "WAN" that prevents clients on the same network from communicating.

              Do you have Block private networks disabled on WAN?

                Blaze9
                last edited by Apr 15, 2015, 7:54 AM

                @Derelict:

                Filtering on the "WAN" that prevents clients on the same network from communicating.

                Do you have Block private networks disabled on WAN?

                DOH! So simple. Thank you so much!!!

                1 Reply Last reply Reply Quote 0
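
Added example, not written by either poster and not pfSense's own code: a simplified model of how a WAN rule set treats the connection from WS1 discussed in this thread, showing why a pass rule with source "WAN address" never matches and why "Block private networks" drops a 10.x client before any user pass rule is consulted. The `PassRule` class and `evaluate` function are hypothetical names; the addresses and port are the ones given in the first post, and the model assumes the interface option is checked ahead of user rules and covers only the RFC 1918 IPv4 ranges.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges the "Block private networks" option is modelled as rejecting.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WAN_ADDRESS = ipaddress.ip_address("10.147.2.10")   # pfSense WAN IP (first post)
WS1 = ipaddress.ip_address("10.147.4.110")          # client on the WAN side
WEBUI_PORT = 9090                                   # webUI port (first post)

@dataclass
class PassRule:
    """Hypothetical stand-in for one user-defined WAN pass rule."""
    source: str      # "any", "wan_address", or a single host IP
    dest_port: int

    def matches(self, src, dport):
        if dport != self.dest_port:
            return False
        if self.source == "any":
            return True
        if self.source == "wan_address":
            # "WAN address" is the firewall's own IP, never a remote client.
            return src == WAN_ADDRESS
        return src == ipaddress.ip_address(self.source)

def evaluate(src, dport, user_rules, block_private):
    """Return (verdict, reason) for a TCP connection arriving on WAN."""
    # Assumption: the interface option is evaluated before user rules.
    if block_private and any(src in net for net in RFC1918):
        return ("block", "Block private networks")
    for rule in user_rules:
        if rule.matches(src, dport):
            return ("pass", "user rule, source=" + rule.source)
    return ("block", "default deny")

def scenarios():
    """The three configurations that come up in the thread."""
    return {
        "source=WAN address": evaluate(
            WS1, WEBUI_PORT, [PassRule("wan_address", WEBUI_PORT)], False),
        "source=any, block private on": evaluate(
            WS1, WEBUI_PORT, [PassRule("any", WEBUI_PORT)], True),
        "source=WS1, block private off": evaluate(
            WS1, WEBUI_PORT, [PassRule("10.147.4.110", WEBUI_PORT)], False),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(name, "->", result)
```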