WAN to LAN access
-
I'm trying to map an external IP address from my ISP to an internal IP address of a server for remote access by others. The external IP is on a different subnet mask from my internal IP address.
I thought I had it figured out but I'm still not getting the connection.
I made a NAT rule on the WAN interface, Source any, Destination type as network with the external IP address and the /29 subnet mask (255.255.255.249).
Then added the Redirect IP of the internal IP address to my server. I tried using the automatically generated firewall rule for the WAN but when I look at it, the internal IP address has a subnet mask of /31 not /24. That's when I had the idea of making a firewall rule under LAN that directed any WAN traffic to the network address of my internal IP address with the /24.
Like I said I thought I had it figured out but I've tried so many times now, I'm just confused.
Please help.
-
Is this public IP address your pfSense WAN address? If not, did you create an IP Alias for this IP address so that pfSense could impersonate it?
It's not that hard. First you create the port forward (Firewall - NAT - Port Forward) to create the mapping from WAN to LAN, and then you create the firewall rule to allow the traffic to pass. Post some sanitized screens of your Port Forward screen and your WAN rules.
https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
"Is this public IP address your pfSense WAN address?"
It is not the IP address of my gateway but it is an IP address given to me from my ISP that I can use that is on the same subnet. I have a total of 3 I can use. The problem I think I'm running into is that the external subnet mask is different from the internal. 255.255.255.249 and 255.255.255.0 respectively.
So I create an alias for the IP address I want to use under Host(s). Then use the alias to NAT WAN to LAN. Should I use the automatic rule maker or make one myself? Do you think I need a rule under the LAN too or just WAN?
I'll get back with the screen shots.
Thanks..
-
"So I create an alias for the IP address I want to use under Host(s)."
What do you mean by this, exactly? Usually when you have several IP addresses from your ISP, you create Virtual IPs, specifically IP Aliases which are not to be confused with general aliases used for such things as hosts and networks. You then use the IP Alias as the Destination for your port forward. Stick to the Automatic firewall rule generator unless you really know what you're doing. You don't need a LAN rule for a port forward.
-
I am a firewall novice so I will explain best I can.
With my old firewall and old ISP I could use any one of the IP addresses in our range. I would then most often use a 1:1 mapping of the external and internal IPs. Easy for me. Then I would NAT the port I wanted to use between the 2 IP addresses.
I have never tried using virtual IPs but am willing to try. Currently I am trying to just map the IP address I have to the internal IP associated with the server I'm trying to give access to. That is probably where I'm going wrong. And yes I understand that I will use the alias as the destination for the port forward.
I'll do some more research/reading on virtual IPs and give that a try.
-
pfSense only knows about the IP addresses you make it aware of. If you want it to listen on other IP addresses that are not already associated with an interface then you need to add them as Virtual IPs.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You then use the virtual IP address as the destination for your NAT rule.
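
Added example, not part of the original thread and not pfSense code: a small Python model of the order in which an inbound WAN packet is handled (Virtual IP ownership, then the port forward, then the WAN filter rule), showing why the WAN rule has to name the internal address and why no LAN rule is involved. All addresses, ports and names are constructed sample values from documentation ranges.

```python
import ipaddress

# Constructed sample values (documentation ranges), not taken from the thread.
WAN_IP = ipaddress.ip_address("203.0.113.2")    # address on the WAN interface
VIP = ipaddress.ip_address("203.0.113.3")       # extra public IP from the ISP
SERVER = ipaddress.ip_address("192.168.1.10")   # internal server on LAN

# Hypothetical rule records; the field names are assumptions for this model.
FORWARD = {"dst": VIP, "port": 443, "target": SERVER, "target_port": 443}
AUTO_RULE = {"dst": SERVER, "port": 443}   # WAN rule naming the internal address
WRONG_RULE = {"dst": VIP, "port": 443}     # WAN rule naming the public address


def inbound(dst, port, vips, forwards, wan_rules):
    """Model one TCP packet arriving on WAN; return (verdict, detail)."""
    dst = ipaddress.ip_address(dst)
    # 1. The firewall only answers for addresses it has been made aware of.
    if dst != WAN_IP and dst not in vips:
        return ("unanswered", "no interface or Virtual IP owns %s" % dst)
    # 2. The port forward (NAT) is applied before the filter rules.
    for fwd in forwards:
        if fwd["dst"] == dst and fwd["port"] == port:
            dst, port = fwd["target"], fwd["target_port"]
            break
    else:
        return ("blocked", "no port forward matches %s:%d" % (dst, port))
    # 3. WAN rules are evaluated against the translated (internal) destination.
    for rule in wan_rules:
        if rule["dst"] == dst and rule["port"] == port:
            return ("passed", "%s:%d" % (dst, port))
    return ("blocked", "default deny: no WAN rule for %s:%d" % (dst, port))


if __name__ == "__main__":
    cases = [
        ("no Virtual IP defined", set(), [AUTO_RULE]),
        ("Virtual IP + rule to internal IP", {VIP}, [AUTO_RULE]),
        ("Virtual IP + rule to public IP", {VIP}, [WRONG_RULE]),
    ]
    for label, vips, rules in cases:
        print(label, "->", inbound("203.0.113.3", 443, vips, [FORWARD], rules))
```
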