Netgate Discussion Forum

    Nating from Wan1 to Wan3

      InserTec

      Hi, and thanks for the possible responses ;)

      I have a pfSense with 3 WANs and 1 LAN.

      I can make a firewall NAT rule on WAN1 to forward port 80 to a LAN IP (all OK) [WAN1 192.168.2.1 80 -> LAN 192.168.1.10 80]

      On WAN3 [192.168.15.1] I have a VPN in production and can ping IP 10.14.64.33 correctly.

      To access WAN3 (VPN 10.14.64.33) from the LAN, I did this:
        Firewall-Rules -> LAN
        add rule: Pass, Interface LAN, Protocol TCP/UDP, Source any, Destination 10.14.64.33, Gateway WAN3
      From the LAN everything works OK.

      Now my question and my problem.
      I would like to NAT from WAN1 port 8080 to WAN3 (10.14.64.33, gateway WAN3) port 8080.

      I did this, but it does not work.
      In System->Advanced->Firewall/NAT:
        Uncheck: Disable NAT Reflection for port forwards
        Uncheck: Disable NAT Reflection for 1:1 NAT

      In Firewall-NAT -> Port Forward
        add rule: Interface WAN1, Protocol TCP/UDP, Destination WAN3 Address, Destination port range 8080 8080, Redirect target IP 10.14.64.33, Redirect target port 8080, NAT reflection enabled.
        In the filter rule association, I modified it to gateway WAN3.

      But if I telnet to WAN1 on 8080, it does not work :-[

      I tested checking Disable NAT Reflection again in System->Advanced->Firewall/NAT, but it does not work.
      I have no idea why it does not work.

      Can you help me?

      Thanks for all your time and sorry for my horrible English.

        doktornotor Banned

        Completely broken idea. Kindly produce some network diagram and state the purpose of what you are doing.

          InserTec

          Thanks for your response !

          MODEMROUTER (EXTERNAL IP -> 192.168.2.1)
          PFSENSE WAN1 (192.168.2.2 PE 192.168.2.1)

          CISCO891 (EXTERNAL IP -> 192.168.15.1) [VPN LAN2LAN 192.168.15.0 0.0.0.255 can access 10.14.64.33]
          PFSENSE WAN3 (192.168.15.2 PE 192.168.15.1)

          PFSENSE LAN (192.168.1.1… 192.168.1.x lan pcs)


          WORKS:
          FROM WAN1 EXTERNAL TO LAN OK (Standard nat forward)
          FROM LAN TO WAN3 10.14.64.33 OK (Firewall rule lan to 10.14.64.33 GW Wan3)

          DOES NOT WORK:
          TRAFFIC FROM EXTERNAL IP ANY WAN1 PORT 8080 TO WAN3 10.14.64.33 8080

          Do you need some information?

          Thanks very much for your help.

            doktornotor Banned

            @InserTec:

            Do you need some information?

            Yeah. The information I already requested above would be a good start. Good luck.

              InserTec

              Thanks !

              I attached a schema of the LAN.

              I would like to go from IP x.x.x.x (external IP WAN1) port 8080, redirect, and get the response from WAN3 10.14.64.33 8080.

              This is the idea… but my execution does not work.

              Thanks for your time !

              ![RED INSER Esquema 4.jpg](/public/imported_attachments/1/RED INSER Esquema 4.jpg)

                doktornotor Banned

                1/ I do not understand what's PE.
                2/ Your LAN and WAN1 is on the same subnet -> broken.
                3/ WTH is that 0.0.0.255 PCs LAN netmask?  :o
                4/ You still have not explained what's the purpose of the WAN -> WAN NAT you are trying to do there.

                  InserTec

                  Uff, sorry… I mixed up the pressure and Spanglish... sorry for that!

                  I attach the correct schema.

                  The purpose is that all Internet traffic going to external WAN1 port 8080 gets the response from the server on WAN3 (VPN 10.14.64.33 8080).

                  Thanks and sorry ;-(

                  ![RED INSER Esquema 5.jpg](/public/imported_attachments/1/RED INSER Esquema 5.jpg)

                    doktornotor Banned

                    Well, response from server… I cannot see any server on the diagram. Where's the server? What's that 8080? Are you running two separate proxies somewhere??? And where?

                      InserTec

                      Thanks for your patience :)

                      The new schema.

                      The whole WAN3 subnet 192.168.15.x can access 10.14.64.33 (all ports).

                      ![RED INSER Esquema 6.jpg](/public/imported_attachments/1/RED INSER Esquema 6.jpg)

                        doktornotor Banned

                        Let me clarify:

                        So, you have some webserver (???) running on port 8080 which is only accessible via the (unknown flavour of) VPN with RFC1918 (non-public) IP? And you are trying to access that from public IP space via the (at least) triple NAT (modem -> WAN1 -> OpenVPN)?

                          InserTec

                          Yes, that is correct.

                          ExternalIp-Modem -> Wan1 -> (Pfsense) -> Wan3 (Cisco) by vpn tunnelled ip nated 192.168.15.1 <-> 10.14.64.33

                          Thanks very, very much for your time.

                          I attach the rule from the LAN to the 8080 server, which works OK.
                          I need access to this server from the external IP of WAN1.

                          ![Captura de pantalla 2015-06-03 a la(s) 12.18.25.png](/public/imported_attachments/1/Captura de pantalla 2015-06-03 a la(s) 12.18.25.png)
                          ![Captura de pantalla 2015-06-03 a la(s) 12.18.34.png](/public/imported_attachments/1/Captura de pantalla 2015-06-03 a la(s) 12.18.34.png)

                            doktornotor Banned

                            Can you bridge that modem on WAN1 to get rid of at least one level of NAT?

                              InserTec

                              Right now it is not possible to bridge the modem :-[, I can only make a DMZ.

                                doktornotor Banned

                                Is manual NAT (port forward) possible on the modem?
                                What kind of VPN are you using for the LAN-to-LAN VPN?

                                I do think this kind of setup is meaningful, or reliable, or anything even remotely close to sane state… Good luck.

                                  InserTec

                                  Yes, it is possible.
                                  Right now I have configured a DMZ to 192.168.2.2; I can disable it and make a manual port forward.

                                    doktornotor Banned

                                    What's the VPN?

                                      InserTec

                                      I do not understand the question.

                                      The VPN works fine and joins two buildings with other FTTH lines.
                                      I only have access to the LAN of the Cisco, with 192.168.15.1 as gateway, and it goes correctly to the 8080 server at the IP in the other building, 10.14.64.33.

                                      Sorry, my English is horrible and with the VPN I'm very limited. I only have access to 192.168.15.x and 192.168.15.1 as gateway to go to the server port 8080.

                                        doktornotor Banned

                                        @InserTec:

                                        I do not understand the question.

                                        OpenVPN? IPsec? PPTP? Something else? Or, the VPN is not on pfSense at all?

                                        Well, maybe someone else. There's also Spanish subforum here.

                                          InserTec

                                          The VPN is IPsec, and it is not on pfSense; it is a Cisco 891 router.
                                          It is connected from the LAN of the Cisco to a LAN port (hardware RJ45) on pfSense, which I call WAN3.

                                            doktornotor Banned

                                            @InserTec:

                                            It is connected from the LAN of the Cisco to a LAN port (hardware RJ45) on pfSense, which I call WAN3.

                                            Calling something WAN when it's in fact NOT a WAN really does NOT help. When you say WAN here -> something usable for generic internet access.
