Nating from Wan1 to Wan3
-
Hi and thanks for the posible responses ;)
I have a PFSense with 3 WAN and 1 LAN
I can make a firewall-nat in WAN1 to forward port 80 to LAN ip (all ok) [WAN1 192.168.2.1 80 -> LAN 192.168.1.10 80]
In WAN3 [192.168.15.1] i have in production a VPN and can ping correctly to ip 10.14.64.33
To access from LAN to WAN3 (vpn 10.14.64.33) i make this:
firewall-rules -> LAN
add rule: Pass, Interface LAN, Protocol TCP/UDP, Source any, Destination 10.14.64.33, Gateway WAN3
From LAN works all okNow my question and my problem.
I like nat from Wan 1 port 8080 to Wan3 (10.14.64.33 Gateway Wan3) port 8080I make this, but not work.
In System->Advanced->Firewall/Nat:
Uncheck: Disable NAT Reflection for port forwards
Uncheck: Disable NAT Reflection for 1:1 NATIn Firewall-Nat -> Port-Fordward
add rule: Interface WAN1, Protocol TCP/UDP, Destination WAN3 Address, Destination port range 8080 8080, Redirect Target Ip 10.14.64.33, Redirect target port 8080, Nat reflection enabled.
in filter rule association, i modificate to gateway WAN3But if i make a telnet in wan1 to 8080 not work :-[
I test, checking again In System->Advanced->Firewall/Nat Disable Nat Reflection, but not work
I have no idea why not workCan i help me?
Thanks for all your time and sorry for my horrible english.
-
Completely broken idea. Kindla produce some network diagram and state the purpose of what you are doing.
-
Thanks for your response !
MODEMROUTER (EXTERNAL IP -> 192.168.2.1)
PFSENSE WAN1 (192.168.2.2 PE 192.168.2.1)CISCO891 (EXTERNAL IP -> 192.168.15.1) [VPN LAN2LAN 192.168.15.0 0.0.0.255 can access 10.14.64.33)
PFSENSE WAN3 (192.168.15.2 PE 192.168.15.1)PFSENSE LAN (192.168.1.1… 192.168.1.x lan pcs)
WORKS:
FROM WAN1 EXTERNAL TO LAN OK (Standard nat forward)
FROM LAN TO WAN3 10.14.64.33 OK (Firewall rule lan to 10.14.64.33 GW Wan3)NOT WORKS:
TRAFIC FROM EXTERNAL IP ANY WAN1 PORT 8080 TO WAN3 10.14.64.33 8080Do you need some information?
Thanks very much for your help.
-
Do you need some information?
Yeah. The information I already requested above would be a good start. Good luck.
-
Thanks !
I attached a schema of the lan.-
I like go from ip x.x.x.x (External ip Wan1) port 8080 redirect and response to Wan3 10.14.64.33 8080
This is the idea… but my execution not work..
Thanks for your time !
 -
1/ I do not understand what's PE.
2/ Your LAN and WAN1 is on the same subnet -> broken.
3/ WTH is that 0.0.0.255 PCs LAN netmask? :o
4/ You still have not explained what's the purpose of the WAN -> WAN NAT you are trying to do there. -
Uff, sorry… i mix the pression and spanenglish... sorry for that !
I attach the good schema.-
The purpose is all internet go to external wan1 port 8080, response from server in wan3 (vpn 10.14.64.33 8080)
Thansk and sorry ;-(
 -
Well, response from server… I cannot see any server on the diagram. Where's the server? What's that 8080? Are you running two separate proxies somewhere??? And where?
-
Thanks for your pacience :)
The new schema..
All the subnet of wan3 192.168.15.x can access to 10.14.64.33 (all ports)
 -
Let me clarify:
So, you have some webserver (???) running on port 8080 which is only accessible via the (unknown flavour of) VPN with RFC1918 (non-public) IP? And you are trying to access that from public IP space via the (at least) triple NAT (modem -> WAN1 -> OpenVPN)?
-
Yes, is correct.
ExternalIp-Modem -> Wan1 -> (Pfsense) -> Wan3 (Cisco) by vpn tunnelled ip nated 192.168.15.1 <-> 10.14.64.33
Thanks very very much for your time.
I attach the rule from lan to 8080 server working ok.-
I need from external ip Wan1 access to this server.- 12.18.25.png)
 12.18.25.png_thumb)
 12.18.34.png)
 12.18.34.png_thumb) -
Can you bridge that modem on WAN1 to get rid of at least one level of NAT?
-
Now is not possible bridge the modem :-[, only i can make a dmz
-
Is manual NAT (port forward) possible on the modem?
What kind of VPN are you using for the LAN-to-LAN VPN?I do think this kind of setup is meaningful, or reliable, or anything even remotely close to sane state… Good luck.
-
Yes is posible.
Now i have configurate a dmz to 192.168.2.2, can i disable and make a manual port forward. -
What's the VPN?
-
I not understand the question.
The vpn work fine and joins two buildings with other ftth lines.
I only have access to lan of cisco, in 192.168.15.1 as gateway and go correctly to 8080 server in the ip of other building 10.14.64.33.Sorry my english is horrible and in the vpn im very limited. I only hace access to 192.168.15.x and 192.168.15.1 as gateway to go to the server port 8080.
-
I not understand the question.
OpenVPN? IPsec? PPTP? Something else? Or, the VPN is not on pfSense at all?
Well, maybe someone else. There's also Spanish subforum here.
-
Vpn Ipsec and not pfsense is a cisco router 891.
Is connected from lan of cisco to a lan (hardware rj45) in pfsense and i call wan3. -
Is connected from lan of cisco to a lan (hardware rj45) in pfsense and i call wan3.
Calling something WAN when it's in fact NOT a WAN really does NOT help. When you say WAN here -> something usable for generic internet access.
-
please, dont bother with me :'(
Yes, this not is a wan… not resolve internet access only a lan in other building.
Sorry -
As hinted above, perhaps posting in the Spanish subforum would get you better understanding…
Provided you can somehow get the traffic across the modem (DMZ, NAT), try with the following NAT rule:
Interface WAN1
Protocol: TCP
Destination: WAN1 Address
Destination port 8080
Redirect Target IP: 10.14.64.33
Redirect target port 8080Now, you also need a static route set up to 10.14.64.0/24 via the "WAN3".
https://doc.pfsense.org/index.php/Static_Routes
-
Ok Thanks very much doktornotor.
I prepare a post for the spanish forum.
Thanks for your time. :D