Netgate Discussion Forum

[Help] - Can't access external IP

  • G
    gimomars
    last edited by Sep 22, 2015, 3:07 AM

    Hi experts, I need some help. We are trying to access our in-house web application from outside the network, but it seems we cannot access it. Attached is our firewall port forward; the highlighted one is our WAN to access the web app from 192.168.0.31:81. In our DSL router, it is also port forwarded. Our network setup now is "DSL Router(ISP) - (WAN) > pfSense > router(LAN) > Switch > client". But locally, we are able to access our web app.
    1.JPG
    • G
      gimomars
      last edited by Sep 22, 2015, 6:05 AM

      Anyone please?

      • D
        Derelict LAYER 8 Netgate
        last edited by Sep 22, 2015, 6:09 AM

        Good list of things to check here:

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        You are going to have to show that the DSL device is actually forwarding the port (packet capture on WAN) before anyone will feel like helping you.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

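The WAN capture asked for in the post above can be read mechanically to tell which hop to look at. This Python sketch is an added example, not part of any post in the thread; the capture lines, the outside client 203.0.113.7 and the pfSense WAN address 192.168.1.2 are constructed, and `triage` is a hypothetical helper.

```python
import re

# Constructed `tcpdump -nn -i <WAN> tcp port 81` output as seen on the pfSense WAN.
# 203.0.113.7 (outside client) and 192.168.1.2 (pfSense WAN address behind the
# DSL router) are assumptions, not values from the thread.
SYN_ONLY = """\
10:15:01.000001 IP 203.0.113.7.51234 > 192.168.1.2.81: Flags [S], seq 100, win 64240, length 0
10:15:02.000004 IP 203.0.113.7.51234 > 192.168.1.2.81: Flags [S], seq 100, win 64240, length 0
"""
ANSWERED = SYN_ONLY + """\
10:15:02.000950 IP 192.168.1.2.81 > 203.0.113.7.51234: Flags [S.], seq 900, ack 101, win 65535, length 0
"""

LINE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

def triage(capture: str, wan_ip: str, port: int) -> str:
    """Name the hop to investigate, based on what the WAN capture shows."""
    syn_in = synack_out = 0
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ARP, IPv6 or anything else this sketch does not parse
        if m["flags"] == "S" and (m["dst"], int(m["dport"])) == (wan_ip, port):
            syn_in += 1       # outside client's SYN made it to the pfSense WAN
        elif m["flags"] == "S." and (m["src"], int(m["sport"])) == (wan_ip, port):
            synack_out += 1   # reply from the server, already un-NATed by pfSense
    if syn_in == 0:
        return "upstream: no SYN on WAN, the DSL router is not forwarding the port"
    if synack_out == 0:
        return "pfsense: SYN arrives unanswered, check port forward, WAN rule, server"
    return "ok: handshake answered through pfSense"

if __name__ == "__main__":
    for name, cap in [("empty", ""), ("syn only", SYN_ONLY), ("answered", ANSWERED)]:
        print(f"{name:9} -> {triage(cap, '192.168.1.2', 81)}")
```
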
        • C
          chris4916
          last edited by Sep 22, 2015, 6:22 AM

          NAT doesn't work like this  ???

          Reading what you wrote as NAT rule, you are forwarding to internal address (192.168.0.32) everything reaching WAN interface with destination being "LAN address on port 81".

          I seriously doubt this will ever catch anything because such destination address should never reach your WAN interface  ;)

          Destination address should rather be either your public IP, depending on how your DSL device behaves or at least your pfSense external IP, IMHO  ;)

          Jah Olela Wembo: Words turn into ills when they upset, attack or hurt.

          • D
            Derelict LAYER 8 Netgate
            last edited by Sep 22, 2015, 6:36 AM

            Yup.  I missed that.  I get confused because the firewall rules on WAN are the Real IP of the server, not the WAN address.

            Those port forwards are wrong, as has been pointed out ^^.  The destination address should be WAN address and the NAT address should be the real IP address of the server.

            • G
              gimomars
              last edited by Sep 22, 2015, 7:07 AM

              Hi guys, thanks for the reply. Here's the output. But still can't access it outside. :(
              Here's my setup:

              The 124.xx.xx.xx is our public IP and the 192.xx.xx.xx is our web app server.

              Also, I've tried it vice versa.

              2.JPG
              • C
                chris4916
                last edited by Sep 22, 2015, 7:17 AM

                :D  The idea is not to try everything plus the opposite until it works  :P

                It looks better to me now but still this requires to get the whole understanding.
                This IP is your public IP. So far so good.
                The very first step is to ensure that your DSL device will either act as a gateway or route requests reaching external interface to pfSense external interface.
                Once this is done, you should be able to see, looking at pfSense log, such request reaching pfSense.

                This is clearly the prerequisite. Don't waste time trying further if this doesn't work.

                • D
                  Derelict LAYER 8 Netgate
                  last edited by Sep 22, 2015, 7:31 AM

                  Again, we don't know if the ISP router is actually forwarding the port.

                  • G
                    gimomars
                    last edited by Sep 22, 2015, 8:23 AM

                    Thanks to all, especially to chris. Already working. ;)

                    • C
                      chris4916
                      last edited by Sep 22, 2015, 8:39 AM

                      Some more detailed feedback for those potentially facing a similar issue:

                      As suspected and highlighted by Derelict, the problem was a misalignment between the DSL device and pfSense. In order to reach the internal web service, if the DSL device acts as a router, 2-step NAT is required: one from the internet to pfSense and one from pfSense to the internal server.

                      This needs to be consistent all along the path however paying attention not to open everything in order to grant access  ;)

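The two-step NAT from the closing post, traced in Python as an added example (not code from the thread or from pfSense). It models the order pf applies to inbound traffic, translation first and filtering second; the public IP 198.51.100.10, the pfSense WAN address 192.168.1.2 and LAN address 192.168.0.1 are assumptions, and `Hop` and `trace` are hypothetical names.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]

@dataclass(frozen=True)
class Hop:
    name: str
    fwd_dst: Addr                     # destination the port forward matches on the outside interface
    fwd_to: Addr                      # redirect target (the "NAT IP" and port)
    pass_dst: Optional[Addr] = None   # destination of the filter rule; None = no filter modelled

def trace(dst: Addr, hops):
    """Walk one inbound TCP connection through each NAT hop in order.
    Returns (final_dst, None) on success, else (dst_so_far, "hop:stage") where it stops."""
    for hop in hops:
        if dst != hop.fwd_dst:
            return dst, f"{hop.name}:nat"      # no forward matches this destination
        dst = hop.fwd_to                       # pf translates first ...
        if hop.pass_dst is not None and dst != hop.pass_dst:
            return dst, f"{hop.name}:filter"   # ... so the WAN rule sees the real server IP
    return dst, None

# Constructed addresses, except 192.168.0.31:81 (the web app in the first post).
PUBLIC, WAN, LAN, SERVER = "198.51.100.10", "192.168.1.2", "192.168.0.1", "192.168.0.31"
DSL = Hop("dsl", (PUBLIC, 81), (WAN, 81))
# Forward whose destination is the LAN address: never matches traffic arriving on WAN.
LAN_DEST = Hop("pfsense", (LAN, 81), (SERVER, 81), (SERVER, 81))
# Forward is right, but the WAN rule names the WAN address instead of the server.
WAN_RULE = Hop("pfsense", (WAN, 81), (SERVER, 81), (WAN, 81))
FIXED = Hop("pfsense", (WAN, 81), (SERVER, 81), (SERVER, 81))

if __name__ == "__main__":
    for label, hop in [("LAN dest", LAN_DEST), ("WAN rule", WAN_RULE), ("fixed", FIXED)]:
        print(label, trace((PUBLIC, 81), [DSL, hop]))
```

The returned stage names the device and step where the connection stops, which is the order in which to check the path: DSL forward, pfSense port forward destination, then the WAN rule destination.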