WAN port forward to LAN IPs (multi WAN).
-
Your humble servant ;D
Always a pleasure. -
Actually it is from source any to destination NAT IP. NAT is applied first, after that firewall rules are applied.
In your case your WAN rule should look like:
pass, interface WAN1, proto tcp, source IP any, source port any, destination IP 192.168.1.10, port 80 for the webserver example. Btw, now as I look closer, why do you want to forward port 3000 to the pfSense's LAN IP itself? What is running at 3000? For this kind of thing you only need to allow traffic to the WAN IP of the pfSense. No NAT rule is needed.
And another btw, it's always the easiest thing to let the pfSense create the firewall rules. Just make sure "autocreate firewall rule" at the bottom when adding a port forward is checked.
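The same point in pf.conf syntax, added here as an illustration and not taken from hoba's post or from pfSense's generated ruleset: interface names are assumed, the addresses are the thread's 192.168.1.10 webserver on WAN1, and the second WAN (OPT1) is included to show the multi-WAN case.

```conf
# Added example (constructed, not from the thread). Interface names and
# gateway are assumptions; 192.168.1.10 is the webserver from the thread.
wan1_if   = "xl0"
opt1_if   = "xl1"
opt1_gw   = "192.168.3.1"
webserver = "192.168.1.10"

# 1. Port forward (NAT). pf evaluates rdr BEFORE the filter rules and
#    rewrites the destination from the WAN address to the LAN host.
rdr on $wan1_if proto tcp from any to ($wan1_if) port 80 -> $webserver port 80
rdr on $opt1_if proto tcp from any to ($opt1_if) port 80 -> $webserver port 80

# 2. Filter rules see the packet AFTER translation, so the destination to
#    match is the LAN host, not the WAN IP. This is what "autocreate
#    firewall rule" produces for you.
pass in quick on $wan1_if proto tcp from any to $webserver port 80

# On the non-default WAN, pfSense adds reply-to so the webserver's answers
# leave through the interface the request arrived on instead of the
# default gateway.
pass in quick on $opt1_if reply-to ($opt1_if $opt1_gw) proto tcp \
    from any to $webserver port 80

# WRONG (the source/target mix-up from the thread): this matches the WAN
# address, which the packet no longer carries after the rdr, so the
# forwarded connection falls through to the default block and shows up in
# the firewall log as blocked.
# pass in quick on $wan1_if proto tcp from any to ($wan1_if) port 80
```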
-
Indeed a question which slipped my attention. Shouldn't post after midnight; make mental note.
Right, you shouldn't need a NAT rule for this; only if you want to redirect past pfSense to another network will you need these NAT redirects. But as I read your first post, you would like to RDR port 3000 to 192.168.1.90, so I suppose it was just a quick test, if rules work, wasn't it?
-
I suggest restarting from scratch. Delete all firewall rules you made for the NATs so far. Also delete all NATs. Then apply your settings.
After that add the port forwards just to the WAN1 and WAN2 as needed and let the firewall rules be autocreated. It's really not a very difficult task to get this running. ;) -
I guess the Zyxel are DSL routers (or they route somehow, but DSL modems normally don't hand out private IP ranges ;) )
I further guess - based on your information - your net looks something like that, eh?

                NET                        NET
                 |                          |
           +-----+-----+              +-----+-----+
           | DSL-Router|              | DSL-Router|
           +--------+--+              +--+--------+
               .3.1 |                    | .2.1
                    |                    |
               OPT1 |                    | WAN
               .3.2 |                    | .2.2
                  +-+--------------------+-+
                  |        PFSENSE         |
                  +-----------+------------+
                              | 192.168.1.1
                              |
                  +-----------+------------+
                  |         Switch         |
                  +-----+------------+-----+
                        |            |
                     +--+-+        +-+--+
        192.168.1.90 | PC |        | PC | 192.168.1.10
                     +--+-+        +-+--+
                        |            |
              others ---+            +--- others (192.168.1.110)

So you have redundant (or two separate) DSL lines. One should be WAN, the other OPT1 (as pfSense calls it). If that's the case, that shouldn't do much trouble. As hoba already said, just let pfSense create the rule of your NAT redirect, it normally knows how to do it right ;)
If it won't work, check both Zyxel, if they route all traffic to pfSense. And also watch the logs carefully (perhaps via SSH login and watching pflog output, too) why a packet is blocked (clicking on the little icon in pfSense's log view will tell you which rule caused it). Hope that helps,
Grey -
I'll start from scratch tomorrow morning in any case… ^_^
It works now and I've understood some stuff much better... Grey, the network is exactly like you drew it... (btw how did you do the diagram? :P)
Both your advice are excellent and I cannot thank you enough for your help! :)
My biggest mistake was mixing up source and target networks... I was creating wrong firewall rules...
Allowing pfSense to make the rules would be easy indeed... but it didn't work the first time I tried it (some other mistake), so I gave up on it! :P
hehe~ ps. hoba, the 3000 port is just a test! :P My ISP doesn't allow ports 80, 81 and 8080 to be used, so I had to play with something else until my static IPs kick in! :P
Thanks again guys!
-
As you like to say, "I did it from scratch" - so to speak. I just like things to be crystal clear when it comes to network problems ;) So I have a few small ASCII text network diagrams ready to explain things better than only writing the facts :) Just a faible - but a helpful one. It helps me understand problems and others explaining my faults in guessing the facts ;D
So I'm glad it was helpful.
Greets
Grey -
You have them "ready"? Great, you should post them somewhere so people can refer to them or copy and paste to describe things :D
-
I'll try to make a few for different setups :) Only have to think 'bout where to put them. Any hint?
-
I could upload them on my server with your name and stuff if you'd like… :)
Just contact me! :)