Port Forward to WAN on internal address?



  • New install of pfSense, latest version.

    My setup: Modem/Router from ISP - has external address of xxx.xx.xx.xx and assigns an internal IP of 192.168.20.33 to my WAN port in pfSense, LAN port in pfSense is 192.168.1.1.

    I cannot get any of my port forwarding to work (works fine with my old dlink). I am trying to set up RDP to one machine and SSH to another.

    Port Forward is set up like this:

    RDP:
    Source IP & Port: Any
    Destination: Wan Address
    Destination Port: MS RDP
    Redirect IP: 192.168.1.104 <- my windows machine getting its IP from pfSense DHCP
    Redirect Port: MS RDP

    SSH:
    Source IP & Port: Any
    Destination: Wan Address
    Destination Port: SSH
    Redirect IP: 192.168.1.109 <- my ubuntu machine getting its IP from pfSense DHCP
    Redirect Port: SSH

    Rules were auto created. I have checked Log packets that are handled by this rule.

    When I try to connect from an external source where I have access to the firewall, I can see the traffic moving out. When I check the firewall logs on pfSense, I see nothing from the IP I am connecting to, nothing on either of the ports (3389 or 22).

    All traffic going outbound works great.

    Not sure what I am doing wrong. Any help would be appreciated.

    Edit: had the wrong LAN port listed, changed from .104 to .1





  • Hi,

    Thanks for your reply. Yes, went through everything in that link, multiple times…even went to the point where I wiped the machine and started over with a fresh install.

    I think it is something to do with the fact that the pfSense WAN port IP is not a public IP but a private one - spoke to my ISP who said they basically have an Any to Any rule setup on their modem that passes all traffic from the public IP to the private IP.



  • Did you uncheck the Block private networks and Block bogon networks in the WAN Interface details?  You have a complementary firewall rule for each NAT rule you have added?



  • I did uncheck block private networks, I believe I still have Block Bogon checked though. I will try unchecking it.

    Yes, I have the rules as well - at work now, but will post what they list as later on.



  • I believe there may be some overlap between private nets and bogons, so unchecking both would be best to test.  Otherwise, please post screenshots of your NAT rules and WAN firewall rules.  Obscure any public IP space before you post them.



  • Unchecked both private and bogon: still can't get through.  :(

    Screenshots are attached.





  • LAYER 8 Netgate

    went through everything in that link, multiple times

    The port forward must be done on your ISP router and pfSense.

    Item #8 in Common Problems

    Better yet is to put your ISP router in bridge mode.



  • Talked to my ISP earlier - they were forwarding port 3389 and 22, and have now opened all of the ports (except for 25 and 80) - I am going to ask about bridged mode. The funny thing is I can unplug the pfSense pc and put my old dlink wireless router on and it works fine.


  • LAYER 8 Netgate

    Packet capture on WAN will show the connections coming in if the ISP modem is forwarding the traffic like they say they are.

    You can easily filter for only the outside IP address you are testing from or just, say port 22.



  • So I talked to my ISP, asked them to put their modem into Bridge mode, they did.

    Still not getting through. Ran a packet capture on both 3389 and 22, with the IP I was connecting from and with no IP…no traffic seems to be getting through. I then ran the capture with no IP or Port entered and it appears some traffic is flowing:

    20:16:40.768733 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.768843 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.768958 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.773032 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.773040 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.773047 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.773676 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.773791 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.776783 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.776906 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.778504 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.778520 IP 162.208.20.242.80 > 192.168.20.33.52620: tcp 0
    20:16:40.778907 IP 192.168.20.33.52620 > 162.208.20.242.80: tcp 783
    20:16:40.783730 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.787775 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.788566 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
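    The capture above is the useful diagnostic in this thread: every packet on the WAN side has the WAN address (192.168.20.33) as one endpoint, and the question is simply whether any packet ever arrives at that address on the forwarded ports. Below is an added example (not from the thread, not pfSense code) that parses pfSense's tcpdump-style capture lines and answers that question. It uses the 16 lines pasted in the post as sample input, plus one constructed line (a test host at 203.0.113.10, a documentation address) showing what a forwarded SSH connection attempt would look like if the upstream device actually delivered it. The function names and the WAN address are assumptions for the example.

    ```python
    import re
    from collections import Counter
    from typing import NamedTuple

    # The 16 capture lines pasted in the thread (pfSense "Packet Capture" output).
    THREAD_CAPTURE = """\
    20:16:40.768733 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.768843 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.768958 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.773032 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.773040 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.773047 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.773676 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.773791 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.776783 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.776906 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.778504 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.778520 IP 162.208.20.242.80 > 192.168.20.33.52620: tcp 0
    20:16:40.778907 IP 192.168.20.33.52620 > 162.208.20.242.80: tcp 783
    20:16:40.783730 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    20:16:40.787775 IP 192.168.20.33.19055 > 74.125.156.54.443: tcp 0
    20:16:40.788566 IP 74.125.156.54.443 > 192.168.20.33.19055: tcp 1348
    """

    # Constructed line (not from the thread): what one inbound SSH attempt from a
    # test host would look like on WAN if the ISP device were forwarding it.
    CONSTRUCTED_INBOUND_SSH = "20:16:41.102233 IP 203.0.113.10.51234 > 192.168.20.33.22: tcp 0"

    WAN_IP = "192.168.20.33"          # the pfSense WAN address from the thread
    FORWARDED_PORTS = {22, 3389}      # the ports the NAT rules redirect


    class Packet(NamedTuple):
        ts: str
        src: str
        sport: int
        dst: str
        dport: int
        proto: str
        length: int


    # "HH:MM:SS.usec IP a.b.c.d.sport > e.f.g.h.dport: proto len"
    LINE_RE = re.compile(
        r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
        r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+) (?P<length>\d+)"
    )


    def parse_capture(text):
        """Parse tcpdump-style lines; lines that do not match (headers, ARP, etc.) are skipped."""
        packets = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if not m:
                continue
            packets.append(Packet(m["ts"], m["src"], int(m["sport"]), m["dst"],
                                  int(m["dport"]), m["proto"], int(m["length"])))
        return packets


    def inbound_hits(packets, wan_ip, ports):
        """Packets per forwarded port that actually arrived at the WAN address.
        A zero for a port you were testing means the upstream device never
        delivered the connection, so the pfSense NAT rule was never consulted."""
        counts = Counter({p: 0 for p in ports})
        for pkt in packets:
            if pkt.dst == wan_ip and pkt.dport in ports:
                counts[pkt.dport] += 1
        return dict(counts)


    def inbound_sources(packets, wan_ip, ports):
        """(source address, forwarded port) pairs seen, to match against the host you tested from."""
        return sorted({(pkt.src, pkt.dport) for pkt in packets
                       if pkt.dst == wan_ip and pkt.dport in ports})


    def remote_peers(packets, wan_ip):
        """Remote (address, port) endpoints the WAN address exchanged traffic with."""
        peers = set()
        for pkt in packets:
            if pkt.src == wan_ip:
                peers.add((pkt.dst, pkt.dport))
            elif pkt.dst == wan_ip:
                peers.add((pkt.src, pkt.sport))
        return peers


    if __name__ == "__main__":
        pkts = parse_capture(THREAD_CAPTURE)
        print("peers:", remote_peers(pkts, WAN_IP))
        print("inbound hits on forwarded ports:", inbound_hits(pkts, WAN_IP, FORWARDED_PORTS))
        with_ssh = parse_capture(THREAD_CAPTURE + CONSTRUCTED_INBOUND_SSH + "\n")
        print("with constructed SSH attempt:", inbound_hits(with_ssh, WAN_IP, FORWARDED_PORTS))
    ```

    Run against the thread's lines, `remote_peers` shows only two endpoints, 74.125.156.54:443 and 162.208.20.242:80, i.e. the firewall's own outbound HTTPS/HTTP sessions, and `inbound_hits` is zero for both 22 and 3389. That is the same conclusion the Netgate reply draws: nothing for the forwarded ports reaches WAN, so the problem is upstream of pfSense, not in its NAT or firewall rules. The redirect target 192.168.1.104 never appears in a WAN capture in either case, because the translation happens after the packet is captured on WAN.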



  • I'm a little confused here.  Your port forward is to 192.168.1.104.  Your traces are all referring to the target 192.168.20.33.  None of the ports you are forwarding are being referenced at all.  ???



  • Yes, I am not sure what is going on…the 192.168.20.33 is the address of my pfSense WAN port connected directly to the ISP modem.

    Another weird thing; I was checking on whatsmyip.org on open ports. I added another rule for VNC to see if I could access that way. On the port scanner everything shows as closed - which makes sense, there are no rules doing the forwarding. The ports that I have made rules for (MSRDP, VNC, SSH) all show as Timed Out instead of closed. Funny enough, ports http, https & ftp all show as open.


  • LAYER 8 Netgate

    If 192.168.20.33 is your pfSense WAN port then either your modem isn't in bridge mode or your ISP hands out RFC1918 addresses to their customers. In either case an inbound port forward will require:

    Modem not in bridge mode: A port forward on the ISP modem/router

    Modem is in bridge mode: A port forward by your ISP on some globally-routable IP address to your WAN address.



  • Got it sorted out.

    After working with my ISP, they explained that their equipment doesn't actually support bridged mode and they set up a DMZ sort of and just call it bridged, and then they forward all traffic from public IP to private IP…when going through all of the settings, they realized they were forwarding the public IP traffic to the wrong private IP (the 192.168.20.33 IP) - they set it to the correct IP, and everything is working now.

    Thanks so much for everyone's help!
