Netgate Discussion Forum

    Can't connect from network to wan address

    Firewalling
    • wilpig

      I think this is the right place for this question, but I am not sure, so if not please direct me to the right location.

      I just installed 1.2 and everything appeared to be working great until I tried to get to one of the webservers here and realized I couldn't reach it. First I thought it was just an error with Squid, but after I disabled Squid I realized the problem was much larger. I can reach the servers from the internet, just not from inside the network behind the pfSense box.

      First, I have 5 IPs on my public interface. I can only ping two of them from the internet. I can only ping one of those five addresses from inside the network, and that is the IP that is listed on the WAN interface. Instead of trying to explain my setup with a wall of text I drew it up really quickly and saved it as a PDF.

      http://wilpig.org/temp/firewallsetup.pdf

      I believe I have all of the firewall rules set correctly. I put in two generic ICMP rules for the LAN and WAN sides just saying permit all. I have tried to do a packet capture to see what was going on, but it was not much help. I started a capture and then attempted to open a PuTTY session to one of my external IPs that has a rule in to route to one of the backend servers. These are the only two lines that were in the packet dump from that attempt.

      23:37:58.515509 IP (tos 0x0, ttl 128, id 20065, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 208.xxx.xxx.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>
      23:38:01.526322 IP (tos 0x0, ttl 128, id 20124, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 208.xxx.xxx.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>

      I also saved a copy of my config if that will help determine what the problem is.

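      The two capture lines above carry the same client port and the same initial sequence number three seconds apart and no SYN-ACK ever comes back, which is the signature of a client retransmitting an unanswered SYN. The script below is an added example, not code from the post or from pfSense: it parses tcpdump -v lines of that layout and reports flows that retransmit a SYN without ever seeing a SYN-ACK, so the same check can be rerun after a change such as enabling NAT reflection. The sample capture is constructed: the masked public address is replaced by 203.0.113.14, and the healthy LAN-to-LAN handshake to 192.168.0.20 is invented.

```python
import re
from collections import defaultdict

# Matches the tcpdump -v layout quoted in the post: old-style flag letters, seq:seq(len), optional "ack N".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[SFRP.]+), cksum \S+ \([^)]*\), "
    r"(?P<seq>\d+):\d+\(\d+\)(?P<ack> ack \d+)?"
)

def parse_line(line):
    """Return the TCP fields of one capture line, or None if the line does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "seq": int(d["seq"]),
            "syn": "S" in d["flags"], "ack": d["ack"] is not None}

def find_unanswered_syns(lines):
    """Group client SYNs by 4-tuple and report the flows that never see a SYN-ACK."""
    flows = defaultdict(lambda: {"syns": 0, "seqs": set(), "first": None, "last": None})
    answered = set()
    for line in lines:
        p = parse_line(line)
        if p is None or not p["syn"]:
            continue
        if p["ack"]:  # SYN-ACK: remember the client-side tuple it answers
            answered.add((p["dst"], p["dport"], p["src"], p["sport"]))
            continue
        f = flows[(p["src"], p["sport"], p["dst"], p["dport"])]
        f["syns"] += 1
        f["seqs"].add(p["seq"])  # a real retransmit repeats the initial sequence number
        f["first"] = f["first"] or p["ts"]
        f["last"] = p["ts"]
    return [{"flow": k, "syns": f["syns"], "retransmits": f["syns"] - len(f["seqs"]),
             "first": f["first"], "last": f["last"]}
            for k, f in flows.items() if k not in answered]

# Constructed sample: the two SYNs from the post (public IP replaced by a documentation address)
# plus one healthy LAN-to-LAN handshake that must not be flagged.
SAMPLE = [
    "23:37:58.515509 IP (tos 0x0, ttl 128, id 20065, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 203.0.113.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "23:38:01.526322 IP (tos 0x0, ttl 128, id 20124, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3437 > 203.0.113.14.22: S, cksum 0xaf4a (correct), 1961411612:1961411612(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "23:38:05.000000 IP (tos 0x0, ttl 128, id 20130, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.0.105.3438 > 192.168.0.20.22: S, cksum 0x1111 (correct), 7000:7000(0) win 65535 <mss 1460,nop,nop,sackOK>",
    "23:38:05.000400 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.0.20.22 > 192.168.0.105.3438: S, cksum 0x2222 (correct), 9000:9000(0) ack 7001 win 5840 <mss 1460>",
]
```

      Running find_unanswered_syns(SAMPLE) flags only the flow to the public address: 2 SYNs, 1 retransmit, no SYN-ACK.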
      • GruensFroeschli

        enable NAT reflection

        --> advanced --> NAT reflection

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • wilpig

          You are amazing.  Thank you very much!

          • wilpig

            Would this setting cause my internet terminal services clients to constantly need to reconnect? Many of the sales people here just connect to our DNS name for the terminal server when they are in the office or out, for simplicity. If they connect to the external name while in the office and leave the connection idle for about 45 seconds, they have to wait while it says "reconnecting to host". The memory usage on the status page shows 60%; the states table is nowhere near full. If I connect to the local name, which bypasses the firewall, it does not have this reconnection problem.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.