Port forwarding not working [SOLVED]
-
Hello everybody,
New to pfSense, so just getting a hang of it. Used dd-wrt until recently on some tp-link routers, until I decided it's time to move forward and start building a home-lab.
This is my network configuration so far:
==========================
192.168.1.10 - ISP modem/router
- LAN side DHCP server active
==========================
||
||
==========================
192.168.1.20 - pfSense WAN interface - gets its LAN IP from the ISP modem through DHCP (MAC binding active)
192.168.2.20 - pfSense LAN interface
- DHCP server active for the entire LAN
- LAN IP static
==========================
||
||
==========================
management switch
==========================
||
||
==========================
192.168.2.2 - WiFi AP 1 (TP-Link router setup as AP)
192.168.2.3 - WiFi AP 3 (TP-Link router setup as AP)
192.168.2.xxx - printer, TV, Plex server, NAS, etc.
192.168.2.xxx - ESXi host
192.168.2.xxx - various VMs
==========================
pfSense is running in a VM on an ESXi host.
I'm having trouble with port forwarding in this configuration, as it seems the rules have no effect.
I think the problem is the ISP modem/router that sits before the pfSense server and is on a different subnet.
Is this a bad design? Should I put the ISP router on the same subnet?
Any help would be appreciated!
-
Ideally you would replace the ISP router with your pfSense system. If that's not possible, you can use the DMZ option of the ISP router to forward all traffic to the WAN address of the pfSense system. Make sure you untick the "Block private networks" option on the WAN interface setup page if you have to keep the current ISP router in place.
-
Hi and thanks for the reply!
Yes, I would very much like to do just that, but there are no DMZ settings on the modem itself.
I also cannot get rid of it completely as the WAN connection on the modem is coax and I have no idea if there's a PCI card for this purpose.
Also … the connection itself is not PPPoE or anything similar, it just connects through DSL based on some unique identifier on the modem itself.
My ISP is Kabel Deutschland (Vodafone) and my modem/router is a CBN CH6640E Wireless Gateway.
CBN CH6640E Specifications:
- Advanced firewall for enhanced network security from undesired attacks over the Internet.
- It supports stateful-inspection, intrusion detection, DMZ, denial-of-service attack prevention, and Network Address Translation (NAT).
Although DMZ is listed on the spec sheet, it is nowhere to be found on the modem's config page itself.
So it seems that with my current config there is no port forwarding possible …
-
Hi Orvo
Seems like we have a similar problem, I'm also troubleshooting the same thing.
However in my case, if I connect my web server (ESXi) directly to the ISP modem, then I can reach my ESXi without any problem.
Are you able to access any of your devices from the internet if you plug them in directly to your DSL / cable modem?
-
Hi AllGamer,
Yes, I'm sure I could reach them from outside without any issues.
In that case however the devices on my LAN would get a 192.168.1.x IP, on the same subnet with the ISP router.
Now my devices are on the 192.168.2.x subnet, with IPs served by the pfSense DHCP server.
Still looking for a solution …
Let me know if you come up with something.
-
And the answer in my case was setting the modem in bridge mode.
For KD customers it's a fairly simple online activation process.
Now my pfSense's WAN gets the public IP directly.