Accessing my internal network from the Internet

  • I have installed a pfSense device in front of my cable modem. The pfSense device is itself in front of my NETGEAR router. My internal network is behind my NETGEAR router. In this network, I have a machine that runs an ssh service. From within my internal network, I can ssh to this machine. I would like to be able to access the ssh server from the Internet. Before I installed the pfSense device in front of my router, I used to be able to access the ssh server, with the port forwarding rule configured on my router. But since I have added the pfSense device, I can't. I wonder if I need to configure the pfSense to let traffic coming from the Internet on specific ports go through. Do I need to configure NAT? Do I need to configure firewall rules?

  • LAYER 8 Netgate

    Why the netgear?

  • The Netgear is the router to which all the devices on the internal network are connected. The pfSense is installed on a PC Engines apu1d4 system which has one WAN port and one LAN port. The cable modem is connected to the WAN port and the router is connected to the LAN port. My understanding is that to get to the device in the internal network, I need to apply a port forwarding rule in the router and need some sort of configuration on the pfSense system.

  • LAYER 8 Netgate

    Are you just using the switch in the Netgear or are you connecting the Netgear's WAN port to pfSense?

    There is really no reason to use two routers. If you insist on doing it that way everything you do like this will be more complicated.

  • I am connecting the WAN port of the Netgear to pfSense. I understand the added complexity, but on the other hand, I need to understand how port forwarding works on the pfSense. I don't seem to be able to get that to work.

  • LAYER 8 Global Moderator

    It works just like any other router. But now you have a double NAT. And what are the networks involved? For all we know a triple NAT, since what IP is on the pfSense WAN?

    You have this:

    internet publicIP (pfsense) privateIP ---- privateIP (netgear) privateIP2 ---- privateIP2 device

    So if you wanted something to get to the device, you would have to forward on pfSense to the privateIP on the Netgear router, and then on the Netgear forward to the device. And if these networks happen to be the same, then yeah, shit's not going to work, ever, etc.

    You do understand that when you connect a different device to your cable modem, you're going to have to reboot your cable modem and your public IP is now going to be something different.
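    The double-NAT chain the moderator sketches above, modelled as an added example (not code from the thread or from pfSense): it follows an inbound tcp/22 forward through pfSense and then the Netgear, counts the NAT layers, and reports the "same networks on both routers" case. All addresses, router names and forward rules are constructed.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 plus 100.64.0.0/10 (CGNAT): seen on a WAN port, the upstream box is a NAT too.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

@dataclass(frozen=True)
class Router:
    name: str
    wan_ip: str     # address on the router's upstream (WAN) side
    lan_net: str    # subnet on its LAN side
    forwards: dict  # {(proto, wan_port): (inside_ip, inside_port)}

def nat_layers(chain):
    """Routers in the chain, plus one if the first WAN is private (modem NAT too)."""
    wan = ipaddress.ip_address(chain[0].wan_ip)
    return len(chain) + (1 if any(wan in n for n in PRIVATE) else 0)

def check_chain(chain, proto, dst_port):
    """Follow an inbound packet through each router's port forward.
    Returns ("ok", (final_ip, final_port)) or ("fail", reason)."""
    nets = [ipaddress.ip_network(r.lan_net) for r in chain]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):  # same subnet on both sides of a router
                return "fail", f"LAN subnets overlap: {a} and {b}"
    port = dst_port
    for i, r in enumerate(chain):
        rule = r.forwards.get((proto, port))
        if rule is None:
            return "fail", f"{r.name}: no forward for {proto}/{port}"
        ip, port = rule
        if ipaddress.ip_address(ip) not in nets[i]:
            return "fail", f"{r.name}: target {ip} not in {nets[i]}"
        if i + 1 < len(chain) and ip != chain[i + 1].wan_ip:
            return "fail", (f"{r.name}: forwards to {ip} but "
                            f"{chain[i + 1].name} WAN is {chain[i + 1].wan_ip}")
    return "ok", (ip, port)
# Constructed sample (203.0.113.0/24 is a documentation range): pfSense forwards
# tcp/22 to the Netgear's WAN address, and the Netgear on to the SSH host.
PFSENSE = Router("pfsense", "203.0.113.5", "192.168.1.0/24",
                 {("tcp", 22): ("192.168.1.2", 22)})
NETGEAR = Router("netgear", "192.168.1.2", "192.168.0.0/24",
                 {("tcp", 22): ("192.168.0.10", 22)})
CHAIN = [PFSENSE, NETGEAR]
# Same layout with the Netgear LAN also on 192.168.1.0/24: the overlap case.
NETGEAR_SAME = Router("netgear", "192.168.1.2", "192.168.1.0/24",
                      {("tcp", 22): ("192.168.1.10", 22)})
OVERLAP = [PFSENSE, NETGEAR_SAME]
```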

  • Definitely a newbie here, but my vote is dump the Netgear router and just use a switch after the pfSense. At the very least, disable DHCP in the Netgear and connect the pfSense LAN to the Netgear LAN. That will probably leave you with 3 LAN ports on the Netgear. Need more? Then dump the Netgear router and get a switch.

    I just replaced my FIOS router with a pfSense device followed by a managed switch so I can run several VLANs. So far, I'm extremely impressed with the ease of use and the capabilities built into pfSense. Also, this community is very helpful. I started out looking at DD-WRT. But that community seems to be full of Linux command line jocks who didn't even bother to answer my simple newbie questions.

  • LAYER 8 Global Moderator

    Yeah, if you want to leverage your old Netgear as a switch or an AP with some switch ports, that's fine. But I see no real reason for it to also be doing NAT. That is what you have pfSense for now ;)

    And pfSense port forwarding functionality is going to just blow away anything you're going to see in any SOHO router, that is for damn sure. And to be honest it's really like a couple of clicks to get a port forward working.

    Let me count them:
    Firewall, NAT
    Fill out dest port, IP of where you want to forward, port

    So like 3 clicks and putting in your info. If that takes you more than 15 seconds you're really doing something wrong ;) Quite often all you really have to put in is the IP you want to forward to and the port. It defaults to the WAN and TCP, and to auto create your firewall rule for you. This, to be honest, is way easier than many a SOHO router's port forwarding, while at the same time giving you lots of power and advanced features if you so need it, etc.
