Port Forwarding with Pfsense not Router

I have the following setup. I have my ISP router, which would have my public IP address on the inside and my private address inside: 192.168.1.1. From here I have only one connection to pfSense, which has 4 NICs installed: WAN, LAN, DMZ and Wifi. My WAN range is 20.0.0.0/24, where I have 1 web server I want to expose to the internet. This server is 20.0.0.2. I forwarded port 443 on my router to 192.168.0.4 (IP address of the NIC in pfSense connecting to the WAN). Then I have forwarded port 443 on WAN to 20.0.0.2 in my DMZ. I make use of DynDNS. I still can’t access the server from the internet. See image of my network layout.

Do not use 20.x.x.x, as it is not an RFC 1918 range.

I can change the range, but I would still have the problem of not being able to connect from the outside, as it seems that my port forwarding is not working. I would really like help sorting out the port forwarding from my router to my pfSense box to my web server in the DMZ. Thank you so much.

When you have pfSense behind double NAT, make sure you are allowing RFC 1918 networks on the WAN.
https://docs.netgate.com/pfsense/en/latest/firewall/rule-methodology.html#block-bogon-networks
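The replies above amount to three checks on a double-NAT chain: internal segments must be RFC 1918 space, each device's port forward must land on the next device's directly attached address, and a pfSense WAN that carries a private address must not have "Block private networks" turned on. The script below is an added example (not from this thread, not pfSense's own tooling) that encodes those checks over a plain-data description of the topology in the original post. The /24 mask on the ISP router's LAN, the hop and field names, and the `block_private_on_wan` flag are assumptions; the addresses are the ones the post gives.

```python
"""Sanity-check a double-NAT port-forward chain: ISP router -> pfSense -> DMZ host.

Added example, not code from the thread or from pfSense. The topology is
modelled as a list of NAT hops, outermost first; each hop forwards ports to an
address on its inside network. Field names and the block_private_on_wan flag
are assumptions made for this example.
"""
import ipaddress

# RFC 1918 private ranges. Anything outside these on an internal segment is
# publicly routable space (the 20.0.0.0/24 point raised in the thread).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr (string or ipaddress object) lies inside an RFC 1918 range."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in RFC1918)


def check_chain(hops):
    """Walk the NAT hops from the ISP router inward and collect findings.

    Each hop is a dict with:
        name                  label used in findings
        wan_addr              address of the upstream-facing interface (None for the ISP router)
        inside_net            CIDR of the network on the inside (downstream) interface
        forwards              list of (port, target_ip) inbound NAT rules on this hop
        block_private_on_wan  (pfSense only) whether "Block private networks" is on for WAN
    Returns a list of (hop_name, code, message); an empty list means the chain is consistent.
    """
    findings = []
    for i, hop in enumerate(hops):
        inside = ipaddress.ip_network(hop["inside_net"])
        nxt = hops[i + 1] if i + 1 < len(hops) else None

        # 1. Internal segments must use RFC 1918 space.
        if not is_rfc1918(inside.network_address):
            findings.append((hop["name"], "NOT_RFC1918",
                             f"inside network {inside} is not RFC 1918 space"))

        for port, target in hop["forwards"]:
            target_ip = ipaddress.ip_address(target)
            # 2. A forward target must be on the directly attached inside network,
            #    otherwise the device has no route to deliver the translated packet.
            if target_ip not in inside:
                findings.append((hop["name"], "OFF_SUBNET_TARGET",
                                 f"port {port} forwards to {target}, which is not on {inside}"))
            if nxt is not None:
                # 3. The target must be the next NAT device's WAN address, or the forward dead-ends.
                if nxt.get("wan_addr") and str(target_ip) != nxt["wan_addr"]:
                    findings.append((hop["name"], "NEXT_HOP_MISMATCH",
                                     f"port {port} forwards to {target} but {nxt['name']} "
                                     f"listens on {nxt['wan_addr']}"))
                # 4. The next device must forward the same port onward.
                if port not in {p for p, _ in nxt["forwards"]}:
                    findings.append((hop["name"], "PORT_NOT_CONTINUED",
                                     f"port {port} is forwarded here but not on {nxt['name']}"))

        # 5. Double NAT: a private address on pfSense's WAN means the
        #    "Block private networks" WAN option has to be off (the advice in the reply above).
        if hop.get("wan_addr") and is_rfc1918(hop["wan_addr"]) and hop.get("block_private_on_wan"):
            findings.append((hop["name"], "BLOCK_PRIVATE_ON_WAN",
                             f"WAN address {hop['wan_addr']} is RFC 1918 but private networks are blocked on WAN"))
    return findings


# Constructed from the original post. The /24 on the router's LAN is an assumption.
THREAD_TOPOLOGY = [
    {"name": "isp-router", "wan_addr": None, "inside_net": "192.168.1.0/24",
     "forwards": [(443, "192.168.0.4")]},
    {"name": "pfsense", "wan_addr": "192.168.0.4", "inside_net": "20.0.0.0/24",
     "forwards": [(443, "20.0.0.2")], "block_private_on_wan": True},
]

# Constructed corrected layout: RFC 1918 DMZ, forward target on the router's LAN,
# private-network blocking disabled on the pfSense WAN.
FIXED_TOPOLOGY = [
    {"name": "isp-router", "wan_addr": None, "inside_net": "192.168.1.0/24",
     "forwards": [(443, "192.168.1.4")]},
    {"name": "pfsense", "wan_addr": "192.168.1.4", "inside_net": "10.20.0.0/24",
     "forwards": [(443, "10.20.0.2")], "block_private_on_wan": False},
]

if __name__ == "__main__":
    for label, topo in (("thread", THREAD_TOPOLOGY), ("fixed", FIXED_TOPOLOGY)):
        print(f"== {label} ==")
        for hop, code, msg in check_chain(topo) or [("-", "OK", "chain is consistent")]:
            print(f"{hop:12} {code:22} {msg}")
```

Running it on the thread's layout reports the three problems the replies point at; the corrected layout comes back clean. The checks are deliberately static (they read a description, not the live firewall), so they catch layout mistakes before any packet capture is needed.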

The only way I could make it work was to put pfSense in the Router’s DMZ and then forward the ports with pfSense.

Can I forward the port straight from 192.168.0.1 to 20.0.0.2 from pfSense? Will that work? Would I then also have to add some sort of gateway? I am absolutely new to pfSense, hence my “stupid” questions.

Do you have to have the ISP router? Usually you can replace them with a purchased stand-alone router or, in my case with a fiber connection, set it to passthrough mode. This makes it so pfSense is facing the outside world.

What exactly are you trying to give outside access to? Usually most servers need specific ports forwarded to them to gain access. Also, remember that if you are just opening a port, anyone on the internet can access the server. Great for a website or game server, but not so great for most other things. I am just making sure I am reading this right and you actually are trying to allow web traffic to a self-hosted site.

I have a web server in my DMZ that I want the world to see. I do have an ISP router, but it’s very specific because my TV works through fibre and the router is specifically configured for that. Without the router I would not have any TV. The ports I want to forward are 443, 22 and 10000.

My scenario is similar to that of “wdeswardt”.
Is there a “best practice” on what to consider if you don’t want to use MASQ on pfSense? Routing entries for the networks that are attached to the ISP firewall are already configured.

I see here the entry “Disable Outbound NAT rule (No Outbound NAT rules)” as given? Unless there is experience not to use this?

Seems like this is getting nowhere fast :(

Try posting in the Netgate Forums https://forum.netgate.com/