Port forwarding through Sonic VPN and pfSense

Advanced feature discussion, beta programs and unsupported "Labs" features.
by pratik » Sun Jan 15, 2017 1:47 pm
Here is setup:
PACE router (DMZ) -> pfSense (OpenVPN client) -> Advanced Tomato (WAN disabled, WAN bridged to LAN) -> all devices. Out of all of them, one device has a web server running at 8080; however, I don't see the web pages working.

Now I've configured port forwarding in pfSense, and canyouseeme.org can verify the port is open. Furthermore, I've tested PACE -> pfSense -> computer with web server. I can see the web page properly.

So I'm guessing I'm missing some configuration in Tomato but can't figure out what. I thought as long as WAN = disabled and Gateway = pfSense IP, Tomato should just be an extender. Is that not correct? Do I need to set up something extra?

Oh, I should mention in-network the web pages work; it's only from outside the network that I can't see them.
by Guest » Mon Jan 16, 2017 8:08 pm
Is your port forward going through the OpenVPN on pfSense? Maybe the packets are coming in through the VPN and being sent back out through the FTTN side, or vice versa. That would explain why it worked on the local network. Not sure if that's the issue, but it could be. The best thing is to check your system logs in pfSense, and you can also set up a packet capture in pfSense. Maybe take Tomato out of the loop for troubleshooting for now?
by drew.phillips » Tue Jan 17, 2017 8:57 am
I'd suspect Tomato is where the problem lies. Can you remove that and just install a switch?

Even if WAN to LAN is bridged, does that mean the WAN port has an IP? Its firewall is probably still in effect. So the outside world can see through pfSense that the correct port is open, but open doesn't mean it necessarily goes anywhere. I think it's open, and then traffic is passing through and can't reach the destination (the computer behind Tomato).

Try for a moment to just connect that individual web server to the LAN port on pfSense, and I think you'll be able to hit the page from the outside (just make sure all IPs and forwards are still correct).
Drew Phillips
Programmer / System Operations, Sonic.net
by pratik » Tue Jan 17, 2017 7:53 pm
Thanks,
1. If I connect the PC to pfSense, port forwarding works correctly.
2. When I add the PC behind the AP, that's when the problem is.

Drew,
Yes, the Tomato router still has an IP. I should actually try a switch and a bunch of wireless APs; however, right now I don't have all the hardware, so I was just trying to wing it with the router in AP mode.
If possible I'll buy the hardware and report back.
by Guest » Tue Jan 17, 2017 10:00 pm
You could put Tomato in the DMZ and point it to the PC.
by Guest » Wed Jan 18, 2017 6:43 am
Here's a script to disable the firewall in Advanced Tomato:

#!/bin/sh
# Flush every rule in the filter (default), nat and mangle tables
iptables -F
iptables -F -t nat
iptables -F -t mangle
# Delete all user-defined chains in the same three tables
iptables -X
iptables -X -t nat
iptables -X -t mangle
# Zero the packet and byte counters
iptables -Z
# Set the built-in chains to accept everything, i.e. no filtering at all
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
That said, using an AP or switch (non-router) behind pfSense is best. Or use a third party firmware (like Asuswrt-Merlin) that supports true AP mode.
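The script above turns the Tomato box into an open router: every chain accepting everything, including traffic into the box itself. The following is an added example, not from the thread and not Tomato's own code: a narrower alternative that only lets forwarded TCP traffic to the listed host:port targets through FORWARD, logs whatever FORWARD still drops so the cause can be read from dmesg, and checks the one sysctl that decides whether iptables sees bridged frames at all. The web server address 192.168.1.50 and port 8080 are assumed, as is the dispatch interface (print/apply/check).

```shell
#!/bin/sh
# Added example, not from the thread or from Tomato: a narrower alternative to
# flushing every chain. Only forwarded TCP traffic to the listed host:port
# targets is let through FORWARD, whatever FORWARD still drops is logged, and
# the sysctl that decides whether iptables sees bridged frames is checked.
# Assumed values (not from the thread): web server 192.168.1.50, port 8080.

# Print the iptables commands for a list of host:port targets. Nothing is
# applied here, so the rules can be reviewed before they touch the box.
allow_forward_rules() {
    # Replies to accepted connections pass back through FORWARD as well.
    echo "iptables -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for target in "$@"; do
        case $target in
            *:*) ;;
            *) echo "bad target '$target', want host:port" >&2; return 1 ;;
        esac
        host=${target%:*}
        port=${target#*:}
        echo "iptables -I FORWARD -p tcp -d $host --dport $port -j ACCEPT"
    done
    # Rate-limited log of whatever still gets dropped, so the reason shows up
    # in dmesg. It is appended; if the chain already ends in an explicit DROP,
    # insert it before that rule instead or it will never be reached.
    echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FWD-DROP: '"
}

# With the WAN port bridged into the LAN the web traffic is switched through
# the bridge, not routed. iptables only inspects bridged frames when this
# sysctl is 1; when it is 0 (or the file is absent), no iptables change,
# the flush script included, affects that traffic, and the filtering is
# happening somewhere else.
bridge_nf_state() {
    f=/proc/sys/net/bridge/bridge-nf-call-iptables
    if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

case "${1:-print}" in
    # run on the Tomato box as root
    apply) shift; allow_forward_rules "$@" | sh ;;
    check) echo "bridge-nf-call-iptables=$(bridge_nf_state)" ;;
    print) if [ $# -gt 1 ]; then shift; allow_forward_rules "$@"
           else allow_forward_rules 192.168.1.50:8080; fi ;;
    *)     echo "usage: $0 [print|apply host:port ...] | check" >&2; exit 1 ;;
esac
```

Run `./fwd.sh check` first: if it reports 0 or absent, iptables is not what is eating the bridged traffic and the flush script would not have changed anything either. Otherwise review `./fwd.sh print`, then `./fwd.sh apply 192.168.1.50:8080`, and watch `dmesg | grep FWD-DROP` for anything still being dropped.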
by pratik » Thu Jan 19, 2017 9:14 am
Guest wrote: Here's a script to disable the firewall in Advanced Tomato: [script quoted above]
Thanks, I'll check the Merlin FW.
by pratik » Thu Jan 19, 2017 9:16 am
Guest wrote:You could put tomato in DMZ and point it to the PC.
It gets complicated because that PC has multiple VMs running web services, and just a DMZ would only get one IP address covered.
by Guest » Thu Jan 19, 2017 3:55 pm
pratik wrote: It gets complicated because that PC has multiple VMs running web services, and just a DMZ would only get one IP address covered.
Why can't you have multiple DNS entries that resolve to the same IP? Then your web server can differentiate each request.
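The suggestion above (several names resolving to the one public IP, with the web server telling them apart by name) is name-based virtual hosting. As an added example, not from the thread, the following shell script writes an nginx reverse-proxy configuration for the single forwarded host, sending each public name to a different VM behind it. The host names, the VM addresses and the use of nginx are all assumptions; the one point worth keeping whatever proxy is used is the catch-all server block, so that requests arriving by bare IP or an unknown name are dropped instead of landing on whichever VM happens to be listed first.

```shell
#!/bin/sh
# Added example, not from the thread: one forwarded port, several web services.
# The forwarded host runs nginx as a name-based reverse proxy; each public name
# (all resolving to the same public IP) is sent to a different VM.
# Assumed names and VM addresses (not from the thread):
#   app1.example.com -> 192.168.1.51:8080, app2.example.com -> 192.168.1.52:8080

# Emit one nginx server block for a "name=backend" pair.
vhost() {
    name=${1%%=*}
    backend=${1#*=}
    cat <<EOF
server {
    listen 8080;
    server_name $name;
    location / {
        proxy_pass http://$backend;
        # Keep the original Host so the VM can itself tell names apart,
        # and pass the client address on so the VM logs it, not the proxy.
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Full config: a catch-all first. A request by bare IP or an unknown name
# (port scanners, bots) gets the connection closed (nginx's 444) instead of
# silently being served by whichever VM is listed first.
generate_config() {
    cat <<'EOF'
server {
    listen 8080 default_server;
    server_name _;
    return 444;
}
EOF
    for pair in "$@"; do
        vhost "$pair"
    done
}

generate_config app1.example.com=192.168.1.51:8080 app2.example.com=192.168.1.52:8080
```

Redirect the output into the nginx conf.d directory on the forwarded host and run `nginx -t` before reloading; every name you add only needs a DNS record pointing at the public IP and one more `name=backend` argument.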
by pratik » Sat Feb 25, 2017 10:01 am
I just added a switch and connected the servers to the switch.
It is working correctly now. I probably need to set up a proper gateway for my web servers (the web server is accessible through the internet, but the server itself can't access the internet).
