pfsense and port forwarding help

I know this should be super simple thing to do but I've spent all morning on this and it's driving me nuts.

I've got a pfsense router with three networks - LAN, IOT and DMZ. DMZ has FW rules to fully open it up to WAN. On the DMZ network I have a web server set up on 192.168.0.50 and I'm trying to make this accessible to the internet. I also have a static IP set up with my ISP.

I've set up port forwarding but no joy. I can access the address internally but I can't even ping the external IP (I'm using my phone to test external access).

It's as though there is another setting somewhere that I'm overlooking. Any ideas?

 

What ISP are you with? Have you disabled CG-NAT (if possible)?

You shouldn't need port forwarding if the sever is in your DMZ?

 

Thanks for your reply, I'm with ABB and it looks like CGNAT is the problem. When I got the static IP from them they disable CGNAT but will still block ports 80 and 443, you need to contact them directly to have those unblocked.

I've just done that, so will see if will work in an hour or so.

 

That's not how pfSense works. Unlike some consumer routers, there is no such thing as a preconfigured DMZ network in pfSense and you need to manually configure the port forwards and firewall rules required.

Why are you specifying a gateway group in your WAN firewall rules? I can see you have multiple gateways but specifying the gateway in the WAN rules is unnecessary as pfSense knows what the gateway for the WAN network interface is. It's not like one of the internal LAN interfaces where you may want to create a firewall rule that redirects outbound traffic through a specific gateway. Here's an example WAN port forward rule which I use for my Plex server (note I'm using IP aliases instead of IP addresses and also restricting it to certain external IPs corresponding to the IP alias plex_workers).


If you use the option to create and associated filter rule then it will automatically create the corresponding WAN firewall rule. This is mine below:


These are how the rules look in the NAT port forward and WAN firewall rules

You won't be able to as you don't have a WAN rule to permit incoming ping requests to the WAN address so pfSense will drop them by default. You need to add one (example below with IPv4+IPv6 as I have IPv6 enabled)

That will help, but you may still need to make the changes above.

 

Ah ha! This was also the problem, I thought since I had VPN's I should specify the gateway, as I didn't want this going through the VPN. I put the gateway setting back on default and it's all working now.

Awesome stuff, thanks for your help, I was going nuts!

 

With pFsense try to keep the rules simple and only add things in that are required.