Resolving Port Forwarding Issue With pfSense
Recently, I had been having issues with granting remote access to some of my home-hosted services. This is how I resolved it.
Below is a rudimentary diagram of my home network. Internet access comes through a "home hub" supplied by Vodafone, but the whole network sits behind a separate pfSense router, because I just don't trust ISPs not to ship exploitable flaws in their hubs, or not to deliberately grant third parties access. I also keep the hub's wireless disabled.
Unfortunately, the Vodafone hub cannot be put into bridge mode. It therefore has to keep a local IP address, and traffic from the Internet is NAT-translated by the hub before it reaches the pfSense WAN interface. Connecting pfSense directly to the Internet would be preferable, but getting an ISP to cooperate can be a real pain, and this is a good fallback setup that works with any ISP.
I had configured the Vodafone hub to send all traffic through to the pfSense router, but even after setting up port-forwarding rules on pfSense, traffic still wasn't getting through.
Luckily, the firewall logs usually tell you why. Go to Status > System Logs, as shown below:
Then click Firewall (1) and click the Time column (2) so that the latest entries appear at the top (I don't know why this isn't the default). Now trigger a connection, refresh, and the rule that is blocking you should show up. In this case it is the built-in rule on the WAN interface that blocks private networks: because the hub NATs the traffic, the packet arrives on WAN with the hub's local address as its source, so that rule matches.
Adding Pass Rule
You may be tempted to click the plus icon in the log to add a rule that lets this traffic pass:
However, if you try to connect, it will still fail. If we view the firewall rules, we see our added rule (1), but the WAN rule that blocks private networks sits above it. pfSense evaluates rules top to bottom and acts on the first match, so the traffic is blocked before our rule is ever reached.
Unfortunately, we cannot drag our rule (or any rule, for that matter) above these two built-in WAN rules, because they are generated from the WAN interface settings rather than from the rule list. So what we need to do is go to the WAN interface settings and untick that option. You can get to the relevant page quickly by clicking the cog icon next to the rule.
Then scroll to the bottom of the page and make sure the indicated checkbox, "Block private networks and loopback addresses", is unticked (1), before clicking Save (2) and then Apply Changes.
Now if you try to connect, it should work. Bear in mind that with this option off, the WAN interface will accept packets from any private source address that reaches it, not just the hub's, so keep your pass rules as narrow as you can (specific destination port and, ideally, the hub's subnet as source).
Optional - Manually Block Private Networks
Our problem was that we couldn't move our pass rule above the built-in private-network rule. However, we can recreate that rule by hand: add one block rule per private range on WAN (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, plus 127.0.0.0/8 for loopback), then make sure our pass rule is ordered above them, like so:
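To make the ordering point concrete, here is a small first-match rule evaluator that mimics how pfSense walks the WAN rule list. It is an added example written for this post, not pfSense code or anything from the original article, and it never talks to a router. The hub subnet 192.168.1.0/24, the hub address 192.168.1.1 and the service port 8443 are assumed values. It compares three layouts: the rules as first found (built-in block above the port forward), the quick fix (private-network block unticked), and the manual layout from this section (a narrow pass for the hub above hand-written per-CIDR blocks).

```python
"""First-match firewall rule evaluation as pfSense applies it on WAN.
Constructed example for illustration only; not pfSense code.
Assumed values: hub subnet 192.168.1.0/24, hub address 192.168.1.1,
forwarded service port 8443."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 ranges plus loopback: what the WAN option "Block private
# networks and loopback addresses" drops before any user rule is seen.
PRIVATE_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: str = "any"              # source CIDR, or "any"
    dport: Optional[int] = None   # destination port, None = any port
    label: str = ""


def evaluate(rules: List[Rule], src_ip: str, dport: int) -> Tuple[str, str]:
    """Walk the rules top to bottom and return (action, label) of the first
    match. If nothing matches, the implicit default on WAN is to block."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src != "any" and ip not in ipaddress.ip_network(r.src):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, r.label
    return "block", "default deny"


def block_private_rules() -> List[Rule]:
    """Hand-written equivalents of the built-in private-network block."""
    return [Rule("block", str(n), None, f"block private {n}") for n in PRIVATE_NETWORKS]


HUB_LAN = "192.168.1.0/24"   # assumed: subnet on the LAN side of the ISP hub
HUB_IP = "192.168.1.1"       # assumed: source address the hub forwards from
SERVICE_PORT = 8443          # assumed: port of the forwarded home service

# The port forward's associated pass rule: any source, the service port.
PORT_FORWARD = Rule("pass", "any", SERVICE_PORT, "NAT port forward")

# 1. As first found: the built-in block sits above everything, so the
#    hub's private source address never reaches the pass rule.
ORIGINAL = block_private_rules() + [PORT_FORWARD]

# 2. Quick fix: the private-network option unticked, so only the port
#    forward remains. Any private source, not just the hub, now gets in.
OPTION_UNTICKED = [PORT_FORWARD]

# 3. Manual layout: a narrow pass for the hub's subnet first, then the
#    per-CIDR blocks, then the port forward for genuine Internet sources.
MANUAL = [Rule("pass", HUB_LAN, SERVICE_PORT, "allow hub")] \
    + block_private_rules() + [PORT_FORWARD]


if __name__ == "__main__":
    layouts = (("original", ORIGINAL), ("option unticked", OPTION_UNTICKED), ("manual", MANUAL))
    probes = ((HUB_IP, SERVICE_PORT), ("10.0.0.5", SERVICE_PORT),
              ("203.0.113.7", SERVICE_PORT), (HUB_IP, 22))
    for name, rules in layouts:
        print(f"--- {name}")
        for src, port in probes:
            print(f"{src}:{port} -> {evaluate(rules, src, port)}")
```

Run it and compare the `10.0.0.5` probe across the three layouts: the unticked-option layout lets a stray private source reach the forwarded port, while the manual layout still blocks it and only admits the hub's own subnet. That difference is the reason for preferring the manual rules when you have time to set them up.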
I've shown how to configure pfSense to accept traffic forwarded from your ISP hub's NAT. This is quick and easy and will probably be good enough for most people. However, I don't like having to switch off the WAN rule that blocks private networks, so if you have the time and the knowledge, I would prefer a setup that keeps that rule in place and instead combines a VPN with a reverse proxy: a port-forwarding server inside your network connects out to a VPN server in the cloud, and the relevant port-forwarding rules are added on both servers. Because the tunnel is initiated from inside, it gracefully bypasses any number of NATs and firewalls that would otherwise get in the way.
First published: 7th April 2022