Netgate Discussion Forum

    how to allow access from wan subnet

      jacobosbourne
      last edited by

      First my networking knowledge is low, which is why I am practicing on pfsense.

      My pfsense box wan is on 192.168.1.0 subnet. This subnet is my regular home network. I want devices on 192.168.1.0 subnet to communicate with devices on my pfsense lan which is on 192.168.5.0 subnet.

      I am not sure how to do this.

      I hope you understand what I am trying to do.

        NogBadTheBad @jacobosbourne
        last edited by NogBadTheBad

        @jacobosbourne Are you trying to route traffic from 192.168.1.0/24 to the LAN behind your pfSense router?

        If it’s internet traffic to your LAN subnet, your problem is the WAN router is using a non-routable IP address.

        I’m guessing you have another router upstream.

        Can you put the upstream router into modem mode?

        Andy

        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

          jacobosbourne @NogBadTheBad
          last edited by

          @nogbadthebad I can’t change it, I have other devices receiving ips from it.

          All I really wanna do is allow my main computer which is 192.168.1.17 (same subnet as wan on pfsense) communicate with devices on 192.168.5.0 subnet (pfsense lan subnet)

            NogBadTheBad @jacobosbourne
            last edited by NogBadTheBad

            @jacobosbourne Disable "Block private networks and loopback addresses" via Interfaces -> WAN, it's at the bottom.

            Add a WAN rule to allow 192.168.1.0/24 to LAN net.

            Add a static route on your router connected to the internet for the LAN network pointing to your pfsense WAN interface.

            Then you'll need to have a look at NAT or disable it.

            Does 192.168.1.17 have two network ports? It might be easier to dual connect it if it has.

            https://www.netgate.com/resources?type=Videos

            Andy

            1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

              SteveITS Galactic Empire @jacobosbourne
              last edited by

              @jacobosbourne On Interfaces/WAN uncheck "Block private networks and loopback addresses." Then ensure you have a NAT rule on WAN allowing it.

              Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
              When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
              Upvote 👍 helpful posts!

                johnpoz LAYER 8 Global Moderator @NogBadTheBad
                last edited by

                @nogbadthebad said in how to allow access from wan subnet:

                Add a static route on your router connected to the internet for the LAN network pointing to your pfsense WAN interface

                This is almost never going to work with just a soho wifi router because they are going to have hosts on this network, and it's not a true transit network - they will end up with asymmetrical traffic flow. If all you have is a soho wifi router and no way to actually create a transit network, your best bet is to just let pfsense downstream nat and use port forward, and yes you would have to turn off the block rfc1918 network on pfsense wan.

                Best is to put pfsense at the edge and then use your old wifi router as just an AP, then you can have multiple networks behind pfsense.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  NogBadTheBad @johnpoz
                  last edited by

                  @johnpoz said in how to allow access from wan subnet:

                  @nogbadthebad said in how to allow access from wan subnet:

                  Add a static route on your router connected to the internet for the LAN network pointing to your pfsense WAN interface

                  This is almost never going to work with just a soho wifi router because they are going to have hosts on this network, and it's not a true transit network - they will end up with asymmetrical traffic flow. If all you have is a soho wifi router and no way to actually create a transit network, your best bet is to just let pfsense downstream nat and use port forward, and yes you would have to turn off the block rfc1918 network on pfsense wan.

                  Best is to put pfsense at the edge and then use your old wifi router as just an AP, then you can have multiple networks behind pfsense.

                  Yup, he could add the static route on 192.168.1.17.

                  Andy

                  1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                    johnpoz LAYER 8 Global Moderator @NogBadTheBad
                    last edited by

                    @nogbadthebad said in how to allow access from wan subnet:

                    Yup, he could add the static route on 192.168.1.17.

                    Yeah, if you're going to have hosts on your transit you would need to do host routing. It's a hack, not a true setup anyone should want, when it's simple enough to set it up correctly.

                    To be honest you would almost never actually want/need a downstream router, you're going the wrong direction that way to be honest. Just replace your edge with pfsense, use your old wifi router as just an AP as the transition phase until you can get an AP that allows vlan and switches that can as well if you want to set up a real network ;)

                    Yes, in a large enterprise network you would see routing done internally all the time vs just at the edge. But in a small network or home or home with lab setup it just doesn't really make sense other than as a learning experience. And if you're wanting to learn, then do it correctly with a transit network. Sure, if you want to play with why it doesn't work when you have hosts on a transit and the asymmetrical traffic flow that will result - sure have at it. But I would set it up correctly, then break it by putting hosts on your transit and see why the asymmetrical flow is not good when you have stateful firewalls also in play.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11
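
The two static-route placements discussed in this thread (on the internet-facing router versus on 192.168.1.17 itself), modelled as an added example that is not part of any post. The router, pfSense and LAN-host addresses are constructed assumptions, and the model covers routing only: no NAT, firewall rules or ICMP redirects.

```python
import ipaddress

# Constructed lab model. Only 192.168.1.0/24, 192.168.5.0/24 and 192.168.1.17
# come from the thread; every other address here is an assumption.
HOME, LAB = "192.168.1.0/24", "192.168.5.0/24"
OWNER = {"192.168.1.17": "pc", "192.168.1.1": "soho", "192.168.1.2": "pfsense",
         "192.168.5.1": "pfsense", "192.168.5.10": "labhost"}

def tables(router_route=False, host_route=False):
    """Per-node routes as (prefix, next hop); next hop None means on-link."""
    t = {
        "pc": [(HOME, None), ("0.0.0.0/0", "192.168.1.1")],
        "soho": [(HOME, None)],  # its internet default route is out of scope
        "pfsense": [(HOME, None), (LAB, None), ("0.0.0.0/0", "192.168.1.1")],
        "labhost": [(LAB, None), ("0.0.0.0/0", "192.168.5.1")],
    }
    if router_route:   # static route on the internet-facing router
        t["soho"].append((LAB, "192.168.1.2"))
    if host_route:     # static route on 192.168.1.17 itself
        t["pc"].append((LAB, "192.168.1.2"))
    return t

def path(t, src_ip, dst_ip):
    """Follow longest-prefix-match forwarding and return the nodes crossed."""
    dst = ipaddress.ip_address(dst_ip)
    node = OWNER[src_ip]
    hops = [node]
    while node != OWNER[dst_ip]:
        matches = [(ipaddress.ip_network(p), nh) for p, nh in t[node]
                   if dst in ipaddress.ip_network(p)]
        if not matches:
            raise LookupError(f"{node} has no route to {dst_ip}")
        _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        node = OWNER[next_hop or dst_ip]
        hops.append(node)
    return hops

def one_way_devices(t, a, b):
    """Devices that forward only one direction of the a <-> b conversation."""
    return sorted(set(path(t, a, b)) ^ set(path(t, b, a)))

if __name__ == "__main__":
    pc, lab = "192.168.1.17", "192.168.5.10"
    for label, t in (("route on router", tables(router_route=True)),
                     ("route on host", tables(host_route=True))):
        print(label, path(t, pc, lab), path(t, lab, pc), one_way_devices(t, pc, lab))
```

With the route on the router, the router carries only the PC-to-LAN direction, because pfSense answers 192.168.1.17 directly on its WAN segment; with the route on the host, both directions cross the same devices.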

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.