Reach LAN from WAN through ISP router and VPN
-
Hello,
I have an ISP router that I use as my main router. I want to put a portion of my LAN behind a Netgate firewall and have it completely accessible via VPN, and from only one device locally on my ISP router's LAN. Is there a way?
-
@kilogica
I assume, you plan to run the VPN server on pfSense itself.
So the setup is simply straight forward on pfSense and the devices behind it.
On the ISP router you have to forward the VPN packets to the pfSense WAN IP.
In the WAN interface settings of pfSense you have to uncheck "Block private networks" to get access from the router's LAN.
And for accessing the network behind pfSense, you will need to add a static route to the specific device and additionally add a pass rule on pfSense WAN to permit it.
Another option is to run a VPN as well and connect to the pfSense WAN IP.
-
@viragomann Thanks!
So basically, once the VPN is set up and I've forwarded the traffic on my ISP router (maybe with DMZ), all I have to do is add a static route and a pass rule, both on pfSense, right?
I'm sorry, but it's all quite new to me and my knowledge is pretty basic.
-
@kilogica
For setting up an OpenVPN server on pfSense you can run the wizard. It does almost all necessary settings automatically, including the firewall rule on WAN to permit VPN access.
But yes, on the ISP router you have to forward the traffic, or even set pfSense as DMZ / exposed host or whatever it is called on the router.
The static route would be necessary on the device in front of pfSense to access the LAN behind it, not on pfSense.
Without that the device would send traffic destined to the LAN behind pfSense to the router.
But as mentioned, you can also connect to the VPN server to access the inner LAN without adding a static route.
-
@viragomann Oh, I see, thanks!
So, for example:
My ISP subnet is 192.168.1.0/24
My pfSense LAN is 192.168.2.0/24
My pfSense WAN IP address is 192.168.1.125
If I want to reach the server with IP address 192.168.2.10 from a PC on the ISP subnet I have to:
set a static route for 192.168.2.10 through 192.168.1.125 as gateway, and add a pass rule on the WAN firewall for traffic coming from the 192.168.1.0/24 subnet.
Otherwise I can use VPN for both remote access and local access.
Is that correct?
Thank you a lot for your help
-
@kilogica said in Reach LAN from WAN through ISP router and VPN:
If I want to reach the server with IP Address 192.168.2.10 from a PC on ISP subnet I have to:
add a pass rule on WAN firewall for traffic coming from 192.168.1.0/24 subnet.
I would be careful with that rule and not allow access to the whole subnet 192.168.1.0/24.
Some consumer routers do masquerading on forwarded traffic, so that all packets from the internet get the router's internal IP. Hence with that rule you would allow anything in from the internet. So either check how your router handles forwarded traffic first, or restrict access to specific IPs.
If multiple IPs should have access, you can add an alias under Firewall > Aliases > IPs and add all desired IPs to it. This alias can then be used as the source in the firewall rule.
set a static route for 192.168.2.10 through 192.168.1.125 as gateway
You can set the static route for the whole subnet behind pfSense at once, assuming you want to access multiple devices.
-
@viragomann ok, thanks.
No, I want to access only one device through the LAN, so setting the static route only for one IP address is fine for me.
Maybe I'll let in only a couple of devices and leave all the rest to a VPN.
Otherwise, could it be safer if I leave the router IP out of the rule? If I understood the basics, masquerading makes all the forwarded packets look as if they're coming from my ISP router IP, so if I block access to the LAN behind pfSense for that specific IP it may be good, right?
-
@kilogica said in Reach LAN from WAN through ISP router and VPN:
Otherwise, could it be safer if I leave the router IP out of the rule?
As there is no need to give the router (or the ISP coming in through it) any access to your network that's a good decision in my opinion.
If I understood the basics, masquerading makes all the forwarded packets look as if they're coming from my ISP router IP, so if I block access to the LAN behind pfSense for that specific IP it may be good, right?
This all depends on how your router works, whether it does masquerading on inbound traffic or not. If it does, there should be an option to disable it, but I don't know.
Imagine it does; then the block rule would block forwarded VPN traffic as well. So you will have to configure your rules in a proper order to pass what you need and block the rest.
So just check whether the router does masquerading: forward traffic to the pfSense WAN IP, then start a packet capture on pfSense WAN (Diagnostics > Packet Capture) and trigger some traffic from outside.