Access Point doesn't like to be managed from outside subnet/VLAN
-
I set up a VLAN and put an access point on that subnet to access my IoT devices. Everything works as expected. I can access the VLAN subnet from the main subnet, but not vice versa. DNS works everywhere. I can ping the access point from both subnets. I can telnet to it from both subnets. I can connect to its web administrator on its own subnet, but I get a 404 error from the main LAN.
I understand the issue is not with pfSense, it's with the access point. There's something about the way it works that prevents me from accessing it from outside its subnet. Is there anything I can do to get around this issue?
-
@gpinzone if your device doesn't have a gateway set, then no, you wouldn't be able to access it from another network.
If you cannot put a gateway on the device, one workaround is to do a source NAT, where traffic coming from some other network/VLAN looks like it's coming from the pfSense IP on the device's network.
So let's say this AP is on your OPT1 network; let's say its IP is 192.168.1.1/24 on pfSense, and your device is, say, 192.168.1.2/24 on this OPT1 network.
If you want to access it from, say, your LAN, which is 192.168.0.0/24, then on the OPT1 interface create an outbound NAT rule that says: any traffic going to 192.168.1.2 from 192.168.0.0/24, NAT that to the OPT1 pfSense interface, 192.168.1.1.
Now your device on 192.168.1.2 thinks you're talking to it from 192.168.1.1, which is on its own network and which it can talk to just fine.
Edit: see, I do that here:
When my 192.168.9.100 box wants to talk to 192.168.2.42, it NATs the traffic to the pfSense WLAN interface IP, which is 192.168.2.253. I did this to get around an issue with that box being multihomed and having asymmetrical routing issues. When I talked to it on its 192.168.2.42 address it was responding via its 192.168.9.x address instead of using its 192.168.2.42 address and sending the traffic back to pfSense.
-
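Added editorial example, not code from either poster: the outbound NAT rule described above, written in the pf syntax that pfSense generates into /tmp/rules.debug, using the interface and addresses from the example (OPT1 = 192.168.1.1/24, AP = 192.168.1.2, LAN = 192.168.0.0/24). The `$OPT1`/`$LAN` macros and the exact shape of the generated rule are assumptions about pfSense's ruleset, not copied from a real install. In the GUI the equivalent is Firewall > NAT > Outbound, and the mode there must be Hybrid or Manual, since Automatic mode ignores manually added rules.

```pf
# Added example (assumed topology from the post above):
#   OPT1 = 192.168.1.1/24 on pfSense, AP = 192.168.1.2, LAN = 192.168.0.0/24
# pfSense writes rules of roughly this shape into /tmp/rules.debug; the
# macro names are an assumption. On pfSense, create the rule in
# Firewall > NAT > Outbound rather than editing pf.conf by hand.

# Outbound NAT rule:
#   Interface: OPT1   Source: 192.168.0.0/24   Destination: 192.168.1.2/32
#   Translation: interface address (192.168.1.1)
# Scoped to the AP's address only, so the rest of OPT1 still sees real
# LAN source addresses.
nat on $OPT1 inet from 192.168.0.0/24 to 192.168.1.2/32 -> 192.168.1.1/32

# NAT does not bypass filtering on the ingress interface: a LAN rule must
# still allow the management traffic (here the web admin ports).
pass in quick on $LAN inet proto tcp from 192.168.0.0/24 to 192.168.1.2 port { 80 443 }
```

To check that the rule is actually loaded (it will not be if Outbound NAT is still in Automatic mode), run `pfctl -s nat` from the pfSense shell and look for the 192.168.1.2 line; with a browser session open, `pfctl -s state` shows the state with the LAN client's address rewritten to 192.168.1.1. One caveat worth noting: after this, the AP's own logs will show every administrator as 192.168.1.1, so it can no longer tell LAN hosts apart.
-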
@johnpoz Thank you for that idea. I just tried it on my end:
The VLAN is called UNTRUSTED. It just so happens that the IP address of the PC on the main LAN is 192.168.69.100, so I wasn't just blindly copying from your example.
I'm still getting a 404 error when accessing 192.168.70.250 from 192.168.69.100.
-
@gpinzone well, a 404 normally would be the device answering you, saying "sorry, cannot find what you're looking for". If that's the error you're getting, it's not really a "network" problem, since you can clearly talk to it and it sends back a 404 saying that what you're looking for isn't there.
-
@johnpoz AH! Sorry. I did not catch the change with the mode options.
I made the correct rule, but it was being ignored due to the mode. I changed it to Hybrid and it works perfectly.
I also expanded the range to the entire subnet instead of a single IP address for the Source.
Thank you! It works.
-
@gpinzone where exactly were you seeing a 404 error? Does the device send a 404 if you're not on its local network? That is a bit odd; I would think a 403 for denied would be more likely.
-
@johnpoz It was a 404. It's a Netgear router configured to be an access point. I think there might be some hardcoded behavior where it might try to redirect you to http://routerlogin.net that's gone haywire when used like this. Other people have confirmed this behavior with this particular router operating as an AP when accessed from a different subnet.
-
@gpinzone do you have it in some sort of AP mode it supports, or are you just turning off its DHCP server and connecting it to your network via one of its LAN interfaces?
Most of those SOHO Wi-Fi routers do not allow you to set a default gateway for the LAN interface, so I'm curious how you could or would get anything back from it, i.e. your 404 error.
Glad you got it sorted.
-
@johnpoz Yes, it's in AP mode. That option shuts off a lot of the typical router functions and requires the pfSense DHCP server to give it an IP.
I think the device has some kind of hardcoded security "feature" or the web server code is just buggy. Knowing Netgear, it's probably the latter, but it could be some kind of ham-handed way to add some friction to hackers or nosy users. I have no idea.
It's not a routing issue since the problem is only with the web-based administrator interface. I can telnet and ping the device without the NAT translation.
-