WAN TO LAN

jhmc93

@patient0 can u help?

SteveITS

@jhmc93 said in WAN TO LAN:

So port forward on the ISP side or the PfSense side?
If so how would the rule be done?

If you want only the ISP router LAN to have access then you would not want to forward on the ISP router also, since that would let the entire Internet in to the pfSense WAN.

NAT rule:
source: WAN network
destination: WAN IP
destination port: whatever unique port you want, say 2222
redirect target IP: your server on LAN
redirect target port: SSH/22

then connect to pfSense-WAN:2222.

https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#adding-port-forwards

jhmc93

@SteveITS what have i done wrong:

SteveITS

@jhmc93 NAT IP is the IP of the PC on LAN.

Dest Address is the IP of pfSense WAN.

You would SSH to pfSense WAN port 2222 and it forwards that to NAT IP port 22.

jhmc93

@SteveITS NAT IP is the pc on ISP LAN or the pfssense LAN? if so them rules are right and I'm getting nothing

patient0

@jhmc93 the NAT IP is the IP of the PC on the pfSense LAN.

Devices in front of the pfSense WAN can't see the device on the pfSense LAN, because of NAT. All they can see is the pfSense WAN IP, nothing behind it.

Port forwarding works by setting up a rule for e.g. "if a request to pfSense WAN to port 2222 arrives, redirect it to NAT IP on NAT port.

Dest. Address -> pfSense WAN IP (in the ISP router network)
Dest. Ports -> 2222 looks good
NAT IP -> IP of client on pfSense LAN you want to access
NAT Port -> TCP/22 in case of SSH

jhmc93

@patient0 my bad ubuntu machine had ssh disabled. All working, Question, how will I be able to set the rule so it lets me use my traefik dns records stored on pihole

patient0

@jhmc93 said in WAN TO LAN:

Question, how will I be able to set the rule so it lets me use my traefik dns records stored on pihole

Similar to the SSH, you would have to forward DNS request to the pfSense WAN.
Let's say you forward port UDP/10053 on pfSense WAN to port UDP/53 on pihole. That way clients can query the pihole on pfSense-WAN:10053 and get the result from pihole.

BUT knowing the IP (IPs?) of the Traefik in the pfSense LAN won't be of much use for you. You get back pfSense LAN IPs and you'll need port forwards again to access it. (I looked up traevik -> cloud native application proxy) Of course you can forward a range of port to it.

jhmc93

@patient0 So
traefik runs on pfsense LAN on IP: 10.84.62.5
Pihole instance is running on ISP LAN IP: 192.168.0.8
So my Pfsense has 192.168.0.8 as the dns server and then in the A record it points to my traefik IP,
hope this helps in helping me do a rule

patient0

@jhmc93 said in WAN TO LAN:

So my Pfsense has 192.168.0.8 as the dns server and then in the A record it points to my traefik IP,
hope this helps in helping me do a rule

Yes, is understand. But if a client on the ISP LAN asks the pihole for the traefik IP, it get's back a pfSense LAN IP, no - something like 192.168.0.x? What use is that IP for a ISP LAN device? It can't access it anyway, the whole 192.168.0.0/24 network is hidden behind the NAT of the pfSense?

jhmc93

@patient0 So my pihole that runs on ISP LAN is pointing to my Traefik on the PfSense LAN but... the IP of the Traefik instance that the A record is pointing to is a Tailscale IP

patient0

@jhmc93 said in WAN TO LAN:

pihole that runs on ISP LAN

Ah, sorry I got that mixed up, I'm old and almost senile :/

the IP of the Traefik instance that the A record is pointing to is a Tailscale IP

Okey, I have no idea how to make that work.

Tailscale has it's own DNS, MagicDNS or something, no? And the Tailscale IPs are 100.x.x.x IPs, no? Is Tailscale running on traevik itself?

pfSense has no route to that 100.x IP, it seems easier to use a Tailscale DNS if possible, but that is not something I know anything about.

jhmc93

@patient0 what if I changed it to the local IP on the A record, the rule u sent above could that be doable if the redirect ip was the pihole instance?

jhmc93

@patient0 did that make sense

patient0

@jhmc93 said in WAN TO LAN:

what if I changed it to the local IP on the A record, the rule u sent above could that be doable if the redirect ip was the pihole instance?

Mmhh, the issue would still be that the local IP is of the pfSense LAN (10.84.62.0/24?) and of no use for ISP LAN devices.

If you setup port forwarding on the pfSense to traevik, let's say port 9000 to 9500 will be forwarded to traevik, then the A record for traevik on pihole would be the pfSense IP 10.84.62.5.

I realize that I don't know how Traefik works, does it work with ports to choose to which service to forward or with URLs/paths?

jhmc93

@patient0 all ports are set in traefik config so local.example.com points to port 9000 in the traefik config so when u add the dns cname record it goes through pihole and traefik resolves local.example.com to port 9000 that's set in traefik yaml config

also are u saying due to my pihole being on my isp lan it wont connect to my traefik ip on the pfsense lan?

jhmc93

@patient0 r u there?

patient0

@jhmc93 Nope, it was nighttime.

See, I don't think I'll be able to help, I do lack the patient.

I read through your other thread "Local DNS Records on different subnet" (start in Nov '24) and @johnpoz and @stephenw10 know a lot more about networking than I do (plus I'm not even sure you are real anymore ;) , although persistent).

Up to now on this thread:

• ISP LAN 192.168.0.0/24
• pihole on ISP LAN IP 192.168.0.8
• pfSense WAN IP 192.168.0.? (192.168.0.75?)
• pfSense LAN network 10.84.62.0/24
• pfSense LAN IP 10.84.62.1 (correct?)
• Traevik server on pfSense LAN IP 10.84.64.5

But earlier you posted a screenshot of a NAT port forwarding rule to IP 70.86.90.2. What on earth is that IP? First it's a public IP and ... just don't do that. And besides where does that network come from?

On the other thread you suddenly show a WAN firewall rule with destination 192.168.11.11 and a bit later you set a route on your Windows 11 client but for network 70.86.9.0/24.

You really making your life and ours more difficult than necessary.

I don't know, invite some networking friend of yours to your home and set it up with him/her.

General: the routing solution that @stephenw10 suggested is probably better anyway since the DNS A record your pihole would return is correct for ISP LAN clients and pfSense LAN client.
With NAT you don't have to set a route on the clients but the pihole has to conditionally answer. For ISP LAN clients with the pfSense WAN IP and for requests from pfSense LAN (via pfSense WAN IP) with the 'real' Traevik IP 10.84.62.5. But I'm not even sure it would work.

jhmc93

@patient0 so, 79.86.90.1 is my test machine to see if I can get it going before I put it in production on my 10.84.62.0 lan pfsense,
Wouldn’t a rule in port forward.
Like what u did above but it redirects traffic to my trafeik ip from my pihole instance on my isp lan?

jhmc93

@patient0 guess it wouldn’t work then