LAN and WIFI standalone with 1 cross-access IP
-
I gave up on using the wireless on my alix 2d13… so I bought a standalone AP.
I have 3 interfaces set up:
- WAN (DHCP)
- LAN (192.168.2.1)
- WIFI (192.168.4.1)
DHCP servers are set up for LAN and WIFI in their own subnets.
The DNS forwarder is set up for LAN and WIFI; the options checked are:
- Register DHCP leases in DNS forwarder
- Register DHCP static mappings in DNS forwarder
- Do not forward private reverse lookups
Though oddly, nslookup doesn't seem to resolve on either LAN or WIFI. Connections to the WAN correctly work from LAN and WIFI.
What I'm trying to do is have one static address on the LAN accessible on the WIFI (a file server). I have the firewall rules in to allow it and I don't see it getting blocked in the logs.
The thing I can't figure out is that the addresses on the LAN can reach the ones on the WIFI, but the ones on the WIFI can't reach the ones on the LAN.
| Proto | Source | Port | Destination | Port | Gateway | Queue | Description |
|---|---|---|---|---|---|---|---|
| IPv4+6 TCP/UDP | * | * | ManagementAccess | 80 (HTTP) | * | none | Deny access to firewall management from WIFI HTTP |
| IPv4+6 TCP/UDP | * | * | ManagementAccess | 443 (HTTPS) | * | none | Deny access to firewall management from WIFI HTTPS |
| IPv4 TCP | WIFI net | * | Server | 22 | * | none | Allow SSH WIFI to LAN |
| IPv4 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN |
| IPv6 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN IPv6 |
| IPv4 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN |
| IPv6 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN IPv6 |

A side note: I also have access to the pfSense web GUI blocked from WIFI.
It seems like a DNS issue. Do I need to create a bridge… or can I create a static mapping for that one IP?
-
Can you ssh to the server IP address? No, you don't need a bridge.
-
When accessing devices only on WIFI, nslookup and ping work.
When accessing devices only on LAN, nslookup and ping work (though not nslookup on the static IP entries, which includes this server).
I can ping and do nslookup going from LAN to WIFI.
I cannot ping and do nslookup going from WIFI to LAN (SSH does work either).
-
| Proto | Source | Port | Destination | Port | Gateway | Queue | Description |
|---|---|---|---|---|---|---|---|
| IPv4+6 TCP/UDP | * | * | ManagementAccess | 80 (HTTP) | * | none | Deny access to firewall management from WIFI HTTP |
| IPv4+6 TCP/UDP | * | * | ManagementAccess | 443 (HTTPS) | * | none | Deny access to firewall management from WIFI HTTPS |
| IPv4 TCP | WIFI net | * | Server | 22 | * | none | Allow SSH WIFI to LAN |
| IPv4 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN |
| IPv6 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN IPv6 |
| IPv4 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN |
| IPv6 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN IPv6 |

Those rules look good regarding SSH access to the server, blocking access to LAN, and passing all else. But I don't see rules passing DNS or ICMP (ping).
![Screen Shot 2014-10-07 at 11.12.58 PM.png](/public/imported_attachments/1/Screen Shot 2014-10-07 at 11.12.58 PM.png)
-
Looking at it again, you don't have the "block all dest local_nets_v4" rule like I do, so your final pass rules should catch DNS and pings.
Please let us know what the DNS configuration is.
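The replies above reason about which rule in the WIFI list a given flow hits, which is a first-match walk down the interface's rule set. As an added example that is not from the thread or from pfSense, here is a small first-match evaluator in Python loaded with the WIFI rules exactly as posted. The thread gives only the interface addresses, so the /24 masks, the file server address 192.168.2.10 and the members of the ManagementAccess alias (taken here to be the firewall's LAN and WIFI addresses) are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Interface addresses are from the thread; the /24 masks, the server
# address and the ManagementAccess alias members are assumptions.
LAN_NET = ipaddress.ip_network("192.168.2.0/24")
WIFI_NET = ipaddress.ip_network("192.168.4.0/24")
SERVER = ipaddress.ip_address("192.168.2.10")  # assumed file-server address
MANAGEMENT = {ipaddress.ip_address("192.168.2.1"),
              ipaddress.ip_address("192.168.4.1")}  # assumed alias members


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp", "tcp/udp", or "*"
    src: str              # "WIFI net" or "*"
    dst: str              # "LAN net", "Server", "ManagementAccess" or "*"
    dport: Optional[int]  # None means any destination port
    desc: str


def _match_addr(selector: str, addr) -> bool:
    """Resolve the pfSense-style source/destination selector against an address."""
    if selector == "*":
        return True
    if selector == "WIFI net":
        return addr in WIFI_NET
    if selector == "LAN net":
        return addr in LAN_NET
    if selector == "Server":
        return addr == SERVER
    if selector == "ManagementAccess":
        return addr in MANAGEMENT
    raise ValueError(f"unknown selector {selector!r}")


def _match_proto(selector: str, proto: str) -> bool:
    return selector == "*" or proto in selector.split("/")


# The WIFI interface rule list from the thread, top to bottom (IPv4 rows only).
WIFI_RULES = [
    Rule("block", "tcp/udp", "*", "ManagementAccess", 80,
         "Deny access to firewall management from WIFI HTTP"),
    Rule("block", "tcp/udp", "*", "ManagementAccess", 443,
         "Deny access to firewall management from WIFI HTTPS"),
    Rule("pass", "tcp", "WIFI net", "Server", 22, "Allow SSH WIFI to LAN"),
    Rule("block", "*", "WIFI net", "LAN net", None, "Block all WIFI to LAN"),
    Rule("pass", "*", "WIFI net", "*", None, "Allow WIFI to WAN"),
]


def evaluate(rules, src: str, dst: str, proto: str, dport: Optional[int] = None):
    """First-match evaluation of an interface rule list.

    Returns (action, description) of the first matching rule; if nothing
    matches, the implicit default deny applies.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (_match_proto(r.proto, proto)
                and _match_addr(r.src, s)
                and _match_addr(r.dst, d)
                and (r.dport is None or r.dport == dport)):
            return r.action, r.desc
    return "block", "default deny"


def report():
    """Walk the flows discussed in the thread from a constructed WIFI client."""
    client = "192.168.4.50"  # constructed WIFI client address
    flows = [
        ("ssh to server", client, str(SERVER), "tcp", 22),
        ("ping server", client, str(SERVER), "icmp", None),
        ("dns to WIFI gateway", client, "192.168.4.1", "udp", 53),
        ("dns to LAN gateway", client, "192.168.2.1", "udp", 53),
        ("https to firewall", client, "192.168.4.1", "tcp", 443),
    ]
    return {name: evaluate(WIFI_RULES, s, d, p, port) for name, s, d, p, port in flows}


if __name__ == "__main__":
    for name, (action, desc) in report().items():
        print(f"{name:22} -> {action:5} ({desc})")
```

Walking the posted list this way shows the split the replies describe: SSH to the server passes on the third rule, but ICMP to the same host is stopped by "Block all WIFI to LAN" before the final pass rule is ever reached, while DNS aimed at the WIFI interface address passes on the last rule. DNS aimed at the LAN-side address 192.168.2.1 also hits the block rule, so which resolver address the WIFI DHCP scope hands out matters. On the firewall itself, the authoritative check is the rule description shown against the blocked entry in the firewall log.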