[SOLVED] Can't access device in WAN
-
Do you still have Block private networks checked on Interfaces - WAN? Double NAT is generally not recommended if you can avoid it.
-
Negative. Disabled this option already and have created those rules on my own (one for 10/8, 172.16/12 and 192.168/16). The second one would interfere with my printer but I make use of the prioritisation of the rules (the printer rule is on top of all other block-rules).
-
Is there a reason you aren't putting the ISP router into bridge mode and putting all your devices on pfSense to avoid double NAT? Wireless AP, I'm guessing?
-
Yes, you are right.
Honestly, I would like to try solving it this way. Switching the ISP router to bridge mode would be the last resort.
-
"So if you guys see anything I'm doing wrong"
IMHO that whole setup is wrong ;) So did you disable natting in pfsense and just routing/firewall? If you sniff on the pfsense wan - then clearly your printer just never answered the ping. Or you have something else blocking it on your isp router, or you have a routing issue where masks are wrong in putting pfsense wan and those devices on the same network?
If me I would put isp device in bridge mode and put everything on lan side of pfsense, even if you don't put in bridge mode and double nat. Use another interface or vlan switch and put your networks on the lan side of pfsense.
In this setup you have a routing problem, if you're not doing nat. Does your isp router support routing? You would most likely end up with hairpin even if it does. If you nat you don't have to worry about routing but you have to forward any traffic you want to get to pfsense lan.
This setup is much easier if what you want to do is firewall between your lan devices - is to put them all on different lan segments behind pfsense. Then all you need is firewall rules, etc.
As to your multicast - that is most likely just your printer saying hey I am a printer - here is info if you want to print to me.. That sure is not going to work through your pfsense nat. You would have to setup IGMP proxy, etc.
-
Hey johnpoz
I really appreciate your reply. Everything you've mentioned in your post was already checked. As of now, I simply think that the ISP router isn't able to handle my current network.
I just bought some wireless extensions for my pfSense so I can build up my network like you and KOM have recommended.
I'm still quite curious why it was not working and which part of the network was causing these troubles. But I will try that later on and not just with a printer but with a notebook in the WAN network. This would give me the chance to capture the traffic on both ends which would probably reveal the problematic device.
Thank you johnpoz and KOM for helping me anyway. If I have news about this, I will write again in this topic to let others know about a possible solution/fix.
Cheers,
wenga
-
"I simply think that the ISP router isn't able to handle my current network."
What .. So you checked what exactly.. I didn't tell you to check anything.. What part do you not understand about not seeing your printer answer to your pings.. You're not routing anything, you're not natting anything at this point.. You have a printer connected to a router's switch ports. So why did you not see an answer to your ping? My guess would be it didn't answer.
As to you printing to it, that has nothing to do with wan or forwarding rules. Your client behind pfsense would be the one creating the traffic to the printer - creates state on pfsense, which allows printer return traffic to get back to your client.
So why is this thread marked solved.. I don't see anything in your post that says it is working now??
-
Sounds like you need to add a static route on the isp modem telling it where to find your 192.168.1.0 network. If that is possible?
-
This is marked SOLVED even though there wasn't a resolution to the problem.
-
@KOM:
"This is marked SOLVED even though there wasn't a resolution to the problem."
Not true.
"Sounds like you need to add a static route on the isp modem telling it where to find your 192.168.1.0 network. If that is possible?"
Thank you a lot because it is probably exactly what you are saying. Unfortunately the ISP router is branded with custom software and there I can't see any routing table and can't modify it.
And there you have it. This is a solution, thus -> SOLVED.
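-
The return-path problem discussed in this thread, as an added example that is not part of any poster's message: a small route lookup showing where the printer's reply goes with and without the static route on the ISP router, and with NAT on pfSense. The 192.168.0.0/24 WAN-side subnet and all host addresses except the 192.168.1.0 network are constructed assumptions.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs; gateway None = on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(n), gw) for n, gw in routes
               if dst in ipaddress.ip_network(n)]
    if not matches:
        return "unreachable"
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return "on-link" if gw is None else gw

# Constructed addressing (assumption): the ISP router's LAN, which is also the
# pfSense WAN segment and the printer's segment, is 192.168.0.0/24.
ISP_ROUTER = "192.168.0.1"
PFSENSE_WAN = "192.168.0.2"
LAN_CLIENT = "192.168.1.50"      # host in the 192.168.1.0 network behind pfSense
UPSTREAM = "isp-upstream"        # placeholder for the ISP router's own default route

PRINTER_ROUTES = [("192.168.0.0/24", None), ("0.0.0.0/0", ISP_ROUTER)]
ISP_ROUTES = [("192.168.0.0/24", None), ("0.0.0.0/0", UPSTREAM)]
STATIC_ROUTE = ("192.168.1.0/24", PFSENSE_WAN)   # the route suggested in the thread

def reply_path(source_seen_by_printer, isp_routes):
    """Trace the printer's reply back toward the source address it saw."""
    hop = next_hop(PRINTER_ROUTES, source_seen_by_printer)
    if hop == "on-link":
        return "direct"            # source is on the printer's own segment
    # Otherwise the printer hands the reply to its default gateway, the ISP router.
    hop = next_hop(isp_routes, source_seen_by_printer)
    if hop == PFSENSE_WAN:
        return "via-pfsense"       # hairpins back onto the segment toward pfSense
    return "lost"                  # sent upstream, never reaches the client

def scenarios():
    return {
        # pfSense routing only: printer sees the real LAN source address.
        "no-nat, no static route": reply_path(LAN_CLIENT, ISP_ROUTES),
        "no-nat, static route": reply_path(LAN_CLIENT, ISP_ROUTES + [STATIC_ROUTE]),
        # pfSense outbound NAT: printer sees the pfSense WAN address.
        "nat on pfSense": reply_path(PFSENSE_WAN, ISP_ROUTES),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} -> {result}")
```
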