Netgate Discussion Forum

    PfSense WAN in subnet with inbound communication from WAN

Routing and Multi WAN, 17 posts, 2 posters
iormangund

@viragomann:

    Pinging from WAN to LAN over pfSense is straightforward.
    Just the following (already mentioned) options have to be checked.

    • interface config WAN, LAN: IP, mask

    • WAN interface settings: disable "block private networks"

    • a firewall rule to permit the ping

    If these settings are correct it should work.

    You say you have done these settings, but we cannot validate, since you post only descriptions. Better to post screenshots of your settings.

    Are you able to ping pfSense WAN IP and LAN IP from 172.16.0.0/24?

    The outbound NAT only takes effect on outgoing connections from LAN to WAN. I know that this isn't a cause here.

To the best of my knowledge, it's all set up as described. I tried to ping 172.16.0.1 from 172.16.100.100, however for some reason that didn't work, so I'm even more confused now (Edit: Pinging out to 172.16.0.1 seems to work now; the machine I was doing it from was set to a static IP, changing it to DHCP seemed to work).
That's a good point though about screenshots. All other settings I have left as default from the install wizard. Here they are:

[screenshot: pfSense settings (172.16.100.222)]

[screenshot: Internal router settings (172.16.0.1)]

viragomann

Okay, the settings look fine.
I think I'm tired; I haven't considered the following point:
Since your computers in group A have their default route set to 172.16.0.1, you need a static route on each one for the network behind pfSense, pointing to the pfSense WAN address, to reach the hosts. Otherwise packets are sent to 172.16.0.1.

iormangund

@viragomann:

    Okay, the settings look fine.
    I think I'm tired; I haven't considered the following point:
    Since your computers in group A have their default route set to 172.16.0.1, you need a static route on each one for the network behind pfSense, pointing to the pfSense WAN address, to reach the hosts. Otherwise packets are sent to 172.16.0.1.

I don't quite understand; I cannot set static routes on the computers in group A, only on the internal router and pfSense can I set static routes.
Did another ping test, and it seems now I can ping 172.16.100.1 from a device in group A (172.16.0.1/24).
No luck getting through to an actual machine in group B.

EDIT: So, sort of good news. Since taking the test machine in 172.16.100.1/24 off its static IP and setting it to DHCP, I can now ping to and from it across group A and B. Odd that it completely fails with a static IP but not DHCP.
However I cannot do anything other than ping so far; tried RDP and SMB but they didn't work.

viragomann

Any computer OS is capable of setting a static route. Without it your setup won't work as you intend.

The only other options are:
NAT. Assign a virtual IP in 172.16.0.0/24 for each host to the pfSense WAN interface and access the computers via these.
Bridging pfSense WAN-LAN.

In both cases each computer in B gets an IP in 172.16.0.0/24.

If you try to realize a routing environment, you have to set static routes.

iormangund

@viragomann:

    Any computer OS is capable of setting a static route. Without it your setup won't work as you intend.

    The only other options are:
    NAT. Assign a virtual IP in 172.16.0.0/24 for each host to the pfSense WAN interface and access the computers via these.
    Bridging pfSense WAN-LAN.

    In both cases each computer in B gets an IP in 172.16.0.0/24.

    If you try to realize a routing environment, you have to set static routes.

Yeah, that's why I was using the term "computer" loosely; the sort of things I was including were IoT-type stuff, and I can't set routes on those. There will only actually be one computer in group A that has access to group B; the rest that need access will be "devices".

I'll give your suggestion of NAT a try and see if that helps.

Edit: actually, just looked at the virtual IP stuff in Firewall, way over my head atm.

viragomann

For NAT you have to assign a virtual IP of type IP Alias in Firewall > Virtual IPs.
After that you may also use NAT 1:1 to map the whole network segment.

iormangund

@viragomann:

    For NAT you have to assign a virtual IP of type IP Alias in Firewall > Virtual IPs.
    After that you may also use NAT 1:1 to map the whole network segment.

Would that be a virtual IP alias of, for instance, 172.16.0.15 in the virtual IP setting, or 172.16.100.15?

viragomann

The aliases have to be in 172.16.0.0/24.

For instance, you want to add aliases for
172.16.100.15
172.16.100.22

Assuming the respective address is not already in use in 172.16.0.0/24, add
172.16.0.15
172.16.0.22

Type: IP Alias
Interface: WAN

iormangund

@viragomann:

    The aliases have to be in 172.16.0.0/24.

    For instance, you want to add aliases for
    172.16.100.15
    172.16.100.22

    Assuming the respective address is not already in use in 172.16.0.0/24, add
    172.16.0.15
    172.16.0.22

    Type: IP Alias
    Interface: WAN

Okay, makes sense. Then with NAT 1:1 I have external IP 172.16.0.1 with internal IP and destination set to any?

(Would like to take this moment to say a big thank you for helping me!)

viragomann

In 1:1 you can set the NAT for the whole subnet if you enter 172.16.0.0 at "External subnet IP" and at "Internal IP" select Network and 172.16.100.0/24.

It doesn't matter if this also includes IPs assigned to computers in group A, since you haven't added an IP alias for these addresses to WAN.
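The two mechanisms discussed in this thread, a group-A host's routing decision with and without the static route, and the 1:1 NAT of 172.16.0.0/24 onto 172.16.100.0/24 that only answers for addresses present as WAN IP aliases, modelled in a small added Python example (not code from pfSense or from either poster). The thread never states the pfSense WAN address, so 172.16.0.254 is an assumed placeholder.

```python
import ipaddress

# Constructed topology from the thread: group A is 172.16.0.0/24 with default
# gateway 172.16.0.1 (the internal router); group B is 172.16.100.0/24 behind
# pfSense LAN. The pfSense WAN address is not given in the thread, so
# 172.16.0.254 is an assumed placeholder.
PFSENSE_WAN = ipaddress.ip_address("172.16.0.254")
INTERNAL_ROUTER = ipaddress.ip_address("172.16.0.1")
GROUP_B = ipaddress.ip_network("172.16.100.0/24")


def next_hop(dst, routes):
    """Longest-prefix match over (network, gateway) pairs, like a host routing table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gw))
    return best[1] if best else None


# A group-A host with only a default route sends group-B traffic to 172.16.0.1,
# which is viragomann's point; the static route sends it to the pfSense WAN instead.
HOST_A_DEFAULT_ONLY = [("0.0.0.0/0", str(INTERNAL_ROUTER))]
HOST_A_WITH_STATIC = HOST_A_DEFAULT_ONLY + [(str(GROUP_B), str(PFSENSE_WAN))]


def translate_inbound_1to1(dst, aliases, ext_net="172.16.0.0/24", int_net="172.16.100.0/24"):
    """Model the 1:1 NAT from the last post: the whole external subnet maps onto the
    internal one, but pfSense only answers for addresses that exist as IP Alias VIPs
    on WAN. Returns the internal address, or None when no alias exists for dst."""
    dst = ipaddress.ip_address(dst)
    ext_net = ipaddress.ip_network(ext_net)
    int_net = ipaddress.ip_network(int_net)
    if dst not in ext_net or dst not in {ipaddress.ip_address(a) for a in aliases}:
        return None
    # 1:1 NAT keeps the host bits and swaps the network bits.
    host_bits = int(dst) - int(ext_net.network_address)
    return int_net.network_address + host_bits


if __name__ == "__main__":
    aliases = ["172.16.0.15", "172.16.0.22"]            # constructed VIP list
    print(next_hop("172.16.100.15", HOST_A_DEFAULT_ONLY))  # 172.16.0.1
    print(next_hop("172.16.100.15", HOST_A_WITH_STATIC))   # 172.16.0.254
    print(translate_inbound_1to1("172.16.0.15", aliases))  # 172.16.100.15
    print(translate_inbound_1to1("172.16.0.1", aliases))   # None (no alias)
```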
