Netgate Discussion Forum

need WAN Network to access LAN network and vice versa

Routing and Multi WAN
    seramis
    last edited by seramis Oct 19, 2019, 7:59 AM Oct 19, 2019, 7:10 AM

    Hi all,

    I need my WAN network/devices 192.168.254.0/24 to access or ping LAN network/devices 172.1.1.0/24 and vice versa.
    I will be using these for AP, LAN network for Local Wifi (like Internal Network via Wifi) and VLAN30 network for Guest Wifi.
    I need 172 network to be able to communicate with 192 network for DHCP Service because I use filter profiles.

    Can anyone tell me what I need (NAT? Firewall rule?) and the steps to do it?

    IP Address:
    -ISP Modem 192.168.254.254/24
    -WAN 192.168.254.2/24 (Upstream Gateway ISP Modem IP 192.168.254.254/24)
    -LAN 172.1.1.0/24
    -VLAN30 10.1.1.0/8
    -Windows DHCP Server for LAN 192.168.254.1/24


    Thank you in advance =)

      viragomann @seramis
      last edited by viragomann Oct 19, 2019, 10:23 PM Oct 19, 2019, 10:23 PM

      @seramis said in need WAN Network to access LAN network and vice versa:

      Can anyone tell me what I need (NAT? Firewall rule?) and the steps to do it?

      Probably routes and firewall rules to allow the access.
      So pfSense is the default gateway in LAN and VLAN30. So the packets toward WAN network should be routed well. But the devices in the WAN network will need routes pointing to pfSense for the networks behind.
      You may push those routes via DHCP to all clients that are configured to use it. On the others you will have to set the routes manually.

      Also in the WAN interface settings you have to remove the check from "Block private networks".

      And of course you have to add firewall rules to allow the access you wish.

      @seramis said in need WAN Network to access LAN network and vice versa:

      I need 172 network to be able to communicate with 192 network for DHCP Service because I use filter profiles.

      You want the LAN devices to get IPs from the DHCP in the WAN subnet?

        seramis @viragomann
        last edited by Oct 20, 2019, 5:03 AM

        @viragomann Hi thank you for your reply.

        I already disabled blocking private networks and blocking bogon networks on WAN.
        Also, I already added firewall rules to WAN any-any.

        WAN network still not able to ping or communicate with LAN network?

        But my LAN network is able to ping and communicate, even RDP with WAN network.

        -For your second question, if "You want the LAN devices to get IPs from the DHCP in the WAN subnet?"
        Answer: Yes Sir, I need LAN devices to be able to communicate to WAN network and get DHCP IP from it, DHCP Server is running on WAN Network and on Scope I added 172.1.1.1 Router.

        Thank you

          viragomann
          last edited by Oct 20, 2019, 11:24 AM

          And what about the routes? Do your WAN devices have the correct route to the LAN network?

          For DHCP on LAN you need to enable and configure the DHCP relay on pfSense.

            johnpoz LAYER 8 Global Moderator
            last edited by Oct 20, 2019, 12:01 PM

            172.1.1/24 - dude come on!!

            NetRange: 172.0.0.0 - 172.15.255.255
            Organization: AT&T Corp. (AC-3280)

            Don't use address space that is not yours.. Use valid RFC space there, 172.16.1/24 would be fine..

            So did you turn off NAT, if not to get to stuff behind pfsense you would have to port forward.. If you want to route and firewall only, then make sure you turn off nat.

            And yes devices sitting on your 192.168 wan network would need a host route to tell them how to get to the 172 and 10 networks.. If your clients on your wan are talking to some other router as their default, so yeah they would need a route to get to behind pfsense.. If you try and route them off your default router you're going to run into an asymmetrical problem.

            The correct solution here is to have your downstream router (pfsense) connected to your upstream via a transit network.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11
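
An added example, not written by any poster in this thread: a Python audit of the address plan from the first post using the standard `ipaddress` module. It flags segments that fall outside RFC 1918 or have host bits set in the prefix, and lists the static routes that hosts on the 192.168.254.0/24 segment need via pfSense's WAN address. The names `PLAN`, `audit` and `routes_for_wan_hosts` are assumptions made for this example.

```python
import ipaddress

# RFC 1918 private ranges; an internal segment outside these is someone else's space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Address plan copied from the first post of the thread (dictionary layout is assumed).
PLAN = {"WAN": "192.168.254.0/24", "LAN": "172.1.1.0/24", "VLAN30": "10.1.1.0/8"}
PFSENSE_WAN_IP = "192.168.254.2"

def audit(plan):
    """Return {segment: [findings]} for a dict of segment name -> CIDR string."""
    findings, nets = {name: [] for name in plan}, {}
    for name, cidr in plan.items():
        try:
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # Strict parsing rejects prefixes whose host bits are non-zero.
            nets[name] = ipaddress.ip_network(cidr, strict=False)
            findings[name].append(f"host bits set, prefix is really {nets[name]}")
        if not any(nets[name].subnet_of(private) for private in RFC1918):
            findings[name].append("not RFC 1918 space")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings[a].append(f"overlaps {b}")
                findings[b].append(f"overlaps {a}")
    return findings

def routes_for_wan_hosts(plan, gateway, wan="WAN"):
    """(network, netmask, gateway) routes a WAN-side host needs for networks behind pfSense."""
    gw = ipaddress.ip_address(gateway)
    if gw not in ipaddress.ip_network(plan[wan], strict=False):
        raise ValueError("gateway is not on the WAN segment")
    routes = []
    for name, cidr in plan.items():
        if name != wan:
            net = ipaddress.ip_network(cidr, strict=False)
            routes.append((str(net.network_address), str(net.netmask), str(gw)))
    return routes

if __name__ == "__main__":
    for name, issues in audit(PLAN).items():
        print(name, PLAN[name], issues or "ok")
    for route in routes_for_wan_hosts(PLAN, PFSENSE_WAN_IP):
        print("route:", *route)
```

Running the audit again with the LAN changed to 172.16.1.0/24, as suggested in the last post, returns no findings for that segment.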
