Netgate Discussion Forum
NAT between subnet

    brochs
    last edited by Jan 31, 2020, 5:27 PM

    Hi, I have an issue I have been scratching my head over. I will try to explain, and hopefully someone can give me some good advice. To start off, I’m not sure this is a pfSense only problem.

    I have two different subnets on my pfSense, one on LAN port (192.168.X.X/24) and one on OPT1 port (10.0.X.X/24), both are offering DHCP. Everything is running fine, internet access on both. I also have an OPENVPN net that is used with OpenVPN for remote access, also works fine. I have printers, NAS and other servers on the 192.168.X.X net, and I can reach and connect to everything from same localnet, other localnet and from OpenVPN. I have connected one wireless router (as access point) on each of the local subnets for WiFi access, works like a charm and are offering DHCP from pfSense (units' DHCP disabled). When I am on 192.168.X.X subnet I can connect to the Netgear R7000 WiFi access point that is connected to pfSense with cable using LAN port on R7000, IP 192.168.X.254. I can however not manage to reach the WiFi AP from other subnet or from OpenVPN, not even ping it. All other devices I can reach. The funny thing is that it’s the same with the WiFi AP on the other local subnet, but here I am using a Dlink DIR-655 as AP.

    I have no more clues, and don’t know why this is happening.

      heper
      last edited by heper Jan 31, 2020, 5:46 PM Jan 31, 2020, 5:45 PM

      It's because those are not true access points, but routers with DHCP disabled.
      More than likely it is impossible to set a gateway on those devices' LAN interface..... That is the reason you can not connect to them.

      There is no good fix for it. You can set up custom NAT rules between your LAN subnets to get access to them. But it's easier to just get other hardware or flash a custom firmware on the WiFi devices with the ability to set a gateway.

        brochs
        last edited by Jan 31, 2020, 6:00 PM

        Interesting :-) So what you are saying is that it’s in fact a gateway problem of these units? The Netgear R7000 has an operation mode selector, with these options: Router, Access Point, Bridge and Repeater. I use AP mode.

          chpalmer
          last edited by chpalmer Jan 31, 2020, 6:02 PM Jan 31, 2020, 6:00 PM

          1. This is not NAT but is instead routing. You route between your subnets.

          2. Show your firewall rules for each interface.

          3. If you are in AP mode then you should plug into your WAN port of the unit, I believe.

          Triggering snowflakes one by one..
          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.

            Grimeton
            last edited by Feb 8, 2020, 8:27 PM

            Tell your AP how to reach the other subnet via routing. Or just set the default gateway of the AP to be your pfSense and everything is fixed.

            On the other hand, you can set up some outgoing NAT on the interface the AP is connected to, like:

            nat on $lan from $opt1_network to $lan_network -> ($lan)

            So that you source nat everything going out on the lan network's interface coming from opt1's subnet to the IP of the lan_interface.

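The replies in this thread come down to whether the AP has a return path to the other subnet. As an added example (not code from any poster or from pfSense), this Python model checks that return path for the three fixes mentioned: a default gateway on the AP, a static route on the AP, and the source NAT rule quoted above. All concrete addresses are constructed, since the thread masks the real ones as 192.168.X.X and 10.0.X.X.

```python
import ipaddress

# Constructed addresses (assumptions, the thread only gives 192.168.X.X / 10.0.X.X).
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
OPT1_NET = ipaddress.ip_network("10.0.0.0/24")
PFSENSE_LAN_IP = ipaddress.ip_address("192.168.1.1")
AP_IP = ipaddress.ip_address("192.168.1.254")
OPT1_CLIENT = ipaddress.ip_address("10.0.0.50")
LAN_CLIENT = ipaddress.ip_address("192.168.1.20")


def reply_next_hop(host_net, gateway, routes, peer):
    """Next hop a host uses to answer `peer`, or None if it has no path."""
    if peer in host_net:
        return peer  # on-link: the host answers directly
    # Longest-prefix match over the host's static routes (network, next_hop).
    matches = [(net, hop) for net, hop in routes if peer in net]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return gateway  # None models a device with no default gateway


def snat(src, dst, rule_from, rule_to, translate_to):
    """Model of: nat on $lan from $opt1_network to $lan_network -> ($lan)."""
    # A destination inside rule_to stands in for "leaving on the LAN interface".
    if src in rule_from and dst in rule_to:
        return translate_to
    return src


def reachable(client, ap_gateway=None, ap_routes=(), use_snat=False):
    """True if the AP has somewhere to send its reply to `client`."""
    seen_src = client  # source address as the AP sees it
    if use_snat:
        seen_src = snat(client, AP_IP, OPT1_NET, LAN_NET, PFSENSE_LAN_IP)
    return reply_next_hop(LAN_NET, ap_gateway, list(ap_routes), seen_src) is not None


if __name__ == "__main__":
    cases = {
        "same subnet, AP has no gateway": reachable(LAN_CLIENT),
        "other subnet, AP has no gateway": reachable(OPT1_CLIENT),
        "other subnet, AP gateway = pfSense": reachable(OPT1_CLIENT, ap_gateway=PFSENSE_LAN_IP),
        "other subnet, static route on AP": reachable(OPT1_CLIENT, ap_routes=[(OPT1_NET, PFSENSE_LAN_IP)]),
        "other subnet, source NAT on pfSense": reachable(OPT1_CLIENT, use_snat=True),
    }
    for name, ok in cases.items():
        print(f"{name}: {'reply path' if ok else 'no reply path'}")
```

With the source NAT variant the AP sees every connection from the other subnet as coming from the firewall's LAN address, so its own logs and any per-source access rules on it no longer identify the real client.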