Cannot access pfSense LAN subnet from outside
-
Hello,
I am unable to access devices that are on the pfSense LAN subnet from my main router (FiOS) LAN.
Here is my setup:
From the Laptop (192.168.1.51), I am successfully able to ping both 192.168.1.1 and 10.0.0.1. However, I am not able to ping 10.0.0.1 and therefore not able to ping 10.0.0.51 either.
To my surprise, from the Desktop (10.0.0.51), I am successfully able to ping all devices: 10.0.0.1, 192.168.1.99, 192.168.1.1, and 192.168.1.51.
I need help in successfully accessing devices in the 10.0.0.1 LAN from the 192.168.1.1 LAN.
Here are my current rules for my WAN and LAN in the pfSense box.
WAN Rules:
LAN Rules:
Also, I have unchecked the "Block private networks and loopback addresses" and "Block bogon networks" on both WAN and LAN interfaces.
Please help!
-
There are multiple challenges since what you're essentially trying to do is open up your LAN to the internet, which is inherently what your firewall is there to prevent.
The first issue is the FIOS router has no idea what networks are behind PFsense, so you will need to add a route on the FIOS router for the 10.0.0.0/24 network.
Then there's allowing the incoming traffic on PFsense. Also, all traffic exiting PFsense is NAT'd on egress, so that will need to be addressed as well. Even after all that, be prepared for some gotchas.
My recommendation, save yourself the time and headache... purchase your own AP and plug it into the switch behind PFsense. Then disable wireless on the FIOS router.
-
You're still behind NAT..
-
Yup, still natting unless you turn that off on pfsense, and even if you did turn it off, you would then have an asymmetrical routing problem, unless you do host routing on your 192.168.1 devices.
Or you placed your pfsense on a transit network from your fios router, and I doubt your fios router allows you to do vlans or other networks where you could even do such a thing.
If you want to access stuff behind pfsense from your 192.168.1 network, best to embrace the natting and just do port forwarding to access stuff behind it.
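The routing behaviour described in the replies above, as an added example that is not part of the original thread: a small model that traces the hop-by-hop path between the laptop and the desktop with outbound NAT on pfSense assumed off. The addresses come from the thread; the /24 mask on 192.168.1.x, the node names and the helper functions are assumptions made for illustration.

```python
import ipaddress as ip

# Addresses from the thread; the /24 mask on 192.168.1.x is an assumption.
OUTER, INNER = ip.ip_network("192.168.1.0/24"), ip.ip_network("10.0.0.0/24")
DEFAULT = ip.ip_network("0.0.0.0/0")
OWNER = {"192.168.1.1": "fios", "192.168.1.51": "laptop",
         "192.168.1.99": "pfsense", "10.0.0.1": "pfsense", "10.0.0.51": "desktop"}

def tables(fios_static_route=False, laptop_host_route=False):
    """Routing tables as (network, next_hop); next_hop None means on-link."""
    t = {
        "laptop":  [(OUTER, None), (DEFAULT, "192.168.1.1")],
        "fios":    [(OUTER, None), (DEFAULT, "internet")],
        "pfsense": [(OUTER, None), (INNER, None), (DEFAULT, "192.168.1.1")],
        "desktop": [(INNER, None), (DEFAULT, "10.0.0.1")],
    }
    if fios_static_route:   # route for 10.0.0.0/24 added on the FiOS router
        t["fios"].insert(0, (INNER, "192.168.1.99"))
    if laptop_host_route:   # per-host route on a 192.168.1.x device
        t["laptop"].insert(0, (INNER, "192.168.1.99"))
    return t

def trace(src, dst, t):
    """Nodes a packet visits from src to dst (hypothetical model, NAT off)."""
    node = OWNER[src]
    hops = [node]
    while node != OWNER[dst]:
        # Longest-prefix match over the current node's routing table.
        matches = [r for r in t[node] if ip.ip_address(dst) in r[0]]
        _, next_hop = max(matches, key=lambda r: r[0].prefixlen)
        if next_hop == "internet":
            return hops + ["internet"]   # leaves the site, never reaches dst
        node = OWNER[next_hop if next_hop else dst]
        hops.append(node)
    return hops

def symmetric(a, b, t):
    """True when the reply retraces the request path in reverse."""
    return trace(a, b, t) == trace(b, a, t)[::-1]

if __name__ == "__main__":
    for name, t in [("no extra routes", tables()),
                    ("static route on FiOS", tables(fios_static_route=True)),
                    ("host route on laptop", tables(laptop_host_route=True))]:
        print(name, trace("192.168.1.51", "10.0.0.51", t),
              trace("10.0.0.51", "192.168.1.51", t))
```

With only the static route on the FiOS router, the request crosses the router while the reply goes from pfSense straight to the laptop, which is the asymmetry the reply refers to.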
-
Thank you for all the replies. I thought there would be a simple firewall rule that would get this done. Looks like it is a headache and might not be optimum. I am going to take the advice of getting an AP and plugging it into the switch behind pfSense.
I am starting to wonder if there is any point in having the Verizon FiOS router inline. I think I would need it just for the purpose of converting incoming ONT (coaxial) to Ethernet.
-
@tgdsilva said in Cannot access pfSense LAN subnet from outside:
I think I would need it just for the purpose of converting incoming ONT (coaxial) to Ethernet.
Exactly... Get an AP put it behind pfsense, then you can do whatever you want for segmentation of networks.. I would suggest you get an AP that supports vlan, and also a switch that does as well.. Then you be cooking with gas ;) For anything you might want to do.