WAN devices to LAN devices



  • Very new to pfSense, and learning routing.
    I have an ESXi host and built a pfSense VM.
    This has 2 interfaces, 1 WAN, the other LAN.
    WAN has a static IP of 192.168.0.169 from my modem (I've put this IP in the modem's DMZ)

    gateway 192.168.0.1
    LAN is set up for 192.168.1.1. I've turned DHCP off as I plan to have everything in here static anyway. There is an external switch connected to the LAN port, but I'm only trying to get my other VMs to send all their traffic through pfSense right now.

    One of the VMs is Windows. I set that VM up with the following details:
    IP: 192.168.1.16
    subnet: 255.255.255.0
    gateway: 192.168.1.1
    DNS: 8.8.8.8

    On the WAN network I have a Windows laptop with an IP of 192.168.0.22.
    Its gateway is 192.168.0.1...
    From this box I want to access the shares on the VM.

    I'd like to have devices that exist on the WAN network be able to see/access devices on the LAN network.
    I understand the reason it's not working. Devices on WAN don't know how to get to devices on LAN because nothing routes their traffic in that direction. But how do I do this?
    From reading I believe I need a Virtual IP on the WAN interface that is part of the LAN subnet.
    So a virtual IP on WAN of 192.168.1.170.
    I think this just makes it so the WAN interface is able to know about the other subnet, but isn't going to route anything.
    I also have NAT on because of the whole DMZ setup; someday I plan to move EVERYTHING behind pfSense, but not until I get a better wifi AP to use. Until then I'd like to get this routing issue figured out.
    Do I need just a static route, or a 1:1 NAT? Or a combo, or something else completely?



  • @trevorstuart said in WAN devices to LAN devices:

    I'd like to have devices that exist on the WAN network be able to see/access devices on the LAN network.

    That's not a recommended setup.
    You will have to add a static route to each WAN device which should be able to communicate with LAN.

    A better solution is to put pfSense into a separate network (transit) and just add a static route for the LAN subnet to your front router, but I guess that won't be doable on your modem.

    @trevorstuart said in WAN devices to LAN devices:

    From reading I believe I need a Virtual IP on the WAN interface that is part of the LAN subnet.

    That's nonsense.
    You may bridge WAN and LAN on pfSense, so that you have the same L3 network on both sides.



  • It's not recommended, but until I get a proper AP instead of my ISP's modem as an AP, I'm stuck.
    The modem allows port forwarding, but no port redirecting at all. I can't use different DNS, and so on. The plan is to sooner than later bridge the modem and use pfSense as Firewall/Router/DHCP/etc... And to make things more fun I cannot do DHCP redirect in the modem, so even as an interim anything connected via wifi has to go in the modem's subnet, but all my servers are running nicely behind pfSense. So if I want my phone to talk to one of the servers it simply won't internally. I can use the external IP and have it come in that way, but I have 2 devices that won't let me specify the IP manually so they ONLY look on the internal network.

    I think a bridge is what I'll need until I get a real Access Point to take over the WiFi...
    If I understand correctly I can use an internal bridge between WAN/LAN and all the traffic inside my network will talk but going out or coming in via internet will still follow the gateways firewall(s).



  • @trevorstuart
    Not exactly. If you bridge WAN and LAN, both interfaces are in the same L2 network. So pfSense is neither a router nor a gateway anymore, the gateway would be the modem. WAN and LAN devices are in the same subnet and you have to do any forwarding even to devices behind pfSense on the modem. But you are still able to filter the traffic on pfSense.

    Can't you deactivate the DHCP server on the modem and let pfSense do that job in the WAN subnet? The DHCP server on pfSense can push the route for the LAN subnet to the WAN devices. So you don't need to set it manually.
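    The last reply's suggestion, pushing the LAN route to WAN hosts via DHCP, relies on DHCP option 121 (RFC 3442 classless static routes). The following is an added example, not code from the thread or from pfSense, that builds and decodes that option for the addresses used above (LAN 192.168.1.0/24 via pfSense's WAN address 192.168.0.169, modem 192.168.0.1 as default gateway); the function names are my own.

```python
import ipaddress

def encode_classless_static_routes(routes):
    """Encode (destination CIDR, router) pairs as the payload of DHCP option 121.

    RFC 3442 packs each route as: prefix length, then only the significant
    octets of the destination (ceil(prefix/8) of them), then the 4-octet router.
    """
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:significant]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)

def decode_classless_static_routes(payload):
    """Inverse of the encoder; raises on a malformed or truncated payload."""
    routes, i = [], 0
    while i < len(payload):
        prefix = payload[i]
        if prefix > 32:
            raise ValueError(f"bad prefix length {prefix} at offset {i}")
        significant = (prefix + 7) // 8
        if i + 1 + significant + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = payload[i + 1 + significant:i + 5 + significant]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{prefix}",
                       str(ipaddress.IPv4Address(router))))
        i += 1 + significant + 4
    return routes

def as_colon_hex(payload):
    """Colon-separated hex, the form ISC dhcpd accepts for a custom string option."""
    return ":".join(f"{b:02x}" for b in payload)

# Constructed from the thread's addresses. The default route is included on
# purpose: RFC 3442 says a client that receives option 121 must ignore option 3
# (router), so leaving it out would strip WAN hosts of their default gateway.
THREAD_ROUTES = [("192.168.1.0/24", "192.168.0.169"), ("0.0.0.0/0", "192.168.0.1")]

if __name__ == "__main__":
    encoded = encode_classless_static_routes(THREAD_ROUTES)
    print(as_colon_hex(encoded))
    print(decode_classless_static_routes(encoded))
```

    Since the WAN laptop in the thread runs Windows, note that Microsoft's option 249 uses the same encoding, so the same bytes can be served under both option numbers.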

