VIP (192.168.0.0) on WAN, how to route traffic for clients (radiolinks)


  • Hi. I've got two Ubiquiti Radios that function as L2 links between my fiber modem and my pfsense box. My WAN nic gets its public IP from dhcp and my radios are configured with static IPs (192.168.0.2 and 0.3).

    I've set up my pfsense box with The VIP (alias) 192.168.0.1.

    I can ping and ssh the radios from the pfsense box, but I want to reach them over https from my LAN and let the radios reach my Unms server at another location, which has a static public IP.

    How to best go about this scenario?


  • @filosofixit said in VIP (192.168.0.0) on WAN, how to route traffic for clients (radiolinks):

    I've got two Ubiquiti Radios that function as L2 links between my fiber modem and my pfsense box. My WAN nic gets its public IP from dhcp

    So the modem is rather a router.

    @filosofixit said in VIP (192.168.0.0) on WAN, how to route traffic for clients (radiolinks):

    I've set up my pfsense box with The VIP (alias) 192.168.0.1.

    In addition to the DHCP IP? Why?

    @filosofixit said in VIP (192.168.0.0) on WAN, how to route traffic for clients (radiolinks):

    but I want to reach them over https from my LAN and let the radios reach my Unms server at another location

    At a remote location?

    How is your outbound NAT configured?


  • @viragomann

    The modem passes on the public IP through the radio links to the WAN NIC on my pfSense box. The radio links have static private IPs for management, which I want to access from my LAN (another NIC and subnet).

    I also want the radio links to reach my UNMS-server which is located somewhere else. So no need for the radio links to have access to the whole internet, just the UNMS server.

    You mentioned outbound NAT, is that the best way to achieve my goal?


  • @filosofixit
    The outbound NAT works in automatic mode by default. That means pfSense adds rules to the WAN interface which translate the source address in IP packets into its WAN address when they go out the interface.

    So with the default setting it should work, if I understood your setup. But without getting more details, it's a view into the crystal ball.


  • @viragomann

    I don't know how to explain it better, but here I go:

    My setup is like this:

    1. Internet/Fiber
      |
    2. Fibermodem
      |
    3. Ubiquiti Rocket AC Lite (192.168.0.3)
      | (L2 radio link)
    4. Ubiquiti Rocket AC Lite (192.168.0.2)
      |
    5. pfSense box (gets its public IP from my ISP) (192.168.0.1 as Virtual IP (IP Alias))
      |
    6. LAN

    I have made a firewall rule that lets me reach the 192.168.0.0 subnet from LAN, but I am unable to create rules that let the devices in the 192.168.0.0 subnet make outbound connections to my LAN or the internet.

    How should I go about making rules so that the two radiolinks can make outbound connections to the internet?

    Do I have to set up a new route for these devices or make a 1:1 NAT rule?


  • If 192.168.0.0 is outside pfSense (out the WAN interface) then pfSense isn't involved in connecting that to the Internet. Those devices would just connect through Fibermodem (that device's IP in the 192.168.0.0/24 subnet is the gateway for 192.168.0.3 and they talk directly to each other).

    If the Fibermodem doesn't have a 192.168.0.0/24 address then I don't think this is going to work as I think you're describing. In that case if you had a third interface (OPT1) in your pfSense you could put the 192.168.0.1 address on it, and then connect those devices to that interface. Then they connect out through the pfSense to the Internet.


  • @filosofixit
    Now it's clear.

    The radios have to be configured to use pfSense (192.168.0.1) as default gateway.

    On pfSense you have to remove the check at "Block private networks" in the WAN interface settings.
    Then add a firewall rule to WAN allowing traffic from the radios subnet (maybe 192.168.0.0/24) to whatever you need.

    For accessing the radios from LAN you should disable the NAT on these connections. Go into the outbound NAT settings. If it's in automatic mode, select the hybrid mode and save it.
    Then add a rule:
    Do not NAT: checked
    Interface: WAN
    Source: LAN network (or an alias for all your internal networks or RFC1918)
    Destination: the radios subnet (192.168.0.0/24?)
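
The procedure in the last reply (radios pointed at pfSense as their gateway, "Block private networks" unchecked on WAN, a WAN pass rule for the radio subnet, and a hybrid-mode "Do not NAT" rule for LAN to the radios) together with the earlier explanation of what automatic outbound NAT does, written out as the equivalent raw pf ruleset. This is an added example by the editor, not configuration from the thread or rules generated by pfSense; pfSense builds its own ruleset from the GUI settings, so this fragment is for understanding and for comparing against `pfctl` output, not for loading on the box. The interface names `em0`/`em1`, the LAN subnet 192.168.1.0/24, the UNMS address 203.0.113.10 and port 443 are assumptions the thread does not state. It also goes one step further than the reply: instead of passing all of 192.168.0.0/24 to anything, the WAN rule lets exactly the two radios reach exactly the UNMS server and blocks the rest of RFC1918 behind it, which is the least-privilege version of "unchecking Block private networks".

```pf
# Added example: raw pf equivalent of the thread's pfSense settings (editor's
# reconstruction, not pfSense output). Names/addresses below are assumptions.
ext_if    = "em0"                           # pfSense WAN: DHCP public IP + 192.168.0.1 IP alias
lan_if    = "em1"                           # pfSense LAN
lan_net   = "192.168.1.0/24"                # LAN subnet (assumed; not stated in the thread)
radio_net = "192.168.0.0/24"                # management subnet of the radio links
radios    = "{ 192.168.0.2, 192.168.0.3 }"  # the two Rocket AC Lite units (from the thread)
unms_srv  = "203.0.113.10"                  # stand-in for the UNMS server's static public IP
unms_port = "443"                           # assumed; use the port the UNMS server listens on

# --- Translation (outbound NAT, hybrid mode) ---------------------------------
# The manual "Do not NAT" rule must be evaluated before the automatic rules,
# otherwise LAN -> radio packets get their source rewritten to the public IP
# and the radios answer the wrong address. In pf, "no nat" wins because it
# is matched first.
no nat on $ext_if inet from $lan_net to $radio_net
# What automatic mode already does: source-NAT everything leaving WAN.
# "($ext_if:0)" = the interface's primary address without aliases, so the
# public DHCP lease, not 192.168.0.1 (pfSense writes the literal public IP here).
nat on $ext_if inet from $lan_net   to any -> ($ext_if:0)
nat on $ext_if inet from $radio_net to any -> ($ext_if:0)

# --- WAN inbound filter rules ------------------------------------------------
# "Block private networks" is a block on all of RFC1918 placed ahead of the
# user rules, so it has to be unchecked for the radios to be routed at all.
# Do not replace it with "pass from 192.168.0.0/24 to any": pass exactly the
# two radios to exactly the UNMS server, then block the rest of RFC1918 again.
# The radio traffic enters and leaves on the same interface (hairpin); the
# nat rule above still applies on the way out.
pass  in quick on $ext_if inet proto tcp from $radios to $unms_srv port $unms_port
block in quick on $ext_if inet from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } to any

# --- LAN filter rule ---------------------------------------------------------
# HTTPS to the radios' management UI. pf is stateful, so the replies match the
# state created here and no extra WAN rule is needed for the return direction.
pass in quick on $lan_if inet proto tcp from $lan_net to $radios port 443
```

No static route or 1:1 NAT is needed, which answers the earlier question in the thread: as long as the IP alias 192.168.0.1 is configured with the /24 mask, 192.168.0.0/24 is a directly connected network on WAN and pfSense routes to it by itself. After saving the GUI settings, compare against what pfSense actually generated with `pfctl -sn` (translation rules; the `no nat` line must appear above the `nat on` lines) and `pfctl -sr` (filter rules; the radio pass rule must appear before any RFC1918 block), and confirm a working session with `pfctl -ss | grep 192.168.0.2` while loading a radio's HTTPS page from the LAN.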