Acces from external LAN Router

dcuadrados · Jun 16, 2021, 2:08 PM

Good afternoon, and thanks in advance, let me tell you what is happening to me and that I cannot find the solution. I have a MacroLAN network that joins 4 locations of a client, with the ranges 192.168.2.0/24, 192.168.3.0/24 , 192.168.4.0/24 and 192.168.5.0/24

In the main headquarters 192.168.4.0/24, I have a pfsense mounted, with the IP 192.168.1.0/24, the problem is that I cannot access that router because they do not let me manage it, then I find the following, If I access network 1 from my network, any of the others works without problems, but if I try to access network 1 from networks 2,3,4 or 5, it does not change, what rule should I create to allow that those networks access my main network 1?

viragomann · Jun 16, 2021, 2:08 PM

@dcuadrados said in Acces from external LAN Router:

If I access network 1 from my network

What ist "network 1"?
And what "my network"?

dcuadrados · Jun 16, 2021, 2:13 PM

@viragomann Sorry, the router network where I have the pfsense is 192.168.5.1/24, and the networks 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24 are external networks, but that between them are connected by the phone company

johnpoz · Jun 16, 2021, 2:15 PM

Yeah not clear to what exactly the problem is?

Is that you can not access this network behind pfsense from any other network? But you don't manage the pfsense.. So not sure how you expect pfsense to fix that if you can not manage pfsense?

These other sites do not have pfsense? And network 192.168.2 can access 192.168.3 for example?

A drawing would help.. So are these sites wan all sharing a common wan network and full routing mesh? What exactly is doing the routing..

Or is your problem you have 192.168.1 on pfsense and you can not access some other 192.168.1 network?

dcuadrados · Jun 16, 2021, 2:26 PM

@johnpoz Good afternoon, I manage the PfSense on the 192.168.1.1 network, which is the LAN part of the PfSense, the network that gives me access to the internet is 192.168.5.1, which is the company's router, this is the main headquarters of the company.

I from the 192.168.1.1 network, which is the one that I manage and where I have the PfSense, if I access and see the other networks, but from the other networks that only have a router, I am not able to reach the 192.168.1.0 network / 24

johnpoz · Jun 16, 2021, 2:33 PM

@dcuadrados said in Acces from external LAN Router:

I am not able to reach the 192.168.1.0 network / 24

So these other sites can not access network behind pfsense? Well you would have to allow that.

So all of these sites are not natting.. Out of the box pfsense would nat..

A drawing would be very helpful. But if your only gateway is to your HQ via a 192.168.5 network.. I would take it you do not nat and all the routing is done at HQ between all the other sites. So turn off natting at pfsense and allow on your wan these other networks to your lan on your wan rules. You will also need to turn off the rfc1918 blocking default rule on the wan.

You really need to provide a drawing if you want any real help. We are just guessing at this point to how your actually setup. You say that HQ is 192.168.4 and then you mention 192.168.5 is how you get to HQ..

Sounds like to me you added a pfsense to your site, and its natting and has what your old nework was on its wan.. So yeah sites are not going to be able to get to you.. You really need to work with your company IT team to add a firewall at your site.

dcuadrados · Jun 16, 2021, 3:03 PM

@johnpoz Here is the diagram:

johnpoz · Jun 16, 2021, 3:10 PM

Ok that is a start. So you have a vpn to 192.168.4? You have another connection in this 192.168.4 network along with your wan?

You are just routing without vpn at 192.168.4 router to 192.168.1? via this public IP? And this 192.168.4 network also has a wan IP in this /29 public network?

I REALLY suggest you get with your company IT dept about adding a firewall to your site, especially since it seems they don't even allow you access to your sites router?