WAN to LAN routing with firewall
-
I want to separate a Proxmox environment from the rest of my home network. I also want to have a firewall in between to control access to the Proxmox VMs.
I have issues configuring pfSense for routing and firewall only. I have disabled NAT, allowed bogon/private addresses on the WAN interface, and added a static route on the main router for the subnet behind the firewall. My setup:
Internet --> OpenWRT main router ---> 192.168.1.0/24 home network ---> route to 192.168.10.0/24 over 192.168.1.161
192.168.1.161 pfSense inside VM (on a bridge containing the hardware NIC) --> 192.168.10.1 and 192.168.10.0/24 subnet on a virtual bridge
All the other VMs on Proxmox are connected to the virtual bridge.
I can ping the VMs inside the pfSense subnet, but from inside a VM I do not receive the replies to pings to a host on the main network, e.g. 192.168.1.100. On 192.168.1.100 I receive the requests and send the replies, and it appears they reach the pfSense VM but do not cross into the subnet.
I have disabled the firewalls involved, including pfSense.
I can only get it to work if I add a static route on pfSense to the 192.168.1.0/24 network via the WAN gateway, but that seems silly (doesn't having a gateway automatically count as a route? Besides, the requests do get outside pfSense, so it knows about the route). If I add this rule, however, I cannot access pfSense over 192.168.1.161 but only through its LAN IP 192.168.10.1.
What am I doing wrong?
-
@Antonii said in WAN to LAN routing with firewall:
Internet --> OpenWRT main router ---> 192.168.1.0/24 home network ---> route to 192.168.10.0/24 over 192.168.1.161
192.168.1.161 pfSense inside VM (on a bridge containing the hardware NIC) --> 192.168.10.1 and 192.168.10.0/24 subnet on a virtual bridge

With this setup you can get internet access on the devices behind pfSense and also forward traffic from the internet to them on the router, but communication between the home network and the one behind pfSense will not work, because your home LAN devices don't know anything about the network behind pfSense and will send packets destined for it to the router. But the router won't forward this traffic, even if it has a static route.
So to set this up properly you need to set up a separate network between the router and pfSense. This can be a VLAN on the same wire, but you have to segment pfSense from the home LAN for proper routing.
Then add a static route on the router for the subnet behind pfSense pointing to its new IP in the separated network.
In pfSense set the router as the default gateway, so there is no need to add a static route.
-
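Added illustration, not code from the thread: a small longest-prefix-match routing simulator that traces the request and the reply, hop by hop, through the asker's flat layout (pfSense WAN on the home LAN) and through the separated transit network proposed in the answer above. The transit subnet 192.168.20.0/30 (router .1, pfSense .2), the VM address 192.168.10.50 and the home host 192.168.1.100 are assumptions made for the example. In the flat layout the VM's request leaves pfSense straight onto the home LAN while the reply comes back by way of the router, so the two directions take different paths; with the transit network every packet in both directions crosses the router-to-pfSense link, so pfSense sees both halves of each conversation.

```python
"""Trace packet paths through a set of hosts using per-host routing tables.

Added example for the pfSense routing thread; the transit-network addresses,
the VM address and the home host address are assumptions, not from the page.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Host:
    """A host or router: interface addresses (with prefix) plus static routes.
    Connected networks are derived from the addresses; "0.0.0.0/0" is the default route."""
    name: str
    addrs: list                                  # e.g. ["192.168.1.161/24", "192.168.10.1/24"]
    routes: list = field(default_factory=list)   # [(destination_network, gateway_ip), ...]
    forwards: bool = False                       # True for routers/firewalls, False for end hosts

    def next_hop(self, dst):
        """Longest-prefix match over connected networks and static routes.
        Returns the next-hop IP (the destination itself when on-link) or None."""
        dst = ipaddress.ip_address(dst)
        candidates = []
        for a in self.addrs:
            net = ipaddress.ip_interface(a).network
            if dst in net:
                candidates.append((net.prefixlen, dst))      # on-link: deliver directly
        for prefix, gw in self.routes:
            net = ipaddress.ip_network(prefix)
            if dst in net:
                candidates.append((net.prefixlen, ipaddress.ip_address(gw)))
        if not candidates:
            return None
        return max(candidates, key=lambda c: c[0])[1]


def trace(hosts, src, dst, max_hops=8):
    """Follow a packet from host `src` towards IP `dst` and return the list of
    host names it traverses; the list ends with "unreachable" if it is dropped."""
    owner = {ipaddress.ip_interface(a).ip: h for h in hosts for a in h.addrs}
    by_name = {h.name: h for h in hosts}
    dst = ipaddress.ip_address(dst)
    here, path = by_name[src], [src]
    for _ in range(max_hops):
        if dst in {ipaddress.ip_interface(a).ip for a in here.addrs}:
            return path                                   # delivered
        if here is not by_name[src] and not here.forwards:
            return path + ["unreachable"]                 # an end host does not forward
        nh = here.next_hop(dst)
        if nh is None or nh not in owner:
            return path + ["unreachable"]                 # no route, or no neighbour at that IP
        here = owner[nh]
        path.append(here.name)
    return path + ["unreachable"]


def symmetric(hosts, a, a_ip, b, b_ip):
    """True when the a->b path is exactly the b->a path reversed."""
    return trace(hosts, a, b_ip) == list(reversed(trace(hosts, b, a_ip)))


# Asker's layout: pfSense WAN (192.168.1.161) sits on the home LAN itself.
FLAT = [
    Host("router", ["192.168.1.1/24"], [("192.168.10.0/24", "192.168.1.161")], forwards=True),
    Host("pfsense", ["192.168.1.161/24", "192.168.10.1/24"], [("0.0.0.0/0", "192.168.1.1")], forwards=True),
    Host("vm", ["192.168.10.50/24"], [("0.0.0.0/0", "192.168.10.1")]),        # assumed VM address
    Host("homepc", ["192.168.1.100/24"], [("0.0.0.0/0", "192.168.1.1")]),
]

# Answer's layout: a dedicated transit network (assumed 192.168.20.0/30) between router and pfSense.
TRANSIT = [
    Host("router", ["192.168.1.1/24", "192.168.20.1/30"], [("192.168.10.0/24", "192.168.20.2")], forwards=True),
    Host("pfsense", ["192.168.20.2/30", "192.168.10.1/24"], [("0.0.0.0/0", "192.168.20.1")], forwards=True),
    Host("vm", ["192.168.10.50/24"], [("0.0.0.0/0", "192.168.10.1")]),
    Host("homepc", ["192.168.1.100/24"], [("0.0.0.0/0", "192.168.1.1")]),
]

if __name__ == "__main__":
    for label, topo in (("flat", FLAT), ("transit", TRANSIT)):
        print(label, "request:", " -> ".join(trace(topo, "vm", "192.168.1.100")))
        print(label, "reply:  ", " -> ".join(trace(topo, "homepc", "192.168.10.50")))
        print(label, "symmetric:", symmetric(topo, "vm", "192.168.10.50", "homepc", "192.168.1.100"))
```

The model ignores firewall policy and state on purpose: it only resolves where each hop's routing table sends the packet, which is enough to show that the flat layout produces one path out and a different path back, whereas the transit layout gives the same path in both directions.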
@viragomann You mean add a 2-host-only subnet between the main router and pfSense, where one IP is on the main router and the other one is the WAN of pfSense?
-
@Antonii
Yes, exactly.