Netgate Discussion Forum

    Access from LAN1 to Access Point on LAN 2

    Routing and Multi WAN
    7 Posts 4 Posters 642 Views
      orphen76

      Hi everyone,
      I have a configuration with 4 LANs and 3 WANs. From the main LAN, which I call LAN1 for convenience (10.10.1.0/24), I can go anywhere, to any peripheral on the other LANs or WANs, except a TP-Link EAP610 AX1800 which is located on LAN 2 (10.5.1.0/26).
      When I try to log in on the GUI, the request times out.
      pfSense itself sees the device as if it were offline (which it isn't, it's on).
      Obviously if I'm on LAN2 I can easily access it.
      I tried to see if there was any particular configuration on the aforementioned access point, but nothing.
      Has something similar ever happened to you? Is there a workaround to resolve this?

      Thank you

      Regards,
      David

        viragomann @orphen76

        @orphen76 said in Access from LAN1 to Access Point on LAN 2:

        from the main LAN, which I call LAN1 for convenience (10.10.1.0/24), I can go anywhere, to any peripheral on the other LANs or WANs, except on a TP-Link EAP610 AX1800 which is located on LAN 2 (10.5.1.0/26).
        When I try to log in on the gui, the request times out.
        Obviously if I'm on LAN2 I can easily access it.

        I guess the device is simply blocking access from outside of its own subnet.

        If it has no setting to allow this you can masquerade traffic coming from the main LAN and destined to it by an outbound NAT rule.

          johnpoz LAYER 8 Global Moderator @orphen76

          @orphen76 Wifi routers that you are using as an AP quite often do not allow setting a gateway, so it's not possible to talk to them from another network.

          Also many of them might not allow access from a non local IP to the gui, some of them have settings to allow for that.

          Does your AP have its gateway set to pfsense? But as mentioned by @viragomann, doing a source nat so that the AP thinks you're talking to it from the pfsense IP in that network is a common workaround for either of those problems.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

            A Former User @viragomann

            @viragomann

            The "Layer-3 Accessibility" option of the AP's Web server needs to be enabled.

              orphen76 @johnpoz

              @johnpoz Hi, sorry for the delay, but I did not see your answer. Can you give me an example of how to do what you say?

              thanks a lot

                johnpoz LAYER 8 Global Moderator @orphen76

                @orphen76 create an outbound nat on the interface your AP is connected to, so when talking to your AP's IPs it nats to that interface's IP. The AP now thinks just some local IP is talking to it, so it has no need of a gateway to be able to answer some remote IP.

                cam2.jpg

                In the above example my poe cameras are behind the nvr. I have a leg on pfsense into this network that I call cam2, which is a 10.1.1 network. Now when I want to talk to one of the cameras directly from any of my other networks, which are all 192.168s, I nat the IP to my pfsense IP on this 10.1.1 network, the cam2 address, which is currently 10.1.1.253. So when I talk to one of the cameras they think just 10.1.1.253 is talking to them and they do not need to send the answer to their gateway (the nvr) at 10.1.1.1

                This is pretty much exactly how pfsense nats your internal IPs to your public wan address. Just doing it on your internal network.

                Notice here when I talk to one of my cameras on 10.1.1.128 you can see that pfsense natted this connection to its 10.1.1.253 address

                states.jpg

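The workaround discussed in this thread, modeled as an added example that is not part of any post above: it shows why the AP on 10.5.1.0/26 never answers a LAN1 client and how an outbound NAT rule on the LAN2 interface, scoped to the AP only, changes what the AP sees. The AP, pfSense and client addresses are constructed, and the AP's behaviour is a simplified model of the two causes named in the replies.

```python
import ipaddress as ip

LAN1 = ip.ip_network("10.10.1.0/24")        # from the thread
LAN2 = ip.ip_network("10.5.1.0/26")         # from the thread
AP = ip.ip_address("10.5.1.10")             # constructed AP address
OTHER = ip.ip_address("10.5.1.20")          # constructed second LAN2 host
FW_LAN2 = ip.ip_address("10.5.1.1")         # constructed pfSense LAN2 address
CLIENT = ip.ip_address("10.10.1.50")        # constructed LAN1 client

# Outbound NAT rule on the LAN2 interface, limited to LAN1 -> AP.
RULE = {"source": LAN1, "destination": ip.ip_network(f"{AP}/32"),
        "translate_to": FW_LAN2}


def ap_answers(src, gateway=None, layer3_access=False):
    """True if the AP accepts the request and can route a reply to src."""
    if src in LAN2:
        return True                  # on-link: no gateway or L3 option needed
    # Off-link sources need both the GUI option and a route back.
    return layer3_access and gateway is not None


def outbound_nat(src, dst, rules):
    """Return (source address seen on LAN2, state entry or None)."""
    for r in rules:
        if src in r["source"] and dst in r["destination"]:
            return r["translate_to"], {"orig": src, "nat": r["translate_to"]}
    return src, None


def reach_ap(client, rules, **ap_settings):
    """Return (source the AP sees, address the reply reaches or None)."""
    seen, state = outbound_nat(client, AP, rules)
    if not ap_answers(seen, **ap_settings):
        return seen, None            # request times out, as in the first post
    # The AP replies to `seen`; the firewall's state entry maps it back.
    delivered = state["orig"] if state and seen == state["nat"] else seen
    return seen, delivered


if __name__ == "__main__":
    print("no NAT, AP defaults:", reach_ap(CLIENT, []))
    print("with outbound NAT:  ", reach_ap(CLIENT, [RULE]))
    print("AP fixed instead:   ",
          reach_ap(CLIENT, [], gateway=FW_LAN2, layer3_access=True))
```

With the NAT rule in place the AP's own logs show the pfSense LAN2 address for every LAN1 administrator, so the real client address is only recoverable from the firewall's states and logs. Keeping the rule's destination limited to the AP leaves source addresses intact for every other LAN2 host.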
                  orphen76 @johnpoz

                  @johnpoz Thank you!
