VM access in LAN pfsense from home network
-
Good afternoon! I have the following structure. In my home network, I have a router and a number of devices connected to it (an OrangePi single-board PC, etc.). My computer is also connected to the router. Several VMs are created on it according to the drawing. I have performed the standard pfSense configuration, configured LAN, DHCP in them, DNS, Firewall rules. As a result, I have internet access from each of the VMs, and the red line indicates that one VM cannot communicate with the other. From these VMs, I can access the internet, as well as other devices on my home network (ping, ssh to OrangePi). But the problem is that I cannot access these VMs from OrangePi (for example, I cannot execute the command on OrangePi #ping 10.10.30.51). I know that it is possible to configure NAT Forwarding, but this will only work for the service on the specified port. Is it possible to make all VMs available by their addresses?
-
To access the subnets behind pfSense from the Orange Pi, it would need a route to them via the pfSense WAN IP. pfSense would also need firewall rules to pass that.
pfSense will route between the LAN1 and LAN2 internal subnets by default though. You should only need appropriate firewall rules in place to pass it.
The other thing you might see there is that VM1 and VM2 might have local software firewalls that reject traffic from outside their own subnets.
-
@stephenw10 said in VM access in LAN pfsense from home network:
need a route to them via the pfSense WAN IP
I just started to figure out pfSense. I understand correctly that I need to add the GatewayLAN1, 2, 3 addresses in the System > Routing > Gateways section (initially there is only WAN). After that, go to the Static Route section and make the settings (specify Destination network 192.168.1.0/24, and in the Gateway section 10.10.20.1 (10.10.30.1 or 192.168.110.1)). After that, go to the Firewall Rules section and allow the connection to Source - 192.168.1.0/24, Destination - 10.10.20.1, for example. If I'm wrong about something, then correct me if it doesn't take you long.
If I made a mistake somewhere in the described algorithm, then tomorrow I can provide screenshots of all current settings in pfSense.
-
@artm1904 said in VM access in LAN pfsense from home network:
I understand correctly that I need to add the GatewayLAN1, 2, 3 addresses in the System > Routing > Gateways section (initially there is only WAN). After that, go to the Static Route section and make the settings (specify Destination network 192.168.1.0/24, and in the Gateway section 10.10.20.1 (10.10.30.1 or 192.168.110.1)).
No. You should only have one gateway in pfSense itself and that should be the WAN.
In order to route traffic to those subnets without port forwarding you have to add the routes to the Orange Pi directly. And add them via the pfSense WAN IP.
You might be able to add a route in the ISP router instead but many don't allow that and it will create asymmetric traffic that might be blocked.
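The routing advice in the reply above, modelled as an added example that is not part of the thread: it walks a packet from the Orange Pi to 10.10.30.51 and back, with the static route placed nowhere, on the Orange Pi, or on the ISP router, so the asymmetric case is visible. The Orange Pi, ISP router and pfSense WAN addresses are constructed placeholders and the /24 mask is an assumption; pfSense firewall rules are not modelled.

```python
import ipaddress

# Constructed addresses: the thread does not give the Orange Pi, ISP router or
# pfSense WAN IPs, so these are placeholders. Only 10.10.30.51 and the LAN
# gateway 10.10.30.1 come from the posts; the /24 mask is assumed.
ROUTER, PFSENSE_WAN, ORANGEPI = "192.168.1.1", "192.168.1.50", "192.168.1.20"
VM, VM_NET, HOME = "10.10.30.51", "10.10.30.0/24", "192.168.1.0/24"
OWNER = {ROUTER: "router", PFSENSE_WAN: "pfsense", "10.10.30.1": "pfsense",
         ORANGEPI: "orangepi", VM: "vm", "upstream": "isp"}

def next_hop(table, dst):
    """Longest-prefix match; a gateway of None means the net is on-link."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in table
            if addr in ipaddress.ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def path(tables, node, dst):
    """Follow routing tables hop by hop; return the nodes a packet visits."""
    hops = [node]
    while OWNER[dst] != node and node in tables and len(hops) < 8:
        node = OWNER[next_hop(tables[node], dst) or dst]
        hops.append(node)
    return hops

def scenario(static_route_on=None):
    """Forward (Orange Pi -> VM) and return paths with the static route to
    VM_NET via the pfSense WAN IP placed on 'orangepi', 'router' or nowhere."""
    tables = {
        "orangepi": [(HOME, None), ("0.0.0.0/0", ROUTER)],
        "router":   [(HOME, None), ("0.0.0.0/0", "upstream")],
        "pfsense":  [(HOME, None), (VM_NET, None), ("0.0.0.0/0", ROUTER)],
        "vm":       [(VM_NET, None), ("0.0.0.0/0", "10.10.30.1")],
    }
    if static_route_on:
        tables[static_route_on].append((VM_NET, PFSENSE_WAN))
    return path(tables, "orangepi", VM), path(tables, "vm", ORANGEPI)

if __name__ == "__main__":
    for where in (None, "orangepi", "router"):
        fwd, back = scenario(where)
        print(f"route on {where}: out {' > '.join(fwd)} | back {' > '.join(back)}")
```

With the route on the ISP router, the outbound packet crosses the router but the reply goes from pfSense straight to the Orange Pi, so the router sees only one direction of the flow.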
-
@stephenw10 said in VM access in LAN pfsense from home network:
add the routes to the Orange Pi directly
Okay, thanks for the idea. Initially, I tried to add a path to the router itself, but I did not find such an opportunity. I'll try your idea tomorrow. Thanks for the quick replies, have a nice evening!)