WAN to LAN access



  • Hello,
    I have an existing LAN1 setup on 192.168.2.0.
    I have pfSense set up on a box with 2 wired Ethernet interfaces and one wireless, then hooked it to the above LAN, as follows:

    1. PF WAN's connection is at 192.168.2.100 sitting on my pre-existing LAN1.
    2. PF LAN's connection is at 192.168.3.1  (no bridging)
    3. PF Wifi's connection is at 192.168.4.1 (access point with captive portal, no bridging; anything I had tried for the
    wired LAN applies to the wifi LAN as well).

    I have DHCP running on both the 3 and 4 subnets, and everything seems to work fine. But I need to be able to access
    my systems on the PF LANs from the WAN (my pre-existing LAN1).

    Let's assume I have a box at 192.168.3.2 (LAN) and another at 192.168.2.2 (WAN).  I added routes from 192.168.2.2 to my 192.168.2.100
    IP for PF's WAN and set the all/any (including ICMP) rules on PF's firewall (both LAN and WAN) to test.

    From the 192.168.2.2 box:
    I can ping the gateway at 192.168.3.1 but I cannot ping 192.168.3.2 (pingable inside its own LAN)
    When I traceroute to 192.168.3.2 it goes to 192.168.2.100 (PF's WAN IP)  then times out.

    The routes on PF all seem fine, and I am not blocking anything in the firewall (in fact I am explicitly allowing everything).

    This is my first 'real' install of pfSense, and I am sure I am missing or not understanding something, and I would appreciate any
    help figuring out how to access my LAN machines from the WAN side of pfSense.

    Thanks,

    Chafik



  • You have to set rules to pass the data in pfSense. Your pass rules should point to the subnets. And uncheck 'Block private networks' and 'Block bogon networks' on the 'WAN' interface page. These prevent ALL private network traffic from passing through.

    So your rules should look like this:

    Proto | Source | Port | Destination | Port | Gateway

    * | WAN net | * | * | * | *
    * | LAN net | * | * | * | *
    * | WIFI net | * | * | * | *

    I'm not sure of the config I've got there for WAN, but that should be all you need.

    That being said, you should try setting pfS up as the main router instead of configuring it for an existing LAN. (And what kind of rig is your 'LAN1'?)



  • Thanks for the reply. I have been away travelling, but I am back, trying to get this issue resolved.

    @shadowadepts:

    You have to set rules to pass the data in pfSense. Your pass rules should point to the subnets. And uncheck 'Block private networks' and 'Block bogon networks' on the 'WAN' interface page. These prevent ALL private network traffic from passing through.

    So your rules should look like this:

    Proto | Source | Port | Destination | Port | Gateway

    * | WAN net | * | * | * | *
    * | LAN net | * | * | * | *
    * | WIFI net | * | * | * | *

    I already had the above configuration.

    @shadowadepts:

    I'm not sure of the config I've got there for WAN, but that should be all you need.

    That being said, you should try setting pfS up as the main router instead of configuring it for an existing LAN. (And what kind of rig is your 'LAN1'?)

    I am not sure what you mean by the "rig for LAN1"?

    I basically have an Atom-based PC with 2 Gig LAN interfaces and an Atheros mini-PCI wifi interface. I cannot use this box as the main router, as I don't have control over that part (i.e. the 2.0 LAN). What I have is:

    << LAN on 192.168.2.0 >> – gigLAN1 192.168.2.100<< PfSense Box >> -- gigLAN2 192.168.3.1 LAN
                                                                                                    |-- OPT Wifi on 192.168.4.1 WLAN

    I am running DHCP on both the 3.0 and 4.0 LANs. Everything works fine, except that I need to be able to access the 3.0 and 4.0 LANs from the 2.0 side.

    I have static routes on the 2.0 side pointing to the 3.1 and 4.1 gateways, which I can ping. But I cannot see any other systems hooked up on either the 3.0 or 4.0 networks.

    Thanks.



  • Hello,
    I have the same configuration and firewall rules as wahran, except without opt1 and with no static routes.
    And I'm having the same problem: I can't access the LAN from a computer on the WAN side (ex-LAN).
    I can't even ping the pfSense WAN port, although I can ping anything from the LAN.
    Any help appreciated.
    Thanks



  • Remember that your 'pass' rules must be at the top of the list (unless you have block rules).

    @wahran:

    I am not sure what you mean by the "rig for LAN1"?

    I basically have an Atom-based PC with 2 Gig LAN interfaces and an Atheros mini-PCI wifi interface. I cannot use this box as the main router, as I don't have control over that part (i.e. the 2.0 LAN). What I have is:

    << LAN on 192.168.2.0 >> – gigLAN1 192.168.2.100<< PfSense Box >> -- gigLAN2 192.168.3.1 LAN
                                                                                                    |-- OPT Wifi on 192.168.4.1 WLAN

    I am running DHCP on both the 3.0 and 4.0 LANs. Everything works fine, except that I need to be able to access the 3.0 and 4.0 LANs from the 2.0 side.

    I have static routes on the 2.0 side pointing to the 3.1 and 4.1 gateways, which I can ping. But I cannot see any other systems hooked up on either the 3.0 or 4.0 networks.

    Thanks.

    What I meant was whether it is pfS connecting you to the net or a basic router, but you've answered that now. To be honest, it sounds like you don't have proper rules set on your 3.0 and 4.0 segments to allow the ping traffic to pass back to the 2.0 network. Try enabling 'Bypass firewall rules for traffic on the same interface' under 'System > Advanced Functions', or create an alias for the 2 and 3/4 networks on each box:

    2.0
    Name: netpass | Type: Network(s) | Networks: 192.168.3.0/24, 192.168.4.0/24

    netpass  192.168.3.0/24, 192.168.4.0/24  Network alias

    3.0 / 4.0: Name: netpass | Type: Network(s) | Networks: 192.168.2.0/24

    netpass  192.168.2.0/24  Network alias

    Then set up a pass rule on the interface that the traffic is INBOUND on (which in your case is WAN):

    *  netpass  *  *  *  *    Network Traffic Pass

    I may get yelled at for that being wrong, but try that out and see what results you get.

    Also, were you able to ping from 3.0 or 4.0 to 2.0?
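
    The two suggestions in this thread, the WAN-interface settings and pass rules in the second post and the WAN-inbound pass rule for the 2.0 network in the post above, both act on the path a WAN-initiated ping takes through the pfSense box. The following is an added example, not code from the thread or from pfSense, that models that path hop by hop with the addresses named in the posts: it applies longest-prefix routing on each box, the 'Block private networks' option and per-interface pass rules on the WAN side, and pf's stateful behaviour (a reply matching a state created on the way in passes without a rule of its own). Two things in it are assumptions for illustration only: a LAN1 router at 192.168.2.1 as the default gateway of the 2.0 hosts, and an optional host firewall on 192.168.3.2 that only answers echo requests from its own subnet. The thread never identifies the actual cause; the scenarios here only show where each misconfiguration would stop the exchange.

```python
# Added example: hop-by-hop model of the WAN-to-LAN ping discussed in this thread (not pfSense code).
# The LAN1 router at 192.168.2.1 and the host firewall on 192.168.3.2 are assumptions for illustration.
from ipaddress import ip_address, ip_network

PRIVATE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Host:
    """A box with interfaces (name, address, subnet) and static routes (net, gateway)."""

    def __init__(self, name, ifaces, routes, local_subnet_icmp_only=False):
        self.name = name
        self.ifaces = [(i, ip_address(a), ip_network(n)) for i, a, n in ifaces]
        self.routes = [(ip_network(n), ip_address(gw)) for n, gw in routes]
        # Assumption: a host firewall that answers echo requests only from its own subnet.
        self.local_subnet_icmp_only = local_subnet_icmp_only

    def owns(self, ip):
        return any(ip == a for _, a, _ in self.ifaces)

    def iface_for(self, ip):
        """Name of the interface whose subnet contains ip, or None."""
        return next((i for i, _, n in self.ifaces if ip in n), None)

    def next_hop(self, dst):
        """Longest-prefix match; an on-link destination is delivered directly."""
        if self.iface_for(dst):
            return dst
        best = max((r for r in self.routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
        return best[1] if best else None

    def accepts(self, src):
        return not self.local_subnet_icmp_only or self.iface_for(src) is not None

class PfSense(Host):
    """pfSense: per-interface pass rules, the WAN 'Block private networks' option, and pf state."""

    def __init__(self, name, ifaces, routes, block_private=True, pass_ifaces=()):
        super().__init__(name, ifaces, routes)
        self.block_private = block_private
        self.pass_ifaces = set(pass_ifaces)  # interfaces carrying a pass-any rule
        self.states = set()  # (src, dst) pairs already allowed by a rule

    def filter(self, in_iface, src, dst):
        """Return a drop reason, or None if the packet passes (creating state)."""
        if (dst, src) in self.states:  # reply to an established state needs no rule
            return None
        if in_iface == "WAN" and self.block_private and any(src in n for n in PRIVATE_NETS):
            return "dropped by 'Block private networks' on WAN"
        if in_iface not in self.pass_ifaces:
            return f"no pass rule on {in_iface}"
        self.states.add((src, dst))
        return None

def trace(hosts, start, src, dst):
    """Follow one packet src->dst from box `start`; return (delivered, hops)."""
    src, dst, cur, hops = ip_address(src), ip_address(dst), start, [start.name]
    for _ in range(8):
        if cur.owns(dst):
            if not cur.accepts(src):
                hops.append(f"{cur.name}: host firewall drops off-subnet {src}")
                return False, hops
            return True, hops
        nh = cur.next_hop(dst)
        nxt = next((h for h in hosts if h.owns(nh)), None) if nh else None
        if nxt is None:
            hops.append(f"{cur.name}: " + (f"no route to {dst}" if nh is None else f"next hop {nh} is off the path"))
            return False, hops
        reason = nxt.filter(nxt.iface_for(nh), src, dst) if isinstance(nxt, PfSense) else None
        hops.append(nxt.name)
        if reason:
            hops.append(f"{nxt.name}: {reason}")
            return False, hops
        cur = nxt
    return False, hops + ["hop limit exceeded"]

def ping(hosts, a, a_ip, b, b_ip):
    """Echo request a->b, then reply b->a; returns (ok, forward_hops, reply_hops)."""
    ok, fwd = trace(hosts, a, a_ip, b_ip)
    ok, rep = trace(hosts, b, b_ip, a_ip) if ok else (False, [])
    return ok, fwd, rep

def scenario(block_private, static_route=True, host_fw=False, pass_ifaces=("WAN", "LAN", "OPT1")):
    """Build the boxes from the thread with the given settings; ping 3.1 and 3.2 from 2.2."""
    routes = [("192.168.3.0/24", "192.168.2.100"), ("192.168.4.0/24", "192.168.2.100")] if static_route else []
    lan1_host = Host("192.168.2.2", [("eth0", "192.168.2.2", "192.168.2.0/24")],
                     routes + [("0.0.0.0/0", "192.168.2.1")])  # 192.168.2.1: assumed LAN1 router
    pf = PfSense("pfSense", [("WAN", "192.168.2.100", "192.168.2.0/24"), ("LAN", "192.168.3.1", "192.168.3.0/24"),
                             ("OPT1", "192.168.4.1", "192.168.4.0/24")], [("0.0.0.0/0", "192.168.2.1")],
                 block_private, pass_ifaces)
    lan_host = Host("192.168.3.2", [("eth0", "192.168.3.2", "192.168.3.0/24")],
                    [("0.0.0.0/0", "192.168.3.1")], local_subnet_icmp_only=host_fw)
    hosts = [lan1_host, pf, lan_host]
    return {"3.1": ping(hosts, lan1_host, "192.168.2.2", pf, "192.168.3.1"),
            "3.2": ping(hosts, lan1_host, "192.168.2.2", lan_host, "192.168.3.2")}
```

    Calling `scenario(block_private=True)` stops both pings at the pfSense WAN interface, which is the case the second post addresses; `scenario(block_private=False)` delivers both and returns the reply from 192.168.3.2 through 192.168.3.1 on the state created by the inbound request, so a pass rule on WAN alone (`pass_ifaces=("WAN",)`) is enough for the echo reply. `scenario(block_private=False, static_route=False)` sends the request to the assumed LAN1 router instead of 192.168.2.100, and `scenario(block_private=False, host_fw=True)` reproduces the pattern of the first post (3.1 answers, 3.2 does not) under the host-firewall assumption. Outbound NAT is left out deliberately: pf matches the reply against the state created when the request came in on WAN, so the WAN-initiated exchange is never rewritten.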

