Accessing device on different subnet while using different gateways. Is bridging necessary?
-
@preposterous_story said in Accessing device on different subnet while using different gateways. Is bridging necessary?:
Is bridging necessary?
No. You need to fix your rules though. On LAN1 the Source has to be "LAN1 subnets" in all rules. Or any.
On LAN2 the Source has to be "LAN2 subnets" and so on.
-
Typically devices block access from outside of their own subnet. You have to configure its firewall accordingly to permit access from outside.
So I changed firewall rule inside my homeserver to allow from 192.168.0.0/16 on any port. Did I do something wrong here?
Also ensure that the network settings are correct. This also involves the network mask and the gateway.
Do you mean network settings on my homeserver?
Or do you mean that I have to change the gateways of my interfaces to be the same, like 192.168.1.1, but the DHCP servers should use 192.168.100.0/24, 192.168.101.0/24 and 192.168.102.0/24 respectively?
-
@preposterous_story said in Accessing device on different subnet while using different gateways. Is bridging necessary?:
So I changed firewall rule inside my homeserver to allow from 192.168.0.0/16 on any port. Did I do something wrong here?
Should be fine.
@preposterous_story said in Accessing device on different subnet while using different gateways. Is bridging necessary?:
Also ensure that the network settings are correct. This also involves the network mask and the gateway.
Do you mean network settings on my homeserver?
Of the homeserver. The gateway has to be the pfSense LAN3 interface address.
-
I've set the static IP and netmask 255.255.255.0 with gateway 192.168.102.1 (LAN3) on the home server. And I've also set a static lease for the same IP address within my DHCP server (192.168.102.0/24) on pfSense.
So this should be it?
Unfortunately, I still cannot access my home server. Am I missing something?
-
@preposterous_story
So to nail this down, run a packet capture on LAN3 while you try to access the homeserver from another subnet. Specify the server IP and the port you access in the respective filter fields, start the capture and try to access it.
Then check whether there are packets going to the server properly and whether responses are coming back.
-
Did you change your rules? In your rule sets, for Destination you need to put LAN1 Address or whatever port addresses you want to go to.
You can see under your current rules that no states are being made. So those rules are not being utilized for what you want to accomplish.
-
Here it is:
20:24:11.001731 IP 192.168.100.10.52865 > 192.168.102.2.443: tcp 0
20:24:11.002123 IP 192.168.102.2.443 > 192.168.100.10.52865: tcp 0
192.168.100.10 is my computer's IP and there are multiple packets with changing ports trying to access the same IP. And then the home server tries to access my device.
-
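The packet-capture check suggested above, applied to output in the format posted in reply, as an added example that is not part of the original thread: a small Python script (all function names are my own, written for this page) that parses tcpdump-style lines as pfSense's packet capture prints them, pairs each client flow with any packets the server sends back to the same client address and port, and lists the clients that never got an answer. The sample capture is constructed; its first two lines mirror the pair posted above, and the second client flow is made up so that a flow with no reply is also shown. Note that a packet from the server's port 443 back to the client's ephemeral port is the reply within the same connection, which is how the script classifies it.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump-style format pfSense's packet capture prints.
# The first two lines mirror the pair posted in the thread; the flow from
# 192.168.101.20 is made up to show a client that never receives an answer.
SAMPLE_CAPTURE = """\
20:24:11.001731 IP 192.168.100.10.52865 > 192.168.102.2.443: tcp 0
20:24:11.002123 IP 192.168.102.2.443 > 192.168.100.10.52865: tcp 0
20:24:15.113201 IP 192.168.101.20.40312 > 192.168.102.2.443: tcp 0
20:24:16.114880 IP 192.168.101.20.40312 > 192.168.102.2.443: tcp 0
20:24:18.120044 IP 192.168.101.20.40312 > 192.168.102.2.443: tcp 0
"""

# One capture line: "<time> IP <src>.<sport> > <dst>.<dport>: tcp <len>"
# (the default capture detail level does not print TCP flags, so we only
# count packets per direction rather than looking for SYN/SYN-ACK).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): tcp \d+$"
)


def parse_capture(text):
    """Return a list of (src, sport, dst, dport) tuples, ignoring lines that don't match."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return packets


def flow_report(text, server_ip, server_port):
    """Group packets into client flows keyed by (client_ip, client_port).

    A packet from client -> server_ip:server_port counts as 'to_server';
    a packet from server_ip:server_port -> that same client address and
    port counts as 'from_server', i.e. the reply inside the same connection.
    """
    flows = defaultdict(lambda: {"to_server": 0, "from_server": 0})
    for src, sport, dst, dport in parse_capture(text):
        if (dst, dport) == (server_ip, server_port):
            flows[(src, sport)]["to_server"] += 1
        elif (src, sport) == (server_ip, server_port):
            flows[(dst, dport)]["from_server"] += 1
    for stats in flows.values():
        stats["replied"] = stats["from_server"] > 0
    return dict(flows)


def unanswered_clients(report):
    """Clients whose packets reached the server-side interface but got nothing back.

    This matches a CLOSED:SYN_SENT state on the firewall: pfSense passed the
    SYN (so the rule is fine) and is still waiting for the other side.
    """
    return sorted(client for client, s in report.items() if not s["replied"])


def diagnose(report):
    """Map each client flow to a plain-English next step."""
    verdicts = {}
    for client, s in report.items():
        if s["replied"]:
            verdicts[client] = "server answered; look above layer 4 (client, TLS, application)"
        elif s["to_server"] > 1:
            verdicts[client] = ("repeated packets to the server, nothing back: check the "
                                "server's host firewall, its netmask/default gateway, or the link")
        else:
            verdicts[client] = "one packet, no reply yet: capture longer before concluding"
    return verdicts


if __name__ == "__main__":
    report = flow_report(SAMPLE_CAPTURE, "192.168.102.2", 443)
    for client, verdict in diagnose(report).items():
        print(f"{client[0]}:{client[1]} -> {verdict}")
```

Paste the capture text from the pfSense packet capture page into SAMPLE_CAPTURE (or read it from a file) and set the server IP and port to the ones used in the filter fields; a client listed by unanswered_clients() is one for which the firewall rule is already passing traffic and the problem lies on the server side.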
@preposterous_story
But this is now port 443, so probably TLS, which inserts an additional layer.
Are you able to access the server via HTTPS, when the client PC is on the same subnet as the server?
-
Sorry for that. There's no issue with this: the server automatically changes from HTTP to HTTPS, and I've written "https://192.168.102.2" in the address bar, that's why.
Now I've realised there's no internet on the port where I want to have the server. I have to deal with this also.
-
Are you able to access the server via HTTPS, when the client PC is on the same subnet as the server?
Yes, but this is when I use it on the router with all ports on the same subnet. And the subnet is different.
But I want to be able to have VPN connection, but local access to my home server which is not connected to a VPN.
-
I made a screenshot when I finished testing.
I tried now to see if I can access the home server on LAN2 because I have internet access there.
The rules are useful, they are passing traffic, but I get the CLOSED:SYN_SENT state. I have no idea why that is so.
-
@preposterous_story
Seems that the server is blocking the traffic anyhow.
@preposterous_story said in Accessing device on different subnet while using different gateways. Is bridging necessary?:
I tried now to see if I can access the home server on LAN2 because I have internet access there.
You'll have to add a rule to LAN2 to permit access.
-
CLOSED:SYN_SENT means nothing is replying.
-
Thank you all for helping me.
In the end I've managed to make it work.
As you said, the following rule(s) were necessary to access devices on OPT1 and OPT2 respectively.
There are some things that I learned along the way:
- When spoofing MAC address, don't spoof it on the interface you are accessing the web GUI from.
- Don't spoof WAN MAC address when connected to internet. Do it with WAN port disconnected. Also, clear DHCP leases on your upstream modem/router.
- When you already have an enabled interface, but then want to spoof the MAC address, delete the interface first and then recreate it with the spoofed MAC address. Re-enabling doesn't work properly.
- Sometimes the device you're trying to access doesn't allow access from a different subnet. This is the case with my OpenWrt router, but the home server works flawlessly.