Access LAN subnet from WAN IP



  • Hello everybody,

    this question may sound stupid, but I couldn't think of a solution for this problem.

    Config is like follows:

    pfSense 2.1

    On the WAN side I have my gateway to internet, 10.0.0.1 and my proxy server 10.0.0.100 (Windows Box w/ remote access.)
    On the LAN side I've got a 192.168.0.0/16 net.

    How can I access the 192.168.0.0/16 net from the Windows Box?

    I've got some routers on the LAN Segment I'd like to configure from my Windows Box which is on the WAN side, is this even possible?

    Greetings, Gunnar



  • Real internet router back-side is 10.0.0.1
    Windows box is 10.0.0.100
    Let's say the pfSense WAN IP is 10.0.0.2
    Easiest way would be add a route on the Windows box to 192.168.0.0/16 through 10.0.0.2
    Add a firewall rule on pfSense WAN - pass source 10.0.0.100 destination 192.168.0.0/16 (or destination IPs-in-192-168-you want reachable)
    Of course, in doing this you are opening up some or all of your LAN to access from 10.0.0.100, which itself has some sort of remote access (in a DMZ-style role here by the sound of it). So if something hacks into 10.0.0.100 from the internet, it can then proceed to try and access LAN devices. You may or may not care about this.



  • Hi there Phil,

    just tried the solution you mentioned. I had already added a route for the 192.168.0.0/16 net to my Windows box before.
    Now I also created a firewall rule to let this traffic pass to the LAN Subnet.

    Unfortunately, it still does not work. Do I have to give the 10.0.0.99 address (WAN side of pfSense box) to my Windows box as a kind of gateway?

    Please see attached screenshot from the config:



  • The route looks fine. The first WAN rule lets everything in, so you can't go wrong there - but it kind of defeats the idea of calling it a firewall :) The 2nd WAN rule by itself should also work.

    routers on the LAN Segment

    Now I see that the LAN segment has other routers, and presumably routes, behind it. Maybe those routers do not use the pfSense LAN IP (192.168.x.y) as their default gateway? Those routers will need to know that the route back to you at 10.0.0.0/24 is through the pfSense LAN IP 192.168.x.y - then they will be able to reply to your connection attempts.
    Post a network diagram if you get stuck further.
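To make the return-path point concrete, here is an added simulation (not from this thread or from pfSense) that walks a packet hop by hop through the topology described above, applies the WAN pass rule on the way in, and then walks the reply back. The addresses 10.0.0.2 (pfSense WAN, as assumed in the earlier reply), 192.168.0.1 (pfSense LAN) and 192.168.1.1 (one of the LAN-side routers) are assumptions for the example.

```python
from ipaddress import ip_address, ip_network

def next_hop(table, dst):
    """Longest-prefix match over [(prefix, next_hop)]; 'direct' means on-link."""
    matches = [(ip_network(p).prefixlen, nh) for p, nh in table if ip_address(dst) in ip_network(p)]
    return max(matches)[1] if matches else None

def wan_rule_passes(rules, src, dst):
    """pfSense WAN pass rules modelled as (source_net, destination_net) pairs."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d) for s, d in rules)

def walk(hosts, wan_rules, src, dst, max_hops=8):
    """Follow next hops from src to dst; returns 'ok' or where the packet stalls."""
    owner = {a: name for name, h in hosts.items() for a in h["addrs"]}
    cur = owner[src]
    for _ in range(max_hops):
        if dst in hosts[cur]["addrs"]:
            return "ok"
        nh = next_hop(hosts[cur]["table"], dst)
        if nh is None:
            return f"{cur}: no route to {dst}"
        arrive = dst if nh == "direct" else nh
        if arrive not in owner:
            return f"{cur}: next hop {arrive} is not on any known host"
        # Packets entering pfSense on its WAN address are subject to the WAN rules
        if owner[arrive] == "pfsense" and ip_address(arrive) in ip_network("10.0.0.0/24"):
            if not wan_rule_passes(wan_rules, src, dst):
                return f"pfsense WAN: blocked {src} -> {dst}"
        cur = owner[arrive]
    return "hop limit exceeded"

# Constructed topology; 10.0.0.2 (pfSense WAN), 192.168.0.1 (pfSense LAN) and
# 192.168.1.1 (a LAN-side router) are assumed addresses, not taken from the thread.
HOSTS = {
    "windows": {"addrs": {"10.0.0.100"}, "table": [("10.0.0.0/24", "direct"),
                ("0.0.0.0/0", "10.0.0.1"), ("192.168.0.0/16", "10.0.0.2")]},
    "pfsense": {"addrs": {"10.0.0.2", "192.168.0.1"}, "table": [("10.0.0.0/24", "direct"),
                ("192.168.0.0/16", "direct"), ("0.0.0.0/0", "10.0.0.1")]},
    # The LAN router knows only its own segment: it has no path back to 10.0.0.0/24
    "lan_router": {"addrs": {"192.168.1.1"}, "table": [("192.168.0.0/16", "direct")]},
}
WAN_RULES = [("10.0.0.100/32", "192.168.0.0/16")]

def with_return_route(hosts):
    """The fix from the reply above: the LAN router learns 10.0.0.0/24 is behind the pfSense LAN IP."""
    fixed = {n: {"addrs": h["addrs"], "table": list(h["table"])} for n, h in hosts.items()}
    fixed["lan_router"]["table"].append(("10.0.0.0/24", "192.168.0.1"))
    return fixed
```

With the original tables the forward walk succeeds but the reply stalls at the LAN router, which is exactly the symptom of "rule and route look fine but nothing answers"; after `with_return_route` both directions return "ok".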

