LAN and WIFI standalone with 1 cross-access IP



  • I gave up on using the wireless on my alix 2d13… so I bought a standalone AP.

    I have 3 interfaces setup:

    • WAN (DHCP)

    • LAN (192.168.2.1)

    • WIFI (192.168.4.1)

    DHCP servers are setup for LAN and WIFI in their own subnets.
    The DNS forwarder is setup for LAN and WIFI, options checked are:

    • Register DHCP leases in DNS forwarder

    • Register DHCP static mappings in DNS forwarder

    • Do not forward private reverse lookups

    Though oddly, nslookup doesn't seem to resolve on either LAN or WIFI. Connections to the WAN correctly work from LAN and WIFI.

    What I'm trying to do is have one static address on the LAN accessible on the WIFI (a file server). I have the firewall rules in to allow it and I don't see it getting blocked in the logs.

    The thing I can't figure out is that the addresses on the LAN can reach the ones on the WIFI, but the ones on the WIFI can't reach the ones on the LAN.

    | Proto | Source | Port | Destination | Port | Gateway | Queue | Description |
    |---|---|---|---|---|---|---|---|
    | IPv4+6 TCP/UDP | * | * | ManagementAccess | 80 (HTTP) | * | none | Deny access to firewall management from WIFI HTTP |
    | IPv4+6 TCP/UDP | * | * | ManagementAccess | 443 (HTTPS) | * | none | Deny access to firewall management from WIFI HTTPS |
    | IPv4 TCP | WIFI net | * | Server | 22 | * | none | Allow SSH WIFI to LAN |
    | IPv4 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN |
    | IPv6 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN IPv6 |
    | IPv4 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN |
    | IPv6 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN IPv6 |

    As a side note, I also have access to the pfSense web GUI blocked from WIFI.

    It seems like a DNS issue. Do I need to create a bridge… or can I create a static mapping for that one IP?


  • LAYER 8 Netgate

    Can you ssh to the server IP address?  No, you don't need a bridge.



  • When accessing devices only on WIFI, nslookup and ping work.
    When accessing devices only on LAN, nslookup and ping work (though not nslookup on the static IP entries, which includes this server).
    I can ping and do nslookup going from LAN to WIFI.
    I cannot ping and do nslookup going from WIFI to LAN (SSH does work either).


  • LAYER 8 Netgate

    | Proto | Source | Port | Destination | Port | Gateway | Queue | Description |
    |---|---|---|---|---|---|---|---|
    | IPv4+6 TCP/UDP | * | * | ManagementAccess | 80 (HTTP) | * | none | Deny access to firewall management from WIFI HTTP |
    | IPv4+6 TCP/UDP | * | * | ManagementAccess | 443 (HTTPS) | * | none | Deny access to firewall management from WIFI HTTPS |
    | IPv4 TCP | WIFI net | * | Server | 22 | * | none | Allow SSH WIFI to LAN |
    | IPv4 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN |
    | IPv6 * | WIFI net | * | LAN net | * | * | none | Block all WIFI to LAN IPv6 |
    | IPv4 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN |
    | IPv6 * | WIFI net | * | * | * | * | none | Allow WIFI to WAN IPv6 |

    Those rules look good regarding ssh access to server, blocking access to LAN, and passing all else.  But I don't see rules passing DNS or ICMP (ping).

    ![Screen Shot 2014-10-07 at 11.12.58 PM.png](/public/imported_attachments/1/Screen Shot 2014-10-07 at 11.12.58 PM.png)


  • LAYER 8 Netgate

    Looking at it again, you don't have the block-all dest local_nets_v4 rule like I do, so your final pass rules should catch DNS and pings.

    Please let us know what the DNS configuration is.
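    To see why the posted WIFI rule set behaves the way the thread describes (SSH to the server passes, ping and DNS to LAN hosts are blocked, everything else from WIFI passes), the following added example models pfSense's top-down, first-match evaluation over those rules. It is not code from the thread or from pfSense; the pass/block actions are inferred from the rule descriptions, and the Server IP and the ManagementAccess alias members are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the two subnets from the post, plus assumed
# members for the "Server" and "ManagementAccess" aliases (not in the post).
NETS = {"WIFI net": "192.168.4.0/24", "LAN net": "192.168.2.0/24"}
ALIASES = {"Server": ["192.168.2.10"],
           "ManagementAccess": ["192.168.2.1", "192.168.4.1"]}

@dataclass
class Rule:
    action: str   # "pass" or "block", inferred from the rule description
    proto: str    # "*", "tcp", "udp", "tcp/udp", ...
    src: str      # "*", a network name, an alias name or a literal IP
    dst: str
    dport: str    # "*" or a port number as a string
    desc: str

# The IPv4 WIFI-interface rules from the first post, in the order listed.
# pfSense walks interface rules top-down and stops at the first match.
RULES = [
    Rule("block", "tcp/udp", "*", "ManagementAccess", "80", "Deny access to firewall management from WIFI HTTP"),
    Rule("block", "tcp/udp", "*", "ManagementAccess", "443", "Deny access to firewall management from WIFI HTTPS"),
    Rule("pass", "tcp", "WIFI net", "Server", "22", "Allow SSH WIFI to LAN"),
    Rule("block", "*", "WIFI net", "LAN net", "*", "Block all WIFI to LAN"),
    Rule("pass", "*", "WIFI net", "*", "*", "Allow WIFI to WAN"),
]

def _match_addr(spec, ip):
    if spec == "*":
        return True
    if spec in NETS:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(NETS[spec])
    return ip in ALIASES.get(spec, [spec])

def evaluate(src, dst, proto, dport=None):
    """Return (action, description) of the first matching rule; unmatched traffic hits the implicit default deny."""
    for r in RULES:
        if ((r.proto == "*" or proto in r.proto.split("/"))
                and _match_addr(r.src, src) and _match_addr(r.dst, dst)
                and (r.dport == "*" or str(dport) == r.dport)):
            return r.action, r.desc
    return "block", "default deny"

if __name__ == "__main__":
    wifi_client = "192.168.4.50"  # constructed WIFI client
    for dst, proto, port in [("192.168.2.10", "tcp", 22), ("192.168.2.10", "icmp", None),
                             ("192.168.4.1", "udp", 53), ("192.168.2.1", "udp", 53),
                             ("192.168.4.1", "tcp", 443)]:
        print(f"{wifi_client} -> {dst} {proto}/{port}: {evaluate(wifi_client, dst, proto, port)}")
```

    The run shows that ping from WIFI to any LAN host, and DNS aimed at the LAN address 192.168.2.1, stop at "Block all WIFI to LAN", while DNS to the forwarder on the WIFI address 192.168.4.1 falls through to the final pass rule.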

