How do I set up LAN to Wifi, Wifi to LAN. Wifi different subnet to LAN.



  • Hello,
I have been using pfSense for a while, and this initially did not seem like a complicated task, but I am unable to access my LAN from Wifi on my pfSense.

    I have an APU1D4GB model with a MikroTik RouterBOARD R11e-2HPnD.
The wireless card is running in access point mode; at 50% power it performs very well. (I bought two omnidirectional antennas and attached them to the pfSense case, I can upload some pictures if you are interested.)

    I am using 3 interfaces on the device:
    WAN - internet, DHCP client.
    LAN - my safe happy LAN, DHCP server, network 192.168.5.0/24, interface address 192.168.5.2
    ATH0 - my wireless access point interface, DHCP server, network 192.168.6.0/24, interface address 192.168.6.3

    I am able to access the internet via wifi, but I am unable to access any resources on the LAN interface.

    I have added firewall rules that I think should work:
    WAN allow > pfsense
    LAN antilockout rule anything allow > pfsense
    LAN 192.168.6.0/24 allow to 192.168.5.0/24
    LAN 192.168.5.0/24 allow to 192.168.6.0/24
    ATH0 allow anything to anything

    The goal is to be able to control what the ATH0 interface can access on the LAN, but as it is now nothing from the WAN can access anything on the LAN.

    Any help is much appreciated.

    Regards,


  • Netgate Administrator

    How are you testing the connection? What was the result?
    The only firewall rule you should need is on the ath interface allowing traffic to LAN.

    Steve


  • Netgate

    WAN allow > pfsense
    LAN antilockout rule anything allow > pfsense
    ~~LAN 192.168.6.0/24 allow to 192.168.5.0/24~~
    LAN 192.168.5.0/24 allow to 192.168.6.0/24
    ATH0 allow anything to anything

    The stricken rule does nothing. You will never see traffic coming into LAN from 192.168.6.0/24.

    Here's what you want to do in general:

    Pass traffic on ATH0 for things you want wireless clients to be able to do (like local DNS)
    Reject traffic on ATH0 for things you don't want wireless clients to be able to do (Like access LAN or the firewall itself)
    Pass traffic on ATH0 to everything else (the internet)

    Read this:
    https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

    Any questions post the part of that document you don't understand and ask away.

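As an added illustration (not code from the thread or from pfSense), here is a small Python model of pfSense's first-match rule evaluation using the poster's subnets. It shows why the LAN-tab rule for 192.168.6.0/24 can never match (wireless traffic enters on ATH0, not LAN) and how the pass / reject / pass ordering described above behaves. The Packet and Rule types are my own; the firewall addresses 192.168.5.2 and 192.168.6.3 come from the thread, and port 53 is assumed for "local DNS".

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN_NET = ipaddress.ip_network("192.168.5.0/24")
WIFI_NET = ipaddress.ip_network("192.168.6.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
# The firewall's own LAN and ATH0 addresses from the thread (pfSense's
# "This Firewall" alias; a set here so `in` works like it does for a network).
THIS_FW = {ipaddress.ip_address("192.168.5.2"), ipaddress.ip_address("192.168.6.3")}

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet ENTERS on; pfSense evaluates rules there
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                  # "pass" or "reject"
    src: ipaddress.IPv4Network
    dst: object                  # an IPv4Network or the THIS_FW set
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; with no match pfSense's default deny applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "default-deny"

# The pass / reject / pass ordering on ATH0 described in the post (constructed).
RECOMMENDED = [
    Rule("ATH0", "pass",   WIFI_NET, THIS_FW, dport=53),  # local DNS on the box
    Rule("ATH0", "reject", WIFI_NET, LAN_NET),            # no access to LAN hosts
    Rule("ATH0", "reject", WIFI_NET, THIS_FW),            # no access to the firewall
    Rule("ATH0", "pass",   WIFI_NET, ANY),                # everything else (internet)
]
# The poster's LAN-tab rule: wireless traffic never ENTERS on LAN, so this
# rule can never match anything (the "stricken" rule).
OP_LAN_RULE = [Rule("LAN", "pass", WIFI_NET, LAN_NET)]
```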



  • WAN allow > pfsense

    You really do NOT want any general rules on WAN that pass anything.
    For any traffic flows/states initiated from the LAN and WiFi interfaces out to the internet, the matching traffic flowing back is allowed by the stateful firewall anyway.
    You only want pass rules on WAN for specific servers that are providing some internet service, or your VPN server…
    Also do not allow remote access to pfSense webGUI itself - better to have a VPN server on the pfSense and connect to that remotely to do remote management.



  • Thank you for your help, the problem was actually just me being a bit stupid.
    So there were two issues:
    my expectations and an older config backup.

    The APU1D was configured from a backup of a config from my old P4 pfsense box.
    I did not dig through the details, but essentially after a factory reset and the above FW rules, things worked as required.
    I was able to access the LAN from the ATH0 wireless network.

    I guess you shouldn't expect the backup config to work across different hardware.

As for my expectations, I have an OMV installation and I wanted to use DLNA across the two networks, but it uses multicast that is non-routable.
    I have been tinkering with the IGMP proxy without any luck.


  • Netgate Administrator

    Generally speaking you can import an old backup file into new hardware. There are some things that are specific though like the interface names but pfSense will ask you to re-assign them at the first boot. It can be a problem if the previous hardware had more interfaces than the new hardware.
    You certainly can import a config file from an older pfSense version, there are scripts to translate it to the newer config file format.

Getting DLNA to play nicely can be a challenge!  ;) It's usually much easier to use a client that allows you to enter the server IP directly. Quite why all clients don't allow that is beyond me.

    Steve


