OPNsense Forum

English Forums => General Discussion => Topic started by: CDuv on July 17, 2017, 05:40:41 pm

Title: Access WAN's subnet computers from LAN?
Post by: CDuv on July 17, 2017, 05:40:41 pm
TL;DR: I want to access, from LAN, some computers located on the WAN interface alongside my ISP gateway and my OPNsense box.

Full details:

I have the following setup:

OPNsense running on a server with 3 Ethernet interfaces.
* LAN/igb1 interface: 192.168.0.1/24
* WAN_A/igb0 interface: 192.168.1.1/24 (obtained via DHCP) (gateway is 192.168.1.254)
* WAN_B/igb2 interface: 192.168.1.100/24 (obtained via DHCP) (gateway is 192.168.1.1)

Note that my two WAN networks use the same network address (but I can't change it, using ISP's devices with no access to them): I know that and it should not interfere (I hope) with the rest of the issue.

On WAN_A, the ISP's gateway 192.168.1.254 should have some webGUI I want to access from any computer on the LAN network. Same thing for WAN_B with gateway 192.168.1.1 plus other devices (192.168.1.101, 192.168.1.102, 192.168.1.103, etc.).

Because I only need this access from time to time for maintenance purposes and there is a limited number of machines (<10), I can accommodate myself with some simple port redirections:
But the "Firewall: NAT: Port Forward" form does not allow specifying which interface the "target" resides on.

At first I wanted to make sure OPNsense can access the webGUI of the gateway of WAN_B/igb2 with:
Code:
curl --interface igb2 -D - http://192.168.1.1
But I seem to get the OPNsense auth form (and I'm 100% sure the gateway does not use OPNsense ;))
Title: Re: Access WAN's subnet computers from LAN?
Post by: bartjsmit on July 17, 2017, 06:11:47 pm
Does the computer have a route back to your LAN?

Bart...
Title: Re: Access WAN's subnet computers from LAN?
Post by: CDuv on July 19, 2017, 03:51:08 pm
None of the members of WAN_A or WAN_B have a route to LAN.

After some chat over the IRC channel it looks like I have to make sure my two WAN networks don't use the same address; it's causing too many issues (like this one maybe).

The way NAT is working, the interface that is chosen to access the NAT target is determined using the routing table; it cannot be chosen manually.

I've been granted access to change at least one of my WAN network addresses, so this should not be an issue anymore...
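
The address conflict discussed in this thread, as an added example that is not part of any post: a small Python model of a route lookup over the interface addresses given in the first post. It reports overlapping connected networks and shows which interface a destination resolves to. The function names and the tie-break rule (the first configured interface wins when two connected prefixes are identical) are assumptions made for the illustration, not OPNsense behaviour taken from the thread.

```python
import ipaddress

# Interface addresses as given in the first post (name -> address/prefix).
INTERFACES = {
    "LAN/igb1": "192.168.0.1/24",
    "WAN_A/igb0": "192.168.1.1/24",
    "WAN_B/igb2": "192.168.1.100/24",
}

def parse(interfaces):
    return {name: ipaddress.ip_interface(cidr) for name, cidr in interfaces.items()}

def overlapping_pairs(interfaces):
    """Return pairs of interface names whose connected networks overlap."""
    ifaces = list(parse(interfaces).items())
    pairs = []
    for i, (name_a, if_a) in enumerate(ifaces):
        for name_b, if_b in ifaces[i + 1:]:
            if if_a.network.overlaps(if_b.network):
                pairs.append((name_a, name_b))
    return pairs

def lookup(interfaces, destination):
    """Model a routing decision for `destination`.

    Returns ("local", iface) when the destination is one of the firewall's
    own addresses, ("connected", iface) for the longest matching connected
    prefix, or ("default", None) when only a default route could apply.
    Assumption: on equal prefix length the first configured interface wins.
    """
    dest = ipaddress.ip_address(destination)
    ifaces = parse(interfaces)
    for name, iface in ifaces.items():
        if iface.ip == dest:
            return ("local", name)
    best = None
    for name, iface in ifaces.items():
        if dest in iface.network:
            if best is None or iface.network.prefixlen > best[1].network.prefixlen:
                best = (name, iface)
    return ("connected", best[0]) if best else ("default", None)

if __name__ == "__main__":
    print("overlaps:", overlapping_pairs(INTERFACES))
    for target in ("192.168.1.254", "192.168.1.1", "192.168.1.101", "192.168.0.50"):
        print(target, "->", lookup(INTERFACES, target))
```

In this model 192.168.1.1 resolves as a local address of WAN_A, and the WAN_B devices such as 192.168.1.101 resolve through WAN_A's connected network, which is why renumbering one WAN removes the ambiguity.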