Topic: Allow Wan traffic to Lan (Read 10182 times)
iyassamy
Newbie
Posts: 5
Karma: 0
Allow Wan traffic to Lan « on: August 10, 2017, 02:20:59 pm »
Hello everyone,
I am new to OPNsense.
Can anyone tell me how to allow traffic from WAN to LAN?
I have set firewall rules to allow it and disabled the NAT,
but I still can't ping a host on the LAN.
Can someone tell me how it is done?
« Last Edit: August 10, 2017, 02:28:09 pm by iyassamy »
Ciprian
Sr. Member
Posts: 284
Karma: 50
Re: Allow Wan traffic to Lan
« Reply #1 on: August 10, 2017, 03:04:53 pm »
Be aware that OPNsense does NAT by default regarding traffic between internal (LAN/OPT) interfaces and external (WAN) interfaces, so disabling the NAT is necessary but not sufficient: you would need ROUTE entries for your internal IPs in order to reach them from WAN (supplementary to FW rules -- as FW rules do not replace route rules).
Think of it as there being 2 different "guardians" on OPNsense, one being the router and the other being the firewall: they both have to know where your packets are intended to go, and to agree to direct (the router) / permit (the firewall) those packets.
More than this, your internal IPs HAVE to be public IPs, as RFC 1918 private IPs are not routable over the internet/WAN -- private IP ranges are simply dropped on routers over the internet. If you do have private IPs, your only option is to NAT/Port-Forward them in order to reach them from WAN.
iyassamy
Newbie
Posts: 5
Karma: 0
Re: Allow Wan traffic to Lan
« Reply #2 on: August 10, 2017, 03:18:15 pm »
Thank you for your quick reply and your detailed explanations, much appreciated.
What I want to achieve is to set up OPNsense as an internal firewall.
It will be between a web server and a database server, and it won't be connected to the internet.
Ciprian
Sr. Member
Posts: 284
Karma: 50
Re: Allow Wan traffic to Lan
« Reply #3 on: August 10, 2017, 05:34:56 pm »
If you mean to use OPNsense as an internal router, then do as in the attached image.
iyassamy
Newbie
Posts: 5
Karma: 0
Re: Allow Wan traffic to Lan
« Reply #4 on: August 10, 2017, 06:11:52 pm »
Still can't ping hosts from the "wan" subnet.
From the "lan" subnet there is no issue.
If it helps, here are some screenshots.
« Last Edit: August 10, 2017, 08:12:21 pm by iyassamy »
iyassamy
Newbie
Posts: 5
Karma: 0
Re: Allow Wan traffic to Lan
« Reply #5 on: August 10, 2017, 08:13:15 pm »
..
iyassamy
Newbie
Posts: 5
Karma: 0
Re: Allow Wan traffic to Lan
« Reply #6 on: August 10, 2017, 08:13:43 pm »
..
Crab
Newbie
Posts: 7
Karma: 0
Re: Allow Wan traffic to Lan
« Reply #7 on: March 12, 2019, 11:03:51 pm »
Not sure anyone is viewing this topic. I've posted nearly the exact same issue.
It is not true that routers will not route private IP traffic. Sure, if you have routers on the Internet they will only pass public IP traffic, but in educational settings we are using lots of Cisco gear that routes private IPs just fine. In the situation in this thread, I have found that disabling the firewall will cure the issue, but then you have no firewall. However, this proves the routing is working just fine.
The problem is that the solicited return traffic from the LAN seems to be dropped. I haven't put a packet inspector on the LAN side to gather more data to see exactly what is happening. But it seems that if traffic is originated from the WAN side, it won't get returned. If it is originated from the LAN side, things work fine. It appears to be strictly a firewall issue, as disabling packet filtering cures the issue.
So I don't see a solution in this post. I don't believe the answer given is valid in this context. It is quite common inside large organizations to use private IP addresses between sub-orgs and want to have a security appliance, and it is great for educational labs where one is testing the appliance.
Dave
Crab
Newbie
Posts: 7
Karma: 0
Re: Allow Wan traffic to Lan
« Reply #8 on: March 12, 2019, 11:12:29 pm »
Yes. Internal IPs DO NOT have to be public IPs. Although the "Internet" rules/policies state that private IPs are not allowed on the Internet, it requires ACLs and other mechanisms to specifically filter them out at the ISP level. Routers will route ANY addresses just fine.
micmh4ck
Newbie
Posts: 1
Karma: 0
Re: Allow Wan traffic to Lan
« Reply #9 on: May 03, 2021, 06:44:40 pm »
Hello,
I was facing the same issue, and I was able to fix it by adding a floating rule as follows:
Protocol: ICMP
Source: WAN net
Destination: LAN net
You can then add another rule for the protocol you want to allow.
My outbound NAT is set to Hybrid, but I have no manual rules, so it's the same as automatic.
Note that floating rules apply to every interface, so you don't have to repeat this rule on the WAN interface.
Hope it helps,
Micmh4ck
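For readers who want to see what the floating rule from Reply #9 amounts to underneath the GUI, here is an added illustration in pf syntax (OPNsense's packet filter). This is not the ruleset OPNsense generates and not code from anyone in the thread; the interface names, macro names and subnets are assumptions for the example.

```pf
# Added example, not OPNsense's generated rules. Names below are assumed.
wan_if  = "em0"
lan_if  = "em1"
wan_net = "10.0.0.0/24"     # assumed subnet on the "WAN" segment (web server side)
lan_net = "192.168.1.0/24"  # assumed subnet on the LAN segment (database side)

# Default deny on every interface; log drops so a blocked reply shows up
# in the firewall log instead of silently timing out.
block in log all

# The two segments are both internal, so there is no NAT statement at
# all: RFC 1918 addresses are forwarded as-is between $wan_if and $lan_if.

# Reply #9's floating rule. A floating rule is not bound to one interface;
# in pf that is simply a rule with no "on <interface>" clause, so it
# matches on whichever interface the packet arrives.
# "keep state" creates a state entry for the echo request, and the echo
# reply coming back from $lan_net is matched against that state, so no
# second rule for the reverse direction is needed.
pass in quick inet proto icmp from $wan_net to $lan_net icmp-type echoreq keep state

# "Another rule for the protocol you want to allow": the web server
# reaching the database server on an assumed TCP port. Only the SYN
# of a new connection has to pass the rule; the rest rides on state.
pass in quick inet proto tcp from $wan_net to $lan_net port 5432 flags S/SA keep state
```

If pings from the WAN side still fail with such a rule in place, the firewall log (the `block in log all` entry) shows on which interface and in which direction the packet was dropped, which separates a missing route from a missing or mis-ordered rule.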