[SOLVED] How to access LAN from WAN

[EKinox09]

Hi all, i have an extremely simple question: How to access LAN from WAN ?
I'm setting up OPNSense firewall; it's freshly installed on a Proxmox server, with 2 RJ45 interfaces bridged.
By default, the FW rule allow my LAN computers to access WAN and internet. Perfect.
I'm setting up my LAN (10.0.0.x) and; for a moment, i need to access my whole LAN from my WAN (all IP and all protocols, ping).
May you explain me how to do ?

Here is my configuration:
Internet<----->[PublicIP]Box[192.168.2.1]<-----WAN(DHCP from Box)----->[192.168.2.134]OPNSense[10.0.0.1])<-----LAN(DHCP from OPNSense)----->Computers, etc...

I've seen example on the forum/net, forum FAQ/Tutorial, and done the following without success:
- "Block private networks" unchecked on the WAN Interface
- Disable NAT (NAT/Outbound set to manual or disable)
- Set up a FW WAN rule (pass-in-Protocol:IPv4*-Source:WAN net-Port:*-Destination:*)
- Set up the gateway of the computer I use to 192.168.2.134 (WAN IP of OPNsense)

Thanks for your help.

[hbc]

The question is: what do you mean with wan?

Just the subnet on wan side 192.168.2.0/24 to access 10.0.0.0/24 or do you mean external public addresses on internet?
And what is "Box"? Other router, DSL-modem, ...?

Do you use double-NAT or routing between internet and OPNsense? Do you want to expose single ports to internal servers or complete access to all lan clients? First needs port forwarding, last VPN.

Conclusion: without knowing the exact goal, it's hard to help.

[EKinox09]

Thanks for helping me.
I call WAN the WAN side of OPNSense (the part of the network called WAN in the description of my configuration; the 192.168.2.0/24 subnet).
The box is a Bell DSL-modem giving access to Internet and providing DHCP on the 192.168.2.0/24 subnet.
I have a laptop on this subnet 192.168.2.0/24 and what to allow it to access to computers on the 10.0.0.0/24. Access means i would like to ping them, to access via SSH, HTTP, HTTPS. If i understand your answer, i need to set up a VPN in order to access to the whole 10.0.0.0/24 subnet. I thought there was an OPNSence configuration allowing to do that more easily.

[hbc]

VPN was the way if you want complete external access. Since you just want access from 192.168.2.0/24, there is easier setup.

Be sure OPNsense does no NAT. You just need need NAT to internet and this will do your Bell modem I guess. Then disable the block private networks option on OPNsense wan interface.
Then setup your access rules on wan interface.

Now the important stuff that I think you missed: default route

What route uses your laptop? I guess 192.168.2.1. Since your laptop does not know the 10 network, it will use it's default gateway - the Bell DSL modem. And your modem does not know 10 network either. So it will route into internet and your provider discards RFC1918 packet or your modem already does.

So our have 2 choices:

• set a route for 10.0.0.0/24 on your laptop that directs to 192.168.2.134/32
• set a route for 10.0.0.0/24 on your modem that directs to 192.168.2.134/32

If just your laptop needs access, a route on your laptop is the best. If there are other devices in 192.168.2.0/24 network that shall have access to 10 network, your modem is better choice.

Edit:
Just saw that you already tried to set route on laptop. So it should work. Make sure your network masks are correct.

route add -p 10.0.0.0 mask 255.255.255.0 192.168.2.134

[EKinox09]

"Be sure OPNsense does no NAT" ==> What i have to do in OPNSense ?
"disable the block private networks option on OPNsense wan interface" ==> Done (it was already the case)
"What route uses your laptop?" ==> The laptop has 192.168.2.134 as gateway.

Here are the IP (wifi) parameter of my laptop:
   IP: 192.136.2.24
   Subnet mask: 255.255.255.0
   Default gateway: 192.168.2.134
   DNS: 192.168.2.134 and 8.8.8.8

Here are the OPNSence parameters:
Interface LAN:
   10.0.0.1/32
   DHCP 10.0.0.0/24
Interface WAN:
   192.168.2.134/32
   Gateway "AutoDetect" (Set to 192.168.2.1 during OPNSense installation)
   "Block private networks" unchecked
Firewall LAN: 1 rule:
   pass-in-Protocol:IPv4*-Source:LAN Net-Port:*-Destination:* (Default OPNSense rule)
Firewall WAN:
   pass-in-Protocol:IPv4*-Source:WAN Net-Port:*-Destination:LAN Net
NAT:
   Port Forward: Interface:LAN-Proto:TCP-Source:*-Destination:LAN Adress-Ports:80,443 (Default OPNSense Anti-Lockout Rule)
   Outbound: Automatic

(OPNSense has been rebooted with these parameters)

Result:
   -  Subnet 10.0.0.0/24 access internet correctly. One question: If i disable NAT Outbound, there is no more internet; i've understood that with "Block private networks" unchecked, there was no need to NAT. Then, why i need NAT Outbound in order to give access to Internet from the LAN ?
   - My laptop still don't have access to 10.0.0.0/24 (ping, HTTP or HTTPS). No progress unfortunately.

[hbc]

One more question: is this modem really just a modem or does it act as router? Can the laptop in 192.168.2.0 network use it directly as internet gateway or not?
If it just acts as modem and is controlled by OPNsense, then of course the sense must do the NAT. But why would somebody put a laptop between sense and modem?

The last modem I used was 56k and serial attached. Then I just used routers. So I'm not familiar why there are devices between modem and firewall.

[EKinox09]

The modem is an Bell HUB 3000 Modem that provide internet to the house. It acts as router and provide 192.168.2.0/24 subnet to the whole house (RJ45 and Wifi).
I'm just setting up the OPNSense firewall; for the moment, major part of my devices are on this subnet (192.168.2.0/24)(the laptop is still on this subnet); progressively, once the OPNSense will be parametered correctly, i will migrate my devices to the "LAN" side of the OPNSence (10.0.0.0/24).
At this time, i will see if i can "bridge" the modem but i don't think this option is available on this model. But, this will be in some weeks... Now, i would like to be more familiar with OPNSense and it's not the case since i'm not even able to grant access of my devices on the 192.168.2.0/24 to the 10.0.0.0/24....

[hbc]

If your modem acts as router and does NAT and your clients behind OPNsense shall have internet, you need to set the route on your modem. Your modem sees the 10 network as source, NAT it and then does not know where to send the answer to 10 network.

[EKinox09]

The devices "behind" OPNSense have already access to Internet. No issue with that with the default/factory configuration of OPNSense.
I would like to access from my laptop, located "between the modem and OPNSense", on the 192.168.2.0/24 subnet, to access devices "behind" OPNSense, on the 10.0.0.0/24.

[hbc]

Hmm, ok. I'm out. I don't understand what you want or did.

You wrote:

If i disable NAT Outbound, there is no more internet

Now suddenly they have internet access without NAT.

So just keep everything like it is, connect your modem directly via cross over cable to OPNsense wan and all clients behind. Works

[EKinox09]

I've tried to explain and give as much detail as i can. Sorry if it's still not clear enough.

The devices on the 10.0.0.0/24 subnet (LAN side of OPNSense) have Internet; with the default factory of OPNSense; this is not an issue or something i want to solve. Regarding my question on the NAT Outbound, it was only a question in order to undestand the way OPNsense worked.

What i want to do is access from my laptop (located on the 192.168.2.0/24 subnet (the "WAN" side of OPNsense)) to the devices located on the "LAN" side of OPNsense (10.0.0.0/24 subnet).
I understand it's not usual, i should have no device between my ADSL Modem and OPNsense (on the 192.168.2.0/24 subnet), but i'm configuring it, and, for a moment, i have this need. The target will be to have all my devices on the LAN side of OPNsense. And i need this access to all the devices i have on the LAN and for the main protocols (ping, HTTP, HTTPS, SSH).

Hope it's more clear. Thanks for your time.

[EKinox09]

Hmm, ok. I'm out. I don't understand what you want or did.

In fact, the main problem was coming from the route; my low knowledge on network make me mix the "route" (you've asked me to create) and the gateway of the computer (what i've changed). And the command you've proposed needed to be launched with admin rights.
So, your advices were good. Thank you.

I will post the solution as conclusion.

[EKinox09]

IMPORTANT: The following parameters allow to access LAN from WAN. Use with caution.

Here is the solution and my understanding:
   - Allow access from WAN:
      Interfaces / WAN: Uncheck "Block private networks" => Without this, OPNsense do not consider private/LAN adresses coming from the WAN. In my case, i have a 192.168.2.0/24 based network as WAN; so, if i don't want to be blocked, i need to uncheck
   - Access LAN from WAN:
      Need to set up a FW rule: WAN-pass-in-Protocol:IPv4*-Source:WAN Net-Destination:LAN Net
   - Make the computer/laptop on the WAN aware of the 10.0.0.0 network:
      Need to set up a route to the OPNsense WAN IP for accessing the LAN Network: route add -p 10.0.0.0 mask 255.255.255.0 192.168.2.134 (command for windows, done in a "cmd" windows launched with admin rights
   
Now the LAN is reacheable from the WAN.

   - Ping OPNsense WAN address:
      By default, OPNsense do not answer to a ping from WAN. I had difficulties to be sure if the IP was configured correctly. So, in order to have OPNsense answering a ping from WAN, i had a firewall rule: WAN-pass-in-Protocol IPv4 IMCP-Source:WAN Net-Destination:WAN Address (Wan address represent the WAN address of OPNsense)
   - Access OPNsense GUI from WAN:
      If you want a computer to access the OPNsense GUI from the WAN, setup the following rule: WAN-pass-in-Protocol:IPv4 TCP-Source:IP of your computer-Destination:This firewall-Port:443(HTTPS)

Hope it helps.

[gigo90]

Hi All   

I use this post to avoid to open a new one(hope this is not a problem), cause i would like to do the opposite, i'll try to explain.

I have a pci-e  VDSL modem (drytek Vigornic) and i set it as PPPOE WAN connected to my ISP. Since this card has a integrated web page, i need to reach it from the LAN.  WAN interface (re0) has 192.168.1.x/24 class and LAN interface has 192.168.2.x/24 class;  I tried with a bridge rule, but it's not working. 


Thanks

[Naruto98]

IMPORTANT: The following parameters allow to access LAN from WAN. Use with caution.

Here is the solution and my understanding:
   - Allow access from WAN:
      Interfaces / WAN: Uncheck "Block private networks" => Without this, OPNsense do not consider private/LAN adresses coming from the WAN. In my case, i have a 192.168.2.0/24 based network as WAN; so, if i don't want to be blocked, i need to uncheck
   - Access LAN from WAN:
      Need to set up a FW rule: WAN-pass-in-Protocol:IPv4*-Source:WAN Net-Destination:LAN Net
   - Make the computer/laptop on the WAN aware of the 10.0.0.0 network:
      Need to set up a route to the OPNsense WAN IP for accessing the LAN Network: route add -p 10.0.0.0 mask 255.255.255.0 192.168.2.134 (command for windows, done in a "cmd" windows launched with admin rights
   
Now the LAN is reacheable from the WAN.

   - Ping OPNsense WAN address:
      By default, OPNsense do not answer to a ping from WAN. I had difficulties to be sure if the IP was configured correctly. So, in order to have OPNsense answering a ping from WAN, i had a firewall rule: WAN-pass-in-Protocol IPv4 IMCP-Source:WAN Net-Destination:WAN Address (Wan address represent the WAN address of OPNsense)
   - Access OPNsense GUI from WAN:
      If you want a computer to access the OPNsense GUI from the WAN, setup the following rule: WAN-pass-in-Protocol:IPv4 TCP-Source:IP of your computer-Destination:This firewall-Port:443(HTTPS)

Hope it helps.

Hello everyone, I followed this guide, but I'm unable to ping the IP address of the computer on the LAN.
Does anyone know why it's not working?

Thanks in advance.