How to allow traffic from WAN to LAN networks?

Started by achocolada, January 03, 2024, 05:13:09 AM

Hi everyone,

I need to allow traffic from WAN networks to LAN networks. I already added a firewall rule to allow it, but it still fails.
Does anyone have a solution for this?
Thank you guys :)

Is this a standard NAT setup? Public IP on WAN, private network on LAN?

If yes you need to look at Firewall > NAT > Port Forwarding for inbound connections.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 03, 2024, 09:12:13 AM
Is this a standard NAT setup? Public IP on WAN, private network on LAN?

If yes you need to look at Firewall > NAT > Port Forwarding for inbound connections.

Hi Patrick, thank you for your answer,

Actually I don't set NAT for this; I set the WAN firewall to allow all traffic from WAN net to LAN net instead.
I need to allow traffic from WAN to LAN network because I want users from another office (connected by any WAN connection) to be able to connect to a specific LAN address at the Head Office (where the OPNsense sits).

Is the LAN a private network, i.e. one of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8?

If yes, this does not work the way you think it does, because these networks are not routed across the Internet. To connect two locations you need to set up a VPN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on January 04, 2024, 09:29:42 AM
Is the LAN a private network, i.e. one of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8?

If yes, this does not work the way you think it does, because these networks are not routed across the Internet. To connect two locations you need to set up a VPN.

First of all, is your WAN IP public or private?

Quote from: Patrick M. Hausen on January 04, 2024, 09:29:42 AM
Is the LAN a private network, i.e. one of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8?

If yes, this does not work the way you think it does, because these networks are not routed across the Internet. To connect two locations you need to set up a VPN.

Yes, the LAN IP address is using a private network.
My objective is not to establish 2 locations using VPN or another way, but I want to make a connection from outside OPNsense able to reach the network behind the OPNsense, which is the LAN network.
With the topology as follows:
Edge Router --> (WAN port)OPNSENSE(LAN port) --> Local Devices

I want to be able to ping the Local Device from the Edge Router.

Quote from: achocolada on January 04, 2024, 11:41:01 AM
Quote from: Patrick M. Hausen on January 04, 2024, 09:29:42 AM
Is the LAN a private network, i.e. one of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8?

If yes, this does not work the way you think it does, because these networks are not routed across the Internet. To connect two locations you need to set up a VPN.

Yes, the LAN IP address is using a private network.
My objective is not to establish 2 locations using VPN or another way, but I want to make a connection from outside OPNsense able to reach the network behind the OPNsense, which is the LAN network.
With the topology as follows:
Edge Router --> (WAN port)OPNSENSE(LAN port) --> Local Devices

I want to be able to ping the Local Device from the Edge Router.

Oh yes, for additional information: from the OPNsense terminal console I can ping the local devices.

Thank you :)

Quote from: ricksense on January 04, 2024, 09:53:54 AM
Quote from: Patrick M. Hausen on January 04, 2024, 09:29:42 AM
Is the LAN a private network, i.e. one of 192.168.0.0/16, 172.16.0.0/12 or 10.0.0.0/8?

If yes, this does not work the way you think it does, because these networks are not routed across the Internet. To connect two locations you need to set up a VPN.

First of all, is your WAN IP public or private?

It is now a public IP. Anyway, I have already used both public and private IPs, but it is the same.

What Patrick suggested is that you cannot reach an RFC1918 private IP from the public internet, because these are not getting routed to you at all.

With IPv4, there are only two ways you can make a connection from the outside to your private LAN:

1. You create a rule that forwards a specific port from your (public & routable) WAN IP to an IP on your (private) LAN. That is NAT (network address translation). This will open up specific ports on specific machines only.

2. You install a VPN that enables access to your whole private LAN. It tunnels private IPs through the public internet. You can have two variants: a. Client-to-Site VPN for a road warrior setup for one client machine only or b. Site-to-Site VPN if you want to connect two separate private LANs over the internet.

With IPv6, that is a whole different story, because then your LAN can have public IPs.
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A
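As an added illustration (not from the post, and not OPNsense code), a small Python model of the two IPv4 cases above: a packet addressed to an RFC1918 LAN address never arrives at the WAN interface, so no WAN firewall rule can help, while a port forward maps exactly one WAN port to one LAN host. All addresses and the forward rule are constructed for the example.

```python
"""Model of inbound reachability through a NAT firewall (constructed example)."""
import ipaddress
from dataclasses import dataclass

# The three RFC1918 ranges named in the thread.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addresses: the firewall's public WAN IP (documentation range) and its LAN.
WAN_IP = ipaddress.ip_address("203.0.113.10")
LAN_NET = ipaddress.ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class PortForward:
    """Option 1 from the post: one WAN port forwarded to one LAN host/port."""
    proto: str
    wan_port: int
    lan_ip: str
    lan_port: int


# Constructed rule: HTTPS on the WAN IP goes to a single LAN web server.
PORT_FORWARDS = [PortForward("tcp", 443, "192.168.10.20", 443)]


def is_rfc1918(ip: str) -> bool:
    """True if the address lies in one of the private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def reaches_lan(dst_ip: str, dst_port: int, proto: str = "tcp"):
    """Where does a packet from the internet to dst_ip:dst_port end up?

    Returns ((lan_ip, lan_port), reason) if a LAN host receives it,
    otherwise (None, reason).
    """
    # Upstream routers do not carry RFC1918 destinations, so the packet
    # never reaches the WAN interface; a WAN pass rule is never evaluated.
    if is_rfc1918(dst_ip):
        return None, "destination is RFC1918 and is not routed across the internet"
    if ipaddress.ip_address(dst_ip) != WAN_IP:
        return None, "destination is not this firewall's WAN address"
    # Only an explicit port forward translates WAN_IP:port to a LAN host.
    for fwd in PORT_FORWARDS:
        if fwd.proto == proto and fwd.wan_port == dst_port:
            return (fwd.lan_ip, fwd.lan_port), "translated by port forward"
    return None, "no port forward for this port, so there is no LAN host to deliver to"
```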

Quote from: meyergru on January 04, 2024, 12:01:42 PM
What Patrick suggested is that you cannot reach an RFC1918 private IP from the public internet, because these are not getting routed to you at all.

With IPv4, there are only two ways you can make a connection from the outside to your private LAN:

1. You create a rule that forwards a specific port from your (public & routable) WAN IP to an IP on your (private) LAN. That is NAT (network address translation). This will open up specific ports on specific machines only.

2. You install a VPN that enables access to your whole private LAN. It tunnels private IPs through the public internet. You can have two variants: a. Client-to-Site VPN for a road warrior setup for one client machine only or b. Site-to-Site VPN if you want to connect two separate private LANs over the internet.

With IPv6, that is a whole different story, because then your LAN can have public IPs.

My need is to access the network at the main office from the branch office, not to access a LAN address from a public IP. The connection between the branch office and the Head Office is already established using PPTP.

Then please provide a network diagram including IP addresses.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)