Cannot Access LAN network from WAN Network.

Started by kapee, Today at 07:20:01 AM

Today at 07:20:01 AM Last Edit: Today at 07:22:33 AM by kapee
I am a complete newbie on network so please pardon my ignorance here.

I installed OPNSense 25.7 and configured the defaults using the wizard. My OPNSense FW is behind my Router so the WAN Address is a private IP e.g. 192.168.2.106.
The gateway is 192.168.2.251 (PiHole for ad blocking). This also runs my OpenVPN (10.10.x.x) for friends to connect at times to my home network.

So the set up is as follows: ISP --> Internal Router (192.168.2.1: Gateway which has Pi Hole and OpenVPN running on the PiHole/OpenVPN) --> OPNSense FW (WAN: 192.168.2.106, LAN: 192.168.4.1)

The OPNSense LAN 1 network is built on 192.168.4.x, so the LAN IP is 192.168.4.1, with 192.168.4.X assigned by DHCP so I can get many clients connected to this network.
The machines connected to the LAN 1 (192.168.4.x) can connect to the internet (no Issue here)

Issue 1: The machines on Client 1 (192.168.2.x) cannot do remote desktop or ping any machine on LAN (192.168.4.x) network. How do I fix this?
Issue 2: Some of my friends connect via VPN to my network and they get a 10.10.X.X IP and can connect to the 192.168.2.x machines. I want to make sure that they can RDP to the 192.168.4.X machines

I don't understand NAT or Port Forwarding etc. so any steps would need to be completely watered down. I have tried steps mentioned here https://forum.opnsense.org/index.php?topic=16952.0 but it did not work for me unfortunately.

Any guidance would be highly appreciated

Today at 07:47:04 AM #1 Last Edit: Today at 07:54:58 AM by meyergru
Ad issue 1: You don't. First off, OpnSense's WAN is designed to not let anything in (w/r to the posting title: "it is not a bug, it is a feature!"). While you could technically allow this via firewall rules, eliminating outbound NAT or putting in port forwarding rules, it would not help, because all of your clients on the first router's LAN (192.168.2.0/24) only know their own subnet and a gateway (the first router). That in turn does not know of the existence of the 192.168.4.0/24 subnet behind OpnSense and with most consumer routers, you cannot put the necessary route in there. In that situation, you would at least not use a "WAN" type interface at all, but a second "LAN", using OpnSense as a LAN/LAN router. This, however, does not save you from having to set up routes on your intermediate network 192.168.2.0/24.

Ad issue 2: With step 1 out of the way (which you probably cannot do on your specific equipment), you would have to have a port-forwarding rule in your first router to the PC on 192.168.4.0/24, which you probably cannot do, either.

You are stuck with a router-behind-router scenario, more complicated in that you expect some clients in the intermediate network 192.168.2.0/24 to also have access to 192.168.4.0/24 (instead of just having internet access, which they do).

Adding to this, you have an even more complicated setup than usual, because you have an additional pi-hole gateway. That is quite a zoo that you will not be able to safely handle without networking skills. There is no step-by-step guide for your specific setup and it would not be safe to do so. If you expected your network to be "somewhat more safe" because you put an OpnSense in, you are mistaken. OpnSense is a product aimed at professional use, unlike most consumer router equipment. It is also aimed at handling the networking as the sole router, preferably.

Basically, that is referenced here, point #4, but your setup has some additional quirks.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Thank you meyergru. I can set it up as a LAN - LAN or even WAN - LAN with NAT or Route Updates, I just need some guidance on how to set it up that way.

I already wrote that if you read between the lines:

1. Set up the OpnSense port facing the first router as a regular second LAN port (LAN2) with no NAT rules with 192.168.2.106/24.
2. Allow access from 192.168.2.0/24 as "in" firewall rules on that LAN2 interface (for whatever sort of traffic you need).
3. Set up 192.168.2.1 as the default gateway on OpnSense.
4. Set up a route to 192.168.4.0/24 with a gateway 192.168.2.106 on your first router. That will make any packets for that destination network go through OpnSense's LAN2.
5. Set port-forwarding rules for the destination IPs in "LAN" on your first router. You do not need port-forwarding rules, but only firewall rules to allow that specific traffic on OpnSense.

IDK how your Pi-Hole comes into this or how you can set the route on your router.

You can start by allowing all traffic in step 2, but then, OpnSense essentially does nothing for you. Allowing the needed types of traffic is quite a task. You can look at the firewall logs to see what traffic is blocked and then selectively allow the types you need. Even if you regulate traffic via firewall rules, you can at most protect your LAN devices, not the LAN2 ones.

That is all basic networking 101 you must be able to handle when you choose such a setup. I am not going to go through all of the details, it is all in the documentation.
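To show why step 4 of the list above (the static route on the first router) is what makes the two subnets reachable, here is a small route-table walk-through in Python. It is an added example, not anything from the thread or from OPNsense itself; the client addresses 192.168.2.50 and 192.168.4.20 and all node names are constructed, and it models plain routing only, not the firewall rules from step 2 or the Pi-hole.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Node:
    name: str
    addrs: list                      # interface addresses, e.g. "192.168.2.106/24"
    default: "str | None" = None     # default gateway; None = upstream ISP, which drops private destinations
    routes: dict = field(default_factory=dict)  # "network/len" -> next-hop IP

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        if any(dst in ipaddress.ip_interface(a).network for a in self.addrs):
            return "direct"          # destination sits on a connected subnet
        for net, gw in sorted(self.routes.items(),
                              key=lambda kv: -ipaddress.ip_network(kv[0]).prefixlen):
            if dst in ipaddress.ip_network(net):
                return gw            # longest-prefix static route wins
        return self.default

def owner(nodes, ip):
    ip = ipaddress.ip_address(ip)    # the node holding this interface address
    return next(n for n in nodes if any(ipaddress.ip_interface(a).ip == ip for a in n.addrs))

def trace(nodes, src, dst, max_hops=8):
    """Walk a packet hop by hop; returns the node names crossed plus 'delivered' or 'dropped'."""
    node, path = owner(nodes, src), []
    for _ in range(max_hops):
        path.append(node.name)
        hop = node.next_hop(dst)
        if hop == "direct":
            return path + ["delivered"]
        if hop is None:
            return path + ["dropped"]
        node = owner(nodes, hop)
    return path + ["dropped"]        # routing loop

def build(route_on_first_router):
    """The thread's topology; the flag is step 4 above (static route on the first router)."""
    routes = {"192.168.4.0/24": "192.168.2.106"} if route_on_first_router else {}
    return [
        Node("router", ["192.168.2.1/24"], routes=routes),
        Node("opnsense", ["192.168.2.106/24", "192.168.4.1/24"], default="192.168.2.1"),
        Node("pc-lan2", ["192.168.2.50/24"], default="192.168.2.1"),  # constructed client in 192.168.2.0/24
        Node("pc-lan", ["192.168.4.20/24"], default="192.168.4.1"),   # constructed client behind OPNsense
    ]

def round_trip_ok(nodes, a, b):      # both directions must route, or the reply is lost
    return trace(nodes, a, b)[-1] == "delivered" and trace(nodes, b, a)[-1] == "delivered"
```

Without the route, the 192.168.2.x client's packet reaches the first router, which has no entry for 192.168.4.0/24 and sends it upstream, while the reply direction already works because OPNsense is directly connected to both subnets; only the static route makes the round trip complete.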