Make LAN hosts available via WAN

Hi *.

This setup is definitely unusual, but maybe someone can help. I have a mAP Lite configured with a separate Wi-Fi network for all the “not-so-smart” devices that need internet access. These devices are tunneled outside my public IP via AWS and don’t have access to my “real” LAN. Now, what I need is to be able to access those devices on their “fake” LAN from the “real” LAN.

real LAN: 10.9.4.0/24
pfSense LAN: 10.9.4.1
mAP WAN IP: 10.9.4.251

mAP LAN: 192.168.66.0/24
mAP LAN IP: 192.168.66.1 (of course)

I’ve added a static route in pfSense to 192.168.66.0/24 via 10.9.4.251, and it seems all packets are directed there correctly. However, I’m struggling with dstnat on the mAP. No matter what I try, I keep receiving ICMP unreachable errors.

12:47:26.172134 IP (tos 0x0, ttl 64, id 49622, offset 0, flags [none], proto ICMP (1), length 84)
    10.9.4.1 > 192.168.66.97: ICMP echo request, id 53344, seq 2, length 64
	0x0000:  4500 0054 c1d6 0000 4001 a7bf 0a09 0401  E..T....@.......
	0x0010:  c0a8 4261 0800 2f6a d060 0002 0006 ab2e  ..Ba../j.`......
	0x0020:  14a3 4d58 0809 0a0b 0c0d 0e0f 1011 1213  ..MX............
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637                                4567
12:47:27.142028 IP (tos 0xc0, ttl 64, id 32097, offset 0, flags [none], proto ICMP (1), length 112)
    10.9.4.251 > 10.9.4.1: ICMP host 192.168.66.97 unreachable, length 92
	IP (tos 0x0, ttl 63, id 42328, offset 0, flags [none], proto ICMP (1), length 84)

I’d appreciate any help or suggestions—thanks in advance!

You should add the reverse route 10.9.4.0/24 via 192.168.66.1 on the mAP. Then you don’t need dstnat at all.

Isn’t 192.168.66.1 already the default route for all mAP clients? Also, wouldn’t it conflict with the default WAN route 10.9.4.0/24 from the ether1 interface?

My bad, I meant the wrong thing. The device should be accessible from another network if it has its gateway configured properly (i.e. 192.168.66.1 for all IoT stuff behind the mAP). Another suggestion: why can’t you just bridge ether1 and wlan1 to have all management on pfSense?
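As an added example (not posted by anyone in this thread), the RouterOS commands on the mAP that make the plain-routing approach from the reply above work. It assumes the mAP still carries the RouterOS default firewall (whose forward chain ends with the "drop all from WAN not DSTNATed" rule, with ether1 in the WAN interface list), that the IoT SSID is wlan1, and that the IoT clients get 192.168.66.1 as their default gateway from the mAP's DHCP server, all as described in the posts above:

```routeros
# Added example, not the thread author's config. Assumes the RouterOS default
# firewall on the mAP (interface list "WAN" contains ether1; the forward chain
# ends with the defconf rule "drop all from WAN not DSTNATed").

# 1. No extra route is needed on the mAP: both networks are directly connected
#    (10.9.4.0/24 on ether1, 192.168.66.0/24 on wlan1). Confirm that first.
/ip route print where dst-address=10.9.4.0/24
/ip route print where dst-address=192.168.66.0/24

# 2. Inspect the forward chain. With the default config, a new connection
#    that enters on ether1 (WAN list) and has no dstnat match is dropped
#    before it can reach wlan1, so the ping from 10.9.4.1 never gets through.
/ip firewall filter print where chain=forward

# 3. Accept the real-LAN-to-IoT-LAN traffic explicitly and place the rule
#    before that defconf drop rule. Replies from the IoT devices go back via
#    their gateway 192.168.66.1 and are part of an established connection,
#    so no dstnat (and no srcnat, which only acts on new connections) is needed.
/ip firewall filter add chain=forward action=accept \
    in-interface=ether1 out-interface=wlan1 \
    src-address=10.9.4.0/24 dst-address=192.168.66.0/24 \
    comment="allow real LAN into IoT LAN" \
    place-before=[find chain=forward comment~"drop all from WAN not DSTNATed"]

# 4. Re-check order: the accept rule must print above the defconf drop rule.
/ip firewall filter print where chain=forward
```

One caveat on the pfSense side: this works symmetrically for pfSense itself (10.9.4.1), which already has the static route. For any other host on 10.9.4.0/24 the forward packet goes host, pfSense, mAP, but the reply goes mAP, host directly on the same segment, so pfSense sees only half of the conversation and its state table can drop it. Either add the 192.168.66.0/24 route on those hosts directly, or enable "Bypass firewall rules for traffic on the same interface" under System > Advanced > Firewall & NAT in pfSense, which exists for exactly this static-route-on-LAN case.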

Using bridge mode would place all my IoT devices on my LAN, which is exactly what I’m trying to avoid. I want a separate network for all those garbage devices while still being able to access them. Sure, I could place a Wi-Fi client in that network and access it that way, but that feels like a workaround. I feel like I should be able to achieve this with the mAP.

Use VLANs to separate devices on a single bridge. Pretty sure you can manage all VLAN stuff on pfSense, which would be a nice centralized solution.
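As an added example of the VLAN suggestion (not posted by anyone in this thread), a bridge-VLAN configuration for the mAP that carries the IoT SSID as a tagged VLAN to pfSense, so the IoT network stays separate from the real LAN but is routed and firewalled centrally on pfSense. The VLAN ID 66, the bridge name bridge1, and the assumption that ether1 is the uplink to the pfSense LAN switch port and wlan1 is the IoT SSID are mine; the mAP stops routing and NATing for 192.168.66.0/24, so its old DHCP server, 192.168.66.1 address and srcnat rule for that network have to be removed first (not shown):

```routeros
# Added example, not the thread author's config. Assumed names: bridge1,
# ether1 = uplink to pfSense, wlan1 = IoT SSID, VLAN ID 66 for the IoT network.

# Create the bridge with filtering off; enable it only once the VLAN table is
# complete, otherwise the management path can be cut off mid-configuration.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether1
# IoT clients are untagged on wlan1 and land in VLAN 66 (pvid).
/interface bridge port add bridge=bridge1 interface=wlan1 pvid=66
# VLAN 66 leaves towards pfSense tagged on ether1, untagged towards the SSID.
/interface bridge vlan add bridge=bridge1 vlan-ids=66 tagged=ether1 untagged=wlan1

# mAP management stays on the untagged default VLAN (pvid 1) via the bridge
# interface itself, at its existing real-LAN address.
/ip address add address=10.9.4.251/24 interface=bridge1
/ip route add dst-address=0.0.0.0/0 gateway=10.9.4.1

# Last step: turn VLAN filtering on.
/interface bridge set bridge1 vlan-filtering=yes

# Check: wlan1 should show as untagged and ether1 as tagged member of VLAN 66.
/interface bridge vlan print
```

On pfSense, create VLAN 66 on the LAN NIC (Interfaces > Assignments > VLANs), assign it as a new interface with 192.168.66.1/24, and run the DHCP server and firewall rules for the IoT network there; the separation the thread author wants is then enforced by pfSense rules between the LAN and VLAN 66 interfaces rather than by NAT on the mAP.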