GL-SFT1200 as Router forward LAN port to WIFI (not WAN)

ionh · October 9, 2024, 5:53pm

Problem statement:
I have a solar management unit (SMU) which has a static IP that I cannot change. It is located outside the house so I cannot easily hard wire it to my local network.

Baseline configuration:
I have connected the GL-SFT1200 to the management ethernet port on the SMU. With the SFT1200 configured in Router mode, I am able to connect to its WIFI and poll an API on the SMU. The WAN ethernet port is unused.

To accomplish the goal:
I configured into Multi-WAN and configured my Eero 6e network. The SFT1200 now shows up in my Eero device list with an IP address.

Set up port forwarding with source as LAN, destination as WAN, Internal IP address as the static IP of the SMU. Port is 80.

Problem:
From the Eero 6e WIFI and LAN port, I am able to ping the SFT1200 IP address as listed in the Eero device list. I am not able to call the API.

Question:
Can the SFT1200 actually forward traffic from the LAN to the Multi-WAN WIFI configured? Is my setup valid?

Hardware:
GL-SFT1200 running latest firmware: 4.3.19
Eero 6e Mesh connected to internet

hecatae · October 9, 2024, 6:54pm

Yes, what ports are required for the API of the SMU?

ionh · October 10, 2024, 1:36am

Port 80.

To add to what I stated previously. Here are my attached settings. Also, it appears the Eero 6e does not isolate non-guest network connected clients as is my configuration.

ionh · October 10, 2024, 1:40am

I also tried setting the 172.27.153.1 IP as DMZ. It did not help. I have since removed that configuration.

bpwl1 · January 9, 2025, 9:48am

I did not expect the need for port forwarding from LAN to WAN, it is allowed and is using NAT (e.g. is using the WAN port IP address). Firewall rules by default allow all access from LAN to WAN. They do not allow WAN-initiated forwarding from WAN to LAN, only replies to the initiating LAN device will be allowed.

Two reasons for that:

Firewall rule on WAN interface refusing new connections for the LAN
NAT reverse direction has to translate destination address to proper LAN address based on connection tracking (the active LAN to WAN session)

Port forwarding LAN to WAN is usefull if you want to change the WAN destination address or port in the LAN-initiated session.

Client isolation is seen to be active in the Guest wifi networks, not in the other wifi networks. It can be enabled/disabled per wifi network. (Via advanced, LuCI, Interface configuration, Advanced settings)

Here I would connect the SMU to the LAN port, with the SFT1200 LAN IP subnet adjusted to 172.27.153.0/24 or whatever the SMU expects to be part off, and has defined as gateway. The SFT1200 then should have a normal repeater/router-mode connection to the Eero 6e network. A port forwarding, or even DMZ towards the SMU LAN address 172.27.153.1 will be needed.

The Eero 6e is the remote computer, the SMU is the local computer behind the firewall in the LAN network, as a Web server.