Problems to route traffic from WAN to LAN

Hello,
My LAN have this setup:


I want to route some traffic from WAN to LAN. Although I have opened the needed ports (53, 8006 and 8007) on the router and configured port forwards, it doesn’t work. I’ve followed these instructions:

I can ping from subnet C to subnet B, but not in the other direction: I can’t ping my VMs from subnet B to subnet C.

What could be wrong?

Thank you very much and best regards!! :grinning:

May I ask why B is WAN?

As far as I see, this is a routing only environment without a real ISP next to the WAN - so in that case WAN would not be needed, afaik.

Hello!!
In Proxmox-1 I have a Sophos firewall, whose WAN side is connected to the ISP router and whose LAN side is connected to the GL.iNet router, acting as WAN for the GL.iNet router.

Best regards!!

opkg update; opkg install nmap


Hello!!

After doing an nmap on the router’s IP, I can’t see the ports that I’ve opened in the web GUI.

This is the result:

22/tcp    open  ssh
53/tcp    open  domain
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
443/tcp   open  https
445/tcp   open  microsoft-ds
2049/tcp  open  nfs
32777/tcp open  sometimes-rpc17
32778/tcp open  sometimes-rpc19
32780/tcp open  sometimes-rpc23

This is the config done by me on the web gui and what I see in Luci:

Port Forward:

Open Ports on Router:

The only port that I can see in the captures and in the nmap result is 53/TCP, no signal of 8006 and 8007.

The pings between LAN and WAN:

Best regards!! :grinning:

Hello!!
Another option that I’m thinking about is to disable the firewall. I will be fine with this because I have a Sophos on the WAN side of the router.

What do you think? Is it possible to do it?

Best regards!! :grinning:

What do you want to achieve?

Ping is ICMP, but you forwarded TCP and UDP. This won’t work.
Ping sends an ICMP packet to the given host, and the host will answer with an ICMP pong. No port in here.

Further, you are redirecting 53/TCP … But DNS is UDP by default. This also won’t work.

Please do yourself a favour: create an nginx reverse proxy at Proxmox-2, forward all TCP/80 to this nginx and configure the forward.
Set up the main DNS near the ISP router, and also from inside out, as the route to the internet has to be established already.


Hello!!
Thank you very much for your suggestion, it sounds a bit too technical for me, but I’ll take a look.

I apologize for my poor knowledge… I thought that having a Sophos firewall as main gateway behind the ISP router and opening some ports (and doing port forwards rules) in the GL.iNet router should be enough to see my VMs in the two subnets.

Best regards!! :grinning:

OP, do yourself a favor: make sure that ISP ‘link’ is a modem, just a modem; not one of these goddamn ‘all in one’ modem/router/access point POS. Contact your ISP & swap it out for a straight modem if you have to. Otherwise dig into its settings & look to put the Sophos device/router proper on the DMZ if you can’t set the ISP unit into ‘bridged mode.’

You’ll save yourself headaches in the years to come.


No need to apologise. We all started at some time.
That’s why I suggested the Nginx reverse proxy. There are a lot of good howtos on the internet on how to do this.
But it’s somewhat too complex/specialized for this forum; maybe we’ll see each other in a Proxmox forum as well :wink:


Nginx config can be easy: NGINXConfig | DigitalOcean


@LupusE @bring.fringe18 @admon I see that I have some homework to do…

Thank you all, best regards!! :grinning: :grinning:


Nginx is not the problem here. It is the integration in Proxmox and the data flow plus the security.

I recommend https://nginxproxymanager.com/ for starters. But at one point it will not work for a specific task. Then you want to know how the config files work…

At the start it is a good help for forwarding the Proxmox management frontend and other services.
If you want to manage non-HTTP traffic, like DNS, there are routers like OPNsense as a container in Proxmox. Or even a DD-WRT or OpenWrt, to be nearer to GL-Inet… Depends on the future needs.

Just keep in mind how the traffic flows. Then configure your LAN with jumbo frames (huge MTU)… So much theory.


Sure!!

Looks very interesting!! :grinning:

Hello, me again!! :grinning:

I was thinking about all the stuff discussed in this post. I understand everything and appreciate the info, especially all the security concerns. :+1: :ok_hand:

However, there’s one thing that I don’t understand. In the router’s web gui there are two tabs: Port Forwards and Open Ports on Router.

Literally, this is what we can read:

Port Forwards:
If you have servers in your LAN subnet and want them be accessible from the WAN side,
you need to set up port forward to these servers, identified by IP addresses and ports.

Open Ports on Router:
For security reasons, the services that you install on the device are only opened to its LAN network.
If you want them to be accessible from the WAN network, you need to open ports for these services on the WAN

In my case, I only need to access from the WAN side to my Pi-hole, monitor some VMs with Checkmk and do some backups from Proxmox Backup Server.

However, I don’t understand why, if I have configured it according to the instructions (screenshots above), it doesn’t work: DNS doesn’t resolve and I can’t configure a backup datastore… :thinking:

Best regards!! :grinning:

I wouldn’t expose ports or port forward to the WAN → LAN in this case. The traffic will be unencrypted on the Public Internet when it hits WAN. You’d be better off setting up a S2S over WireGuard. Ensure you set a Preshared Key (PSK) for maximum security.

This assumes your Public Internet IP is not behind CG-NAT. If your ISP confirms that’s the case, this will not work.

Side note: I would really diagram your current & desired topology if only to help those following along at home.


Hello!! :grinning:

My public IP is on the ISP router, the typical all-in-one which acts as modem, router, switch and access point, with no open ports and a layer-4 firewall.

Behind this I have a Sophos firewall, Home Edition, and, finally, behind it the GL.iNet router.

When I say “WAN”, I mean the external side of the GL.iNet router, which is really behind the devices mentioned before. In this subnet I have two or three VMs from which I need to route some traffic to the LAN side of the GL.iNet router.

I followed the instructions; it should work but it doesn’t. This is what I don’t understand… :thinking:

I could also use Tailscale, but, if it’s possible, I prefer not to do so. As for unencrypted traffic, I’ve configured HTTPS for my internal servers.

Best regards!! :grinning:

I am not sure if this is now solved.

Port forwarding means the port is taken from WAN and forwarded to another client on the LAN side. This port does not need to be the same. You could forward [external IP]:1234 to [LAN client IP]:80 …
It is a routing thing. The WAN client does not know about port 80 on the service, and the LAN service doesn’t know about the use of port 1234 from the WAN.
You can’t switch from UDP to TCP, it needs to be the same on both ends.

Open ports on router is a GL-Inet thing and means the firewall on WAN will be opened to services on the router.
As the Admin panel is available at LAN:80, with open port 80 on router, the service (admin panel) will be available on WAN:80.
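As an added illustration of the two explanations above (ping vs. TCP/UDP forwards, and port forwards vs. "Open Ports on Router"), here is a small Python model of how such rules match a packet arriving on WAN. It is not GL.iNet or OpenWrt code; the LAN host addresses and the router IP 192.168.2.1 are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added model (not GL.iNet or OpenWrt code) of the two GUI tabs discussed in the thread:
# "Port Forwards" = DNAT redirects from WAN to a LAN host, "Open Ports on Router" =
# accept rules for services running on the router itself. In both cases a rule only
# matches when the protocol is identical; ICMP (ping) is neither TCP nor UDP.

@dataclass(frozen=True)
class Packet:
    proto: str             # "tcp", "udp" or "icmp"
    dport: Optional[int]   # destination port; None for ICMP, which has no ports

@dataclass(frozen=True)
class PortForward:
    proto: str             # protocol the forward was created for
    src_dport: int         # port as seen on the WAN side
    dest_ip: str           # LAN host receiving the traffic
    dest_port: int         # port on that host; may differ from src_dport

@dataclass(frozen=True)
class OpenPort:
    proto: str
    dport: int

def evaluate(pkt: Packet, forwards: List[PortForward], open_ports: List[OpenPort],
             router_ip: str = "192.168.2.1") -> Tuple[str, Optional[str], Optional[int]]:
    """Where does a packet arriving on the WAN interface end up? 'drop' if nothing matches."""
    for fw in forwards:
        if fw.proto == pkt.proto and fw.src_dport == pkt.dport:
            return ("dnat", fw.dest_ip, fw.dest_port)       # rewritten and routed to the LAN host
    for op in open_ports:
        if op.proto == pkt.proto and op.dport == pkt.dport:
            return ("accept-input", router_ip, op.dport)     # delivered to the router's own service
    return ("drop", None, None)                              # default WAN policy: nothing gets in

def dns_forward_complete(forwards: List[PortForward]) -> bool:
    """DNS needs port 53 on both UDP and TCP, pointing at the same resolver."""
    targets = {fw.proto: fw.dest_ip for fw in forwards if fw.src_dport == 53 and fw.dest_port == 53}
    return set(targets) >= {"udp", "tcp"} and targets["udp"] == targets["tcp"]

# Constructed ruleset mirroring the thread: 53, 8006 and 8007 forwarded for TCP only,
# plus the router's own HTTPS admin page opened on WAN. IPs are made-up LAN examples.
FORWARDS = [
    PortForward("tcp", 53, "192.168.2.53", 53),      # Pi-hole, TCP only (the mistake)
    PortForward("tcp", 8006, "192.168.2.10", 8006),  # Proxmox VE web UI
    PortForward("tcp", 8007, "192.168.2.11", 8007),  # Proxmox Backup Server
    PortForward("tcp", 1234, "192.168.2.12", 80),    # external 1234 -> internal 80, as described
]
OPEN_PORTS = [OpenPort("tcp", 443)]
```

Running `evaluate(Packet("icmp", None), FORWARDS, OPEN_PORTS)` and `evaluate(Packet("udp", 53), ...)` both return `drop`, which is exactly why ping and DNS lookups fail with a TCP-only ruleset.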

Hello!! :grinning:

Finally, I’ve decided to move to another solution:

I use the GL.iNet router as AP+switch, and the routing is done by the Sophos. And the Sophos is behind the ISP router. That’s it.

This way I don’t need the 192.168.2.0/24 subnet anymore; it simplifies the LAN, and I can also monitor my VMs and do backups.

Best regards and thank you very much!! :grinning::grinning:
