Firewall newbie needs your expertise

Hi All,

I have two separate LANs and I want to give a TV access to my media box.
TV 192.168.1.2 is connected to the ISP device 192.168.1.1.

My Turris (192.168.2.1) is connected to that ISP device (192.168.1.1).
On the ISP device I have a static route from 192.168.2.0 to 192.168.2.1.

My NAS (running PlexTV 192.168.2.2) is connected to the Turris.

When I want to stream a video, my PlexTV TV app says that I am not connected to my NAS directly (sure, different IP range) and therefore it downgrades the quality.

So, stupid question:
What do I need to do to give my TV direct access to my NAS?
All devices have a static IP.

Thanks a lot.
Ozzy

So your ISP device does routing and your Turris is just a switch, right?

Hi,
well, both are running as routers,
but with different IP ranges.

Is the Turris connected via the WAN port or a LAN port?

@peci1 it's connected by the WAN port.

I drew a similar diagram.
With the basic FW settings I can ping, for example, from the iPad (connected by Wi-Fi) to the Turris, but I cannot connect to it by HTTP.
The static route is configured on the ISP device.

Multiple things are weird.

You shouldn’t be able to access reForis via the WAN port (i.e. from the iPad). However, if you’ve enabled honeypots, there might be a fake server running on the WAN port on :80 and :443.

If you need your TV to access NAS, it would mean allowing all required protocols to pass through the WAN zone firewall. You would have to figure out which protocols are needed (it might be multiple - discovery, data transmission etc.).

Maybe the cleanest solution would be to move the WAN port from the WAN firewall zone to the LAN firewall zone. But then you’d lose all the security features provided by Turris (which you apparently don’t need if you connect your iPad to the ISP device).

Hi @peci1,
regarding the iPad, this was just an example for testing.
Usually only my TV and the TV box from the provider are connected to the ISP router.
All other devices are connected to the Turris, as you mentioned, for security reasons.

The question is: how do I need to set up a rule so that a specific IP (TV 192.168.1.2) can connect (every port open for the first test) to my NAS?

Could you please share a rule example with me?

Thank you.

Something like this?

Thank you. I will try this on the weekend. But on my last attempt I did it like that and it was not working.
Thanks a lot for your help.

Hi @peci1,

Finally I got time to test it, but it still does not work.

Here are my settings.

My iPad is connected to the ISP router 192.168.1.1 with the IP 192.168.2.151.
Ping from the iPad to the Turris is working, but not the web access.

Maybe the screenshots from the Turris will help.
I do not understand the BCP blocked IP with 192.168.0.0/16…

What are you accessing? LuCI or reForis? These are normally only open in LAN, so if you come to them from the WAN zone, you won’t get anything.

If ping works, the connection is configured correctly. The other thing is whether an app will open its ports to the WAN interface.

The web page of the Turris, where I can choose to log in to LuCI or reForis.

I guess I found the issue.
In the main FW settings I set WAN from “reject” to ACCEPT.
Result: every device could connect to the NAS.

Then I set a FW rule: blocked everything
AND
set a FW rule allowing access WAN to LAN from TV IP 1.10 to NAS IP 2.10.
Now the TV can access it and others don’t.

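Editor's note, added example (not posted by anyone in this thread): the rule that peci1 describes earlier (allow the required traffic through the WAN zone) and that Ozzy ends up with (WAN zone forward stays at reject, plus one narrow WAN-to-LAN rule from the TV to the NAS) is the following in OpenWrt/Turris UCI terms. It assumes the addresses from the first post, TV 192.168.1.2 on the Turris WAN side and NAS 192.168.2.2 on the LAN side, and the stock zone names `wan` and `lan`; the function and variable names are my own. Run it on the Turris to apply the rule; anywhere else it just prints the UCI batch it would apply.

```shell
#!/bin/sh
# Added example: one narrow wan->lan forward rule for a TV on the WAN side
# to a NAS on the LAN side. Assumed values (override via environment):
TV_IP="${TV_IP:-192.168.1.2}"    # TV, lives on the ISP router's subnet
NAS_IP="${NAS_IP:-192.168.2.2}"  # NAS/Plex, lives behind the Turris

# Minimal dotted-quad check. uci stores any string, so a typo like
# "192.168.1." or a CIDR would silently become a much broader rule.
is_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  n=0
  for octet in $(printf '%s\n' "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
    n=$((n + 1))
  done
  [ "$n" -eq 4 ]
}

# Print the UCI batch for the rule: source zone wan restricted to the TV,
# destination zone lan restricted to the NAS. proto='all' is the "every
# port open for the first test" setting; once it works, tighten it to
# proto='tcp' dest_port='32400' (the Plex Media Server default port).
# The wan zone's own forward policy stays REJECT, so this rule is the only
# path from wan into lan; fw3 is stateful, so replies NAS->TV need no rule.
tv_to_nas_rule() {
  is_ipv4 "$1" && is_ipv4 "$2" || return 1
  cat <<EOF
add firewall rule
set firewall.@rule[-1].name='Allow-TV-to-NAS'
set firewall.@rule[-1].src='wan'
set firewall.@rule[-1].src_ip='$1'
set firewall.@rule[-1].dest='lan'
set firewall.@rule[-1].dest_ip='$2'
set firewall.@rule[-1].proto='all'
set firewall.@rule[-1].target='ACCEPT'
EOF
}

if ! is_ipv4 "$TV_IP" || ! is_ipv4 "$NAS_IP"; then
  echo "TV_IP and NAS_IP must be plain IPv4 addresses" >&2
  exit 1
fi

if command -v uci >/dev/null 2>&1; then
  # On the router: apply, commit and reload the firewall.
  tv_to_nas_rule "$TV_IP" "$NAS_IP" | uci batch \
    && uci commit firewall \
    && /etc/init.d/firewall reload
else
  # Not on OpenWrt: only show what would be applied.
  tv_to_nas_rule "$TV_IP" "$NAS_IP"
fi
```

Check the result with `uci show firewall | grep -A8 Allow-TV-to-NAS` and, from the TV's subnet, confirm that a host other than 192.168.1.2 still cannot reach the NAS; that second check is what distinguishes this from the earlier attempt of switching the whole WAN zone to ACCEPT.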

Oh, right. If your Turris is actually not the Internet-facing device, it makes sense to just allow any connection from WAN. I wonder if the dynamic firewall Sentinel would still work in such a case (I think yes, but that would have to be confirmed).

Yes, the Sentinel dynamic firewall will work because its blocking rule is at the first position of the zone_wan_forward chain. Any other rules are examined after it.

