Firewall newbie needs your expertise

OrgImp · September 2, 2023, 10:27am

Hi All,

i have to seperated lans and i want to give access a TV access to my media box.
TV 192.168.1.2 is connected to the ISP Device 192.168.1.1.

On that ISP Device (192.168.1.1) is my Turris (192.168.2.1) connected.
On the ISP I have a static route from 192.168.2.0 to 192.168.2.1

My NAS (running PlexTV 192.168.2.2) is connected to the Turris.

When i want to stream a video, my TV-APP-PlexTV say that I am not connected to my NAS directly (sure other IP range) and therefore it downstream the quality.

So supid question:
What do i need to do, to give my TV direct access to my NAS.
All devices has a static IP.

Thanks a lot.
Ozzy

cocturr · September 3, 2023, 12:42am

so your ISP device does routing and your Turris one is just a switch, right?

OrgImp · September 17, 2023, 10:35am

Hi,
well both running as router.
but with different ip range.

peci1 · September 17, 2023, 12:54pm

Is the turris connected vis WAN port or LAN port?

OrgImp · September 20, 2023, 10:21am

@peci1 its connected by wan port

I drawed a similar diagram
In the basic FW settings i can ping for example from the ipad (connected by wifi) to the turris. but i can not connect to it by http.
the static route is configured on the ISP

peci1 · September 20, 2023, 10:58am

Multiple things are weird.

You shouldn’t be able to access reforis via WAN port (i.e. from ipad). However, if you’ve enabled honeypots, there might be a fake server running on the WAN port on :80 and :443.

If you need your TV to access NAS, it would mean allowing all required protocols to pass through the WAN zone firewall. You would have to figure out which protocols are needed (it might be multiple - discovery, data transmission etc.).

Maybe the cleanest solution would be to move the WAN port from WAN firewall zone to LAN firewall zone. But then you’d lose all the security features provided by Turris (which you apparently don’t need if you connect your ipad to ISP).

OrgImp · September 20, 2023, 11:20am

Hi @peci1
regarding the ipad, this was just for an example to test.
usually only my tv and tvbox from the provider is connected to the isp router.
all other devices are connected to turris. as u mentioned for security reasons.

the question is, how do i need to set up a rule, that a specific IP (TV 192.168.1.2) can connect (every port open for the first test) to my nas.

could you please share me a rule example?

thank you.

peci1 · September 20, 2023, 12:12pm

Something like this?

OrgImp · September 20, 2023, 12:46pm

Thank you. I will try this on the weekend. But on my last attempt i did it like that and it was not working.
Thanks a lot for you help