On 10/16/25 12:28, Roy J. Tellason, Sr. wrote:
> This isn't strictly debian-related, so if there's a better place for this feel
> free to point me at it and I'll try there...
>
> Back when my LAN was a workstation and a DSL modem, and a bit later on a
> router/firewall was added, and a server, then later on a second workstation. Wifi
> was an old (now older and very flaky) AP. These days wifi is also provided by the
> "modem" (HughesNet, who is completely useless for help on this) and it's dual
> band and seems overall faster.
>
> The problem is when I'm using that wifi I have no access to my local server, I
> can only get to it by way of the old flaky AP that's internal to the LAN.
>
> Particulars: The "modem" is 192.168.1.1, the WAN side of the router is
> 192.168.1.2, the server on the other side of the router is 192.168.0.1, and the
> workstations get DHCP addresses assigned when they connect, as do any devices (a couple
> of phones and a tablet) that connect to the wifi. Is there any simple way to get that
> external wifi to point to my internal server when a 192.168.x.x address is used?
Assuming the following network diagram:
Internet (WAN)
      |
???.???.???.???
Modem/Router-----------Modem/AP
192.168.1.1            ???.???.???.???
      |
      +-192.168.1.0/24 (DMZ)
      |
192.168.1.2
Router/Firewall
192.168.0.???
      |
      +------------192.168.0.0/24 (LAN)-----------+
      |             |              |              |
192.168.0.1   192.168.0.???  192.168.0.???  192.168.0.???
Server        Workstation 1  Workstation 2  Old AP
If you want traffic entering via the Modem/AP to reach LAN hosts (e.g.
Server and workstations), then you need to:
1. Configure the Modem/Router to route Modem/AP incoming packets with
LAN destination addresses to the upstream side of the Router/Firewall.
This could be called "forwarding" or something else, depending upon the
Modem design and Modem management interface.
2. Configure the Router/Firewall to route upstream incoming packets
with LAN destination addresses to the LAN. This could be called
"firewall pinholes" and "forwarding" (you need both), or something else,
depending upon the Router/Firewall design and Router/Firewall management
interface.
Another topology is to put the server on the DMZ segment. Routing
incoming connections from the WAN, Modem/AP, or LAN to the server is
simpler, and the LAN hosts have protection if the server gets hijacked.
In the past, I had a similar router-behind-router network configuration
with a LAN AP. Connecting to, and maintaining connections to, the three
web management interfaces for the three individual devices -- ISP
router, internal router, and LAN AP -- while configuring network
settings was tedious, as was keeping all the settings matched.
I replaced the internal router and LAN AP with Ubiquiti Network "UniFi"
products. The key is the UniFi controller daemon, which you will need
to install on a server that is visible to all of the UniFi devices (I
rent a VPS at linode.com). Once the ISP router is configured to send
everything to the UniFi internal router, the benefit is "software
defined networking" -- e.g. one web management interface that allows the
netadmin to think at the network level; the daemon communicates with the
individual devices and manages the details. This becomes even better
when you add more UniFi products (switches, AP's, cameras, etc.), and
especially when you add more sites. While UniFi products are commercial
and proprietary, my devices are Linux on the inside and tech support has
guided me with troubleshooting difficult issues over SSH and/or a serial
console.
TIMTOWTDI
David
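Added example, not from either message in this thread: a small Python model of the two routing hops in the diagram above, showing why both of David's steps (a LAN route on the Modem/Router pointing at 192.168.1.2, and a DMZ-to-LAN forwarding pinhole on the Router/Firewall) are needed before a wifi client on the modem can reach 192.168.0.1. The hop names, the assumption that the modem's default route leads to the ISP, and the assumption that the Router/Firewall drops upstream-originated forwards unless a pinhole exists are all simplifications made for this model.

```python
# Added example (not from the thread): models the Modem/Router and
# Router/Firewall hops from the diagram. Addresses 192.168.1.1, 192.168.1.2
# and 192.168.0.1 come from the thread; everything else is assumed.
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")
DMZ = ipaddress.ip_network("192.168.1.0/24")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def next_hop(table, dst):
    """Longest-prefix match over a list of (network, next_hop) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def path(dst, modem_lan_route=False, fw_pinhole=False):
    """Hops a packet from a wifi client on the modem takes towards dst,
    ending in 'delivered' or the assumed reason it was lost."""
    # Modem/Router: DMZ is directly attached, everything else goes to the ISP
    modem_table = [(DMZ, "direct"), (DEFAULT, "isp")]
    if modem_lan_route:
        modem_table.append((LAN, "192.168.1.2"))  # step 1 in the reply
    hops = ["modem"]
    hop = next_hop(modem_table, dst)
    if hop == "direct":
        return hops + ["delivered"]
    if hop == "isp":
        # RFC 1918 destinations are not routable on the Internet (assumed drop)
        return hops + ["isp: private destination, dropped upstream"]
    hops.append("router/firewall")
    # step 2 in the reply: the forward chain must accept DMZ->LAN traffic
    if not fw_pinhole:
        return hops + ["firewall: DMZ->LAN forward not permitted, dropped"]
    fw_table = [(LAN, "direct"), (DEFAULT, "192.168.1.1")]
    if next_hop(fw_table, dst) == "direct":
        return hops + ["delivered"]
    return hops + ["router: no route to destination"]


if __name__ == "__main__":
    for route, pinhole in [(False, False), (True, False), (True, True)]:
        print(route, pinhole, path("192.168.0.1", route, pinhole))
```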