keen_parish27

Hi Vadym, Please write to the support team, who will help you investigate the issue. support@keenetic.de

Good Morning Ilker, We apologize for the delay in responding. That said, this is a forum, not a support platform. Thanks for reporting the issue and the configurations to resolve it. In my previous tests, it was not necessary to explicitly send the “ip nat Chilli0” command, but we have not yet performed tests in an environment similar to yours, with the UAM server in another LAN segment. As for the firewall rule, the behavior is expected. Traffic between different segments is denied by default, so if you need to reach a resource in another segment, you must add a rule that accepts the traffic.

Hi, It depends. Currently, it's not possible to have two different ISPs on the same port. If you need different services on different VLANs, refer to the attached screenshot for instructions.

Hi, This behavior is expected at the moment. We plan to add DNS routing to policies in KeeneticOS 5.1. Keep an eye at the changelog on our website, and thanks for using our devices. Have a great day

Thank you very much for your work. I'm sure the community will appreciate your efforts! I certainly appreciate it.

Buongiorno, per una problematica del genere conviene scrivere al supporto, che sarà in grado di aiutarti. Puoi aprirlo dal sito web o mandando una mail a supporto@keenetic.it. Consiglio di allegare anche un self-test e spiegare bene la situazione, magari con qualche screenshot.

Hi George, I confirm that it is possible to use the new segments on the mesh nodes as well. Have you created and marked all VLANs on the ports of the D-Link switch and on the uplink of the KN-2710 connected to the switch? Regards

Same as your environment, the network 192.168.15.x is the Keenetic WAN, I attach Keenetic screenshot to show you my test config that show it. I have been a network engineer for 10 years, and the fact that you claim my solution is a nightmare shows that you probably don't understand it. That said, it seems that you're unwilling to accept the proposed or suggested solutions, so I will drop the matter. Good luck.

Hi Manuel, Attached you will find the configuration of my test environment with a video showing how it works with SMB access from the WAN. You will also find two PDF files with your current scenario and my suggestion. As you can see, if you propagate the VLAN from Keenetic but terminate it directly on PFsense, you can manage all the necessary rules between all LAN segments from the PFSense rules. I don't know what you mean by “huge security flaw,” but it doesn't seem like that to me at all. NAT, on the other hand, could be a security issue because it doesn't allow you to manage rules in a granular way. Let me know if all is clear for you. Kindly regards Actual Scenario.pdf Suggested Scenario.pdf Video_SMB.mkv

Sorry, Manuel, but I tested the solution myself and it works fine. As described, there are other solutions, but these require a change in architecture, which I also find to be a better solution since it centralizes firewall rule management on the pfsense firewall and eliminates the (useless) NAT performed by the Keenetic router. Best Regards

Hi Manuel, Thank you for your reply. I apologize for misunderstanding your questions. The first one is pretty simple, you just need a port forwarding rule that redirects the SMB request to Keenetic's LAN IP address (see attached example). Alternatively, you can manage it without NAT and with firewall rules and static routes. The last way to manage this environment is to pass the VLAN directly from PFSense to Keenetic and manage the firewall rules on PFSense. As for the second question, I agree with you that it is a limitation to be able to access the Keenetic device only with KeenDNS, but in most cases it is convenient. In any case, if you want to access the router via https, you can always set KeenDNS to direct mode, which will register the private IP and allow you to access the WAN with the correct domain name and a secure connection. Let me know if you have any further questions. Kindly Regards

Hi Manuel, Please share your infrastructure and configuration to help you access SMB from the Internet. However, I'd like to express my disappointment at accessing your LAN resources without a VPN... especially with a protocol like SMB. This is a real shame. Also, if you want a firewall in AP mode, access from the WAN port, and the ability to use IP instead of KeenDNS, why did you choose Keenetic and not another brand? We focus on KeeneticOS, and, as you said, many people use our router, and we haven't received any such requests. There are many open-source alternatives that can achieve excellent results, such as PFsense, OPNsense, OpenWRT, etc.

Also, you need to configure some rule to enable NAT and private security-level of wireguard segment. https://help.keenetic.com/hc/en-us/articles/360010551419-Internet-access-through-a-WireGuard-VPN-tunnel

Hi, you need to configure a new line with the correct parameters, as Freecall send to you. I leave you an example attached. BR R