keen_parish27

Same as your environment, the network 192.168.15.x is the Keenetic WAN, I attach Keenetic screenshot to show you my test config that show it. I have been a network engineer for 10 years, and the fact that you claim my solution is a nightmare shows that you probably don't understand it. That said, it seems that you're unwilling to accept the proposed or suggested solutions, so I will drop the matter. Good luck.

Hi Manuel, Attached you will find the configuration of my test environment with a video showing how it works with SMB access from the WAN. You will also find two PDF files with your current scenario and my suggestion. As you can see, if you propagate the VLAN from Keenetic but terminate it directly on PFsense, you can manage all the necessary rules between all LAN segments from the PFSense rules. I don't know what you mean by “huge security flaw,” but it doesn't seem like that to me at all. NAT, on the other hand, could be a security issue because it doesn't allow you to manage rules in a granular way. Let me know if all is clear for you. Kindly regards Actual Scenario.pdf Suggested Scenario.pdf Video_SMB.mkv

Sorry, Manuel, but I tested the solution myself and it works fine. As described, there are other solutions, but these require a change in architecture, which I also find to be a better solution since it centralizes firewall rule management on the pfsense firewall and eliminates the (useless) NAT performed by the Keenetic router. Best Regards

Hi Manuel, Thank you for your reply. I apologize for misunderstanding your questions. The first one is pretty simple, you just need a port forwarding rule that redirects the SMB request to Keenetic's LAN IP address (see attached example). Alternatively, you can manage it without NAT and with firewall rules and static routes. The last way to manage this environment is to pass the VLAN directly from PFSense to Keenetic and manage the firewall rules on PFSense. As for the second question, I agree with you that it is a limitation to be able to access the Keenetic device only with KeenDNS, but in most cases it is convenient. In any case, if you want to access the router via https, you can always set KeenDNS to direct mode, which will register the private IP and allow you to access the WAN with the correct domain name and a secure connection. Let me know if you have any further questions. Kindly Regards

Hi Manuel, Please share your infrastructure and configuration to help you access SMB from the Internet. However, I'd like to express my disappointment at accessing your LAN resources without a VPN... especially with a protocol like SMB. This is a real shame. Also, if you want a firewall in AP mode, access from the WAN port, and the ability to use IP instead of KeenDNS, why did you choose Keenetic and not another brand? We focus on KeeneticOS, and, as you said, many people use our router, and we haven't received any such requests. There are many open-source alternatives that can achieve excellent results, such as PFsense, OPNsense, OpenWRT, etc.

Also, you need to configure some rule to enable NAT and private security-level of wireguard segment. https://help.keenetic.com/hc/en-us/articles/360010551419-Internet-access-through-a-WireGuard-VPN-tunnel

Hi, you need to configure a new line with the correct parameters, as Freecall send to you. I leave you an example attached. BR R