On 10/16/25 12:28, Roy J. Tellason, Sr. wrote:
> This isn't strictly debian-related, so if there's a better place for this feel free to point me at it and I'll try there...
>
> Back when my LAN was a workstation and a DSL modem, and a bit later on a router/firewall was added, and a server, then later on a second workstation. Wifi was an old (now older and very flaky) AP. These days wifi is also provided by the "modem" (Hughesnet, who is completely useless for help on this) and it's dual band and seems overall faster. The problem is when I'm using that wifi I have no access to my local server, I can only get to it by way of the old flaky AP that's internal to the LAN.
>
> Particulars: The "modem" is 192.168.1.1, the WAN side of the router is 192.168.1.2, the server on the other side of the router is 192.168.0.1, and the workstations get DHCP addresses assigned when they connect, as do any devices (a couple of phones and a tablet) that connect to the wifi.
>
> Is there any simple way to get that external wifi to point to my internal server when a 192.168.x.x address is used?
Assuming the following network diagram:

                     Internet (WAN)
                           |
                    ???.???.???.???
                 Modem/Router-----------Modem/AP
                  192.168.1.1        ???.???.???.???
                           |
                           +-192.168.1.0/24 (DMZ)
                           |
                      192.168.1.2
                    Router/Firewall
                     192.168.0.???
                           |
          +------------192.168.0.0/24 (LAN)-------------+
          |             |               |               |
     192.168.0.1   192.168.0.???   192.168.0.???   192.168.0.???
       Server      Workstation 1   Workstation 2      Old AP

If you want traffic entering via the Modem/AP to reach LAN hosts (e.g.
Server and workstations), then you need to:
1. Configure the Modem/Router to route Modem/AP incoming packets with LAN destination addresses to the upstream side of the Router/Firewall. This could be called "forwarding" or something else, depending upon the Modem design and Modem management interface.
2. Configure the Router/Firewall to route upstream incoming packets with LAN destination addresses to the LAN. This could be called "firewall pinholes" and "forwarding" (you need both), or something else, depending upon the Router/Firewall design and Router/Firewall management interface.
Another topology is to put the server on the DMZ segment. Routing incoming connections from the WAN, Modem/AP, or LAN to the server is simpler, and the LAN hosts have protection if the server gets hijacked.
In the past, I had a similar router-behind-router network configuration with a LAN AP. Connecting to, and maintaining connections to, the three web management interfaces for the three individual devices -- ISP router, internal router, and LAN AP -- while configuring network settings was tedious, as was keeping all the settings matched.
I replaced the internal router and LAN AP with Ubiquiti Network "UniFi" products. The key is the UniFi controller daemon, which you will need to install on a server that is visible to all of the UniFi devices (I rent a VPS at linode.com). Once the ISP router is configured to send everything to the UniFi internal router, the benefit is "software defined networking" -- e.g. one web management interface that allows the netadmin to think at the network level; the daemon communicates with the individual devices and manages the details. This becomes even better when you add more UniFi products (switches, APs, cameras, etc.), and especially when you add more sites. While UniFi products are commercial and proprietary, my devices are Linux on the inside and tech support has guided me with troubleshooting difficult issues over SSH and/or a serial console.
TIMTOWTDI

David
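The two steps David lists (a route on the modem pointing 192.168.0.0/24 at 192.168.1.2, plus a forwarding rule/pinhole on the Router/Firewall for DMZ-to-LAN traffic) can be checked with a small longest-prefix-match model of the diagram above. This is an added example, not code from the thread or from any of the devices mentioned. The addresses the diagram leaves as ??? are assumed here: the Router/Firewall's LAN side is 192.168.0.254, a phone on the modem's wifi is 192.168.1.50, and the modem's WAN side is 203.0.113.10 with upstream gateway 203.0.113.1 (documentation addresses); the Hughesnet modem and its built-in AP are modelled as one box. The trace shows why the phone's packets to the server leave the site without step 1, are dropped by the firewall with only step 1, and are delivered (in both directions) with both steps.

```python
"""Longest-prefix-match walk through the thread's two-router topology.

Added example, not from the thread. Assumed values: Router/Firewall LAN
side 192.168.0.254, a phone on the modem wifi at 192.168.1.50, modem WAN
side 203.0.113.10 with gateway 203.0.113.1. Modem and its AP are one node.
"""
import ipaddress


class Node:
    def __init__(self, name, addrs, forwarding=False):
        self.name = name
        self.addrs = [ipaddress.ip_interface(a) for a in addrs]
        self.forwarding = forwarding  # does this box route between interfaces?
        # Connected routes: next hop None means "deliver on this segment".
        self.routes = [(a.network, None) for a in self.addrs]
        self.pinholes = []  # (src_net, dst_net) flows the box will forward

    def add_route(self, net, via):
        self.routes.append((ipaddress.ip_network(net), ipaddress.ip_address(via)))

    def allow_forward(self, src_net, dst_net):
        self.pinholes.append((ipaddress.ip_network(src_net),
                              ipaddress.ip_network(dst_net)))

    def owns(self, ip):
        return any(ip == a.ip for a in self.addrs)

    def next_hop(self, dst):
        """Longest-prefix match over the route table."""
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            raise LookupError(f"{self.name}: no route to {dst}")
        return max(matches, key=lambda r: r[0].prefixlen)[1]


def trace(site, src_ip, dst_ip, max_hops=8):
    """Return (outcome, [nodes visited]) for one packet from src to dst."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    by_ip = {a.ip: n for n in site for a in n.addrs}
    origin = node = by_ip[src]
    path = [node.name]
    for _ in range(max_hops):
        if node.owns(dst):
            return "delivered", path
        if node is not origin:
            # A transit box must be a router, and its firewall must permit the flow.
            if not node.forwarding:
                return f"dropped by {node.name} (not a router)", path
            if not any(src in s and dst in d for s, d in node.pinholes):
                return f"dropped by {node.name} firewall", path
        try:
            via = node.next_hop(dst)
        except LookupError as err:
            return str(err), path
        nxt = dst if via is None else via
        if nxt not in by_ip:
            return f"sent upstream by {node.name} toward {nxt}", path
        node = by_ip[nxt]
        path.append(node.name)
    return "hop limit exceeded", path


def build_site(modem_static_route=False, firewall_pinhole=False):
    """The thread's topology; the two flags are David's steps 1 and 2."""
    modem = Node("Modem/AP", ["192.168.1.1/24", "203.0.113.10/24"], forwarding=True)
    modem.add_route("0.0.0.0/0", "203.0.113.1")      # assumed ISP gateway
    modem.allow_forward("0.0.0.0/0", "0.0.0.0/0")    # modem forwards anything it routes
    router = Node("Router/Firewall", ["192.168.1.2/24", "192.168.0.254/24"], forwarding=True)
    router.add_route("0.0.0.0/0", "192.168.1.1")
    router.allow_forward("192.168.0.0/24", "0.0.0.0/0")   # LAN outbound already works
    server = Node("Server", ["192.168.0.1/24"])
    server.add_route("0.0.0.0/0", "192.168.0.254")
    phone = Node("Phone on modem wifi", ["192.168.1.50/24"])
    phone.add_route("0.0.0.0/0", "192.168.1.1")
    if modem_static_route:   # step 1: modem sends LAN-bound packets to the router's WAN side
        modem.add_route("192.168.0.0/24", "192.168.1.2")
    if firewall_pinhole:     # step 2: router forwards DMZ -> LAN
        router.allow_forward("192.168.1.0/24", "192.168.0.0/24")
    return [modem, router, server, phone]


if __name__ == "__main__":
    for label, site in [("no changes", build_site()),
                        ("step 1 only", build_site(modem_static_route=True)),
                        ("steps 1+2", build_site(True, True))]:
        print(label, trace(site, "192.168.1.50", "192.168.0.1"))
    print("return path", trace(build_site(True, True), "192.168.0.1", "192.168.1.50"))
```

The model deliberately ignores NAT on the Router/Firewall: if that box masquerades LAN traffic toward the DMZ, the return path works regardless, but the inbound direction still needs both the route on the modem and the pinhole, which is exactly what the trace demonstrates.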