
I'm trying to understand why port forwarding doesn't work on a router at a remote office and I've uncovered something strange about how guest networking works that may indicate that I have not been told the whole truth about the network.

There is a remote office in which I have a raspberry pi on a fixed ip address on a private network, let's say x.x.x.99. The primary purpose of this raspberry pi is to serve an internal web site on port 443. However, because I have full control of it, I've been able to set it up to allow access to various internal ip addresses in this remote office through remote ssh tunnels (I set up a service under /etc/systemd/system/). For example, it starts an ssh -p <port> -Nnt -R 1234:x.x.x.1:<router port> <account>@<my home ip>, where I have a router which forwards to another pi at home running sshd on port 22. I'm then able to run a browser at home to my http://<home-pi>:1234 and access the router's management interface.

As a result I can access the router and port forward 80 to my raspberry pi and then run tcpdump -i eth0 port 80 to dump traffic at port 80 (except nothing arrives).

However I did a little test where I got someone in the remote office to connect their phone to the guest wifi and tell me the ip address. They got x.x.x.60 (can't remember the exact value, but it was on the main office subnet). I then asked them to use their browser to access the main web site on my raspberry pi. They could not reach it, although they could get out to the external network.

Now immediately downstream of the lan side of the router is a 48-way switch which I've been told is unmanaged, and downstream of that is a Ubiquiti access point plugged into one of its ports (and my raspberry pi is plugged into another port).

So I asked the guy who set up the router how this works. He said he didn't know but it's all handled by the Ubiquiti access point.

But how does that work? Packets arriving at the switch from the Ubiquiti would be immediately sent to my raspberry pi. Does the Ubiquiti have some form of firewall which recognises the request is to the same sub-net and prevents it even leaving the access point? But then again the ip address appears to have been successfully retrieved from the local dhcp server (on x.x.x.10).

One other strange occurrence which I cannot explain. The whole long-term purpose of this port forwarding is to set up a Synology NAS on a fixed ip x.x.x.15, and that is where ultimately these ports are to be forwarded to.

A few weeks ago I mistakenly plugged them into a switch which was being used by some of the office equipment. The unit disappeared from the rest of the office and could no longer be seen. It wasn't until I came back to it and connected into a known part of the network that it appeared again. This office equipment should have had ip addresses in the x.x.x.0/24 sub-net (the dhcp server had reservations for them), but I have no actual knowledge that they did have those addresses. To me that indicates the use of vlans somewhere. Is there another explanation?

akc42
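An added example, not part of the question: a systemd unit for the persistent reverse ssh tunnel described in the question, written so that a failed remote bind or a dropped WAN link makes ssh exit and systemd restart it, rather than leaving a dead tunnel process. The unit name, the `tunnel` user, host names, ports, key path and the 192.0.2.x addresses are placeholders, not values from the question.

```ini
# /etc/systemd/system/office-tunnel.service  (hypothetical unit name)
# Runs on the office Pi; opens a reverse listener on the home Pi that reaches
# the office router's management interface (placeholder 192.0.2.1:443).
[Unit]
Description=Persistent reverse SSH tunnel from office Pi to home Pi
After=network-online.target
Wants=network-online.target

[Service]
# Run as an unprivileged user with its own key, not as root.
User=tunnel
# -N: no remote command   -n: stdin from /dev/null (no -t: a service needs no tty)
# ExitOnForwardFailure: exit if the -R bind on the home side fails, so systemd restarts us
# ServerAliveInterval/CountMax: notice a dead link within ~90 s instead of hanging forever
# BatchMode/StrictHostKeyChecking: never prompt; refuse an unexpected host key
# -R bound to 127.0.0.1 on the home Pi: the listener is only reachable from that host
#   (browsing it from another home machine would need GatewayPorts on the home sshd)
ExecStart=/usr/bin/ssh -p 2222 -N -n \
    -o ExitOnForwardFailure=yes \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=yes \
    -i /home/tunnel/.ssh/id_ed25519 \
    -R 127.0.0.1:1234:192.0.2.1:443 \
    tunnel@home.example.net
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target
```

On the home Pi the matching authorized_keys entry can be limited to exactly this one listener with the OpenSSH options `restrict,port-forwarding,permitlisten="127.0.0.1:1234"` in front of the key, so a compromised office Pi cannot use the account for a shell or for other forwards.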