Routing between two directly connected PFsense servers
-
Hello, I decided to join after beating my head against a wall for a bit today and thought this would be a good intro to the forum.
I've got a situation where I've got two pfSense boxes with 3 interfaces each. Each one has its own internet connection and its own LAN subnet. I added the 3rd interface to each with the hopes that I could use that to 'link' the two boxes together and allow for some static routing between the two.
For the sake of this, we'll do this:
Pfsense1
WAN: Comcast
LAN: 192.168.1.1/24
OPT1: 172.16.20.1/24
Pfsense2
WAN: Comcast
LAN: 10.1.1.1/24
OPT1: 172.16.20.2/24
My ultimate goal would be to allow workstations from 10.1.1.1/24 access on a specific port to a server on 192.168.1.1/24 (how about 192.168.1.50).
To test all of this before implementing, I configured two brand new installs of 2.3-release with 3 interfaces on both, configured like above. I directly connected the two OPT1 interfaces and made firewall rules to allow traffic from anywhere to anywhere (at this point).
I also created a new gateway on each on the OPT1 interface and specified the IP address of the other box's OPT1 interface IP. From pfSense I can ping the OPT1 interface of the other box, but I can't ping the LAN interface of the other box. Even adjusted firewall rules, tried making an outbound NAT rule. At this point I think I've changed so many things trying to get a positive result on that test that I may just reinstall and start from scratch.
What I came here to ask was this: Can anyone point to a walkthrough, or some common steps, with this idea of directly connecting two PFsense boxes and allowing the LANs from each side to talk to each other? I can create more restrictive firewall rules later.
Thanks
-
Read and commented in this thread too basically about the same topic:
https://forum.pfsense.org/index.php?topic=115514.0
I went back to square one and started over. Still ended up with the same results. Then I restarted both instances of pfSense and upon restart I could ping the LAN subnet on the other side. I do this every time. Beat my head against a wall and then find that rebooting solves a lot of things.
-
Would be a lot easier using a single PfSense server with 4 interfaces. Then you can simply configure Dual-WAN and Dual-LAN with routing & firewall rules as required.
Additionally, both LAN segments could use the WANs for load balancing or failover.
-
Did you add a static route to the LAN on the other pfSense?
https://doc.pfsense.org/index.php/Static_Routes
-
Don't add the gateway in the interface page. Having a gateway present there makes it assume that it's a WAN and to do NAT. Just add the gateways and static routes in System > Routing. You should be able to do internet failover between the two PFSense devices as well, simply by setting up a gateway group on each with its primary WAN as the Tier 1 and the address of the other PFSense as the Tier 2.
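The two replies above (add a static route to the other box's LAN, and put gateways and static routes under System > Routing rather than on the interface) describe why the original setup could ping the link address but not the far LAN. The following is an added example, not code from the thread or from pfSense: a small longest-prefix-match model of both boxes' forwarding tables using the addresses from the first post. The tables, the placeholder ISP gateway names (`comcast-1`, `comcast-2`) and the client address `10.1.1.20` are constructed for the illustration. It shows that with no static route the far LAN matches only the default route and goes out the WAN, that a static route on one side alone gives a one-way path (the reply still leaks out the other box's WAN), and that static routes on both sides give a symmetric path.

```python
"""Added example: model of static routing between two directly linked pfSense
boxes (addresses from the thread; tables are constructed, not an export)."""
from __future__ import annotations

import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, str, Optional[str]]  # (network, interface, gateway or None if connected)

# Which box owns which OPT1 link address (constructed from the thread's addressing).
LINK_OWNERS = {"172.16.20.1": "pfsense1", "172.16.20.2": "pfsense2"}


def base_tables() -> Dict[str, List[Route]]:
    """Connected networks plus a default route out WAN; no static routes yet."""
    return {
        "pfsense1": [
            ("192.168.1.0/24", "LAN", None),
            ("172.16.20.0/24", "OPT1", None),
            ("0.0.0.0/0", "WAN", "comcast-1"),  # placeholder ISP gateway
        ],
        "pfsense2": [
            ("10.1.1.0/24", "LAN", None),
            ("172.16.20.0/24", "OPT1", None),
            ("0.0.0.0/0", "WAN", "comcast-2"),  # placeholder ISP gateway
        ],
    }


def with_static_routes(tables: Dict[str, List[Route]],
                       sides: Tuple[str, ...] = ("pfsense1", "pfsense2")) -> Dict[str, List[Route]]:
    """Add the System > Routing static route to the far LAN on the chosen side(s)."""
    tables = {name: list(routes) for name, routes in tables.items()}
    if "pfsense1" in sides:
        tables["pfsense1"].append(("10.1.1.0/24", "OPT1", "172.16.20.2"))
    if "pfsense2" in sides:
        tables["pfsense2"].append(("192.168.1.0/24", "OPT1", "172.16.20.1"))
    return tables


def lookup(table: List[Route], dst: str) -> Optional[Tuple[ipaddress.IPv4Network, str, Optional[str]]]:
    """Longest-prefix match, as the kernel forwarding table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in table:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, gw)
    return best


def trace(tables: Dict[str, List[Route]], start: str, dst: str,
          max_hops: int = 8) -> Tuple[str, List[Tuple[str, str, Optional[str]]]]:
    """Follow dst from router `start`; returns (outcome, [(router, iface, gateway), ...])."""
    path = []
    here = start
    for _ in range(max_hops):
        _network, iface, gw = lookup(tables[here], dst)
        path.append((here, iface, gw))
        if gw is None:
            return "delivered", path        # connected network: dst is on-link
        if iface == "WAN":
            return "leaked-to-wan", path    # only the default route matched
        nxt = LINK_OWNERS.get(gw)
        if nxt is None:
            return "unreachable", path      # gateway is not on the OPT1 link
        here = nxt
    return "loop", path


def round_trip(tables: Dict[str, List[Route]], client: str = "10.1.1.20",
               server: str = "192.168.1.50") -> Tuple[str, str]:
    """Forward (client -> server) enters at pfsense2; the reply enters at pfsense1."""
    fwd, _ = trace(tables, "pfsense2", server)
    rev, _ = trace(tables, "pfsense1", client)
    return fwd, rev


if __name__ == "__main__":
    print("link address only :", trace(base_tables(), "pfsense1", "172.16.20.2")[0])
    print("no static routes  :", round_trip(base_tables()))
    print("pfsense2 side only:", round_trip(with_static_routes(base_tables(), ("pfsense2",))))
    print("both sides        :", round_trip(with_static_routes(base_tables())))
```

The one-sided case is the one that looks like "I can ping their OPT1 but not their LAN": the ICMP request reaches the server, but the reply matches only pfsense1's default route and leaves via its WAN. On the real boxes the equivalent check is Diagnostics > Routes (or `netstat -rn` from the shell) on each side, confirming a `192.168.1.0/24` entry via `172.16.20.1` on pfsense2 and a `10.1.1.0/24` entry via `172.16.20.2` on pfsense1, with the OPT1 firewall rules permitting the traffic and no outbound NAT on OPT1.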