pfsense to usg unable to ping lan devices
-
Hi,
I'm new to using pfSense and have pfSense 23.05 on an SG1100, which is connected to my cable modem; the SG1100 is then connected to a Unifi USG.
The reason for this set-up is that whilst the USG can do IPS/IDS, this has a big impact on the internet speed, so I wanted to offload this functionality to the pfSense unit, and this is effective.
Whilst all this seems to work, I have an issue that from the pfSense unit I can't ping devices on the LAN behind the USG, which means that I can't direct specific traffic to some LAN devices directly.
So, for example, to pass the logs from pfSense to a log server on the LAN, the traffic is directed to the USG IP and from there a firewall rule directs all 514 traffic to the log server.
The setup is:
Cable Modem(192.168.100.1) >
pfSense (192.168.2.1) >
USG (DHCP Address From pfSense 192.168.2.10) >
USG (192.168.2.1 Providing DHCP to LAN)
I have tried reading up on this but am getting lost tbh.
Anyone have any ideas/pointers on how I can solve this?
Many thanks
-
@eliteharbinger42 said in pfsense to usg unable to ping lan devices:
USG (DHCP Address From pfSense 192.168.2.10) >
USG (192.168.2.1 Providing DHCP to LAN)
Your USG LAN and your 1100 LAN are the same CIDR?
If so that's likely your problem.
-
Hi
Thanks for the reply.
I took the default options for setting up a connection from the USG to the pfSense unit.
The USG gets its IP from the pfSense unit, hence the same CIDR; not sure how I would set it up otherwise.
The LAN DHCP server is provided by the USG.
-
@eliteharbinger42 Just so you know - you will not get 1200mbps from an 1100. You will get 450-600mbps in most configurations.
So you have 192.168.1.0/24 on the USG LAN (you said you have 192.168.2.x).
Make sure your rules on your LAN interface on the pfSense are not configured in such a manner that blocks RFC1918 or anything not in the LAN NET for source.
-
Hi,
Thanks for the reply it is very much appreciated.
Am getting a re-purposed Cisco Wave Box to replace the SG1100.
Will look into your comments.
Just to confirm that the USG gets its IP from pfSense and the USG provides DHCP for the LAN under 192.168.1.0/24.
Cheers
-
Hi,
I have had another look at this but am getting nowhere, probably my lack of knowledge.
Did find this post which seems similar and have tried to follow the suggested resolution, but don't think I have got that right:
https://forum.netgate.com/topic/152523/pfsense-and-ubiquiti-usg-working-together
The suggested resolution was:
***
stephenw10 Netgate Administrator
Aug 11, 2020, 1:13 AM
You don't. You need a route from pfSense to the USG LAN. Otherwise pfSense has no idea how to reach it and traffic that it gets for a client in the USG LAN will not be routed correctly. If you don't have a static route back to the USG LAN the NAT allows it to work by translating all the traffic to the USG WAN address which pfSense does know how to reach.
1x NAT is better so add the static route to pfSense. Disable NAT on the USG.
Steve

stephenw10 Netgate Administrator
Aug 11, 2020, 1:41 AM
The static route has to be on pfSense itself. You have to add a static route via a gateway so first go to System > Routing > Gateways and add a new gateway.
Set the USG WAN IP as a gateway and on the pfSense LAN interface which will be in the same subnet.
Now go to the static routes tab. Add a new static route to the USG LAN subnet via the new gateway you just added. With that in place pfSense can reach the clients without the USG having to NAT.
Steve
***
So the IP's I have are:
pfSense 192.168.2.1
USG WAN from pfSense 192.168.2.10
USG LAN 192.168.1.1 Providing DHCP to LAN Clients
This is what I have tried:
Any help would be really appreciated.
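The following is an added illustration, not code from this thread or from Netgate: it models the pfSense forwarding decision with the addresses given above (pfSense LAN 192.168.2.1/24, USG WAN 192.168.2.10, USG LAN 192.168.1.0/24, cable modem 192.168.100.1). The client address 192.168.1.50 and the default route via the cable modem are assumptions made for the example. It shows why pfSense-initiated traffic (syslog, ping) to the USG LAN goes out the wrong interface until the static route Steve describes exists, and why client-initiated traffic still works while the USG NATs.

```python
import ipaddress

# Addresses from the thread; the LAN client and the default route are constructed for illustration.
PFSENSE_LAN = ipaddress.ip_interface("192.168.2.1/24")
USG_WAN = ipaddress.ip_address("192.168.2.10")
USG_LAN_NET = ipaddress.ip_network("192.168.1.0/24")
CABLE_MODEM = ipaddress.ip_address("192.168.100.1")
LAN_CLIENT = ipaddress.ip_address("192.168.1.50")  # constructed example client behind the USG


def build_table(with_static_route: bool):
    """pfSense routing table as (destination, next hop or None if connected, interface)."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), CABLE_MODEM, "wan"),  # default route to the modem
        (PFSENSE_LAN.network, None, "lan"),                        # directly connected LAN
    ]
    if with_static_route:
        # System > Routing: gateway = USG WAN IP on the LAN interface,
        # static route = USG LAN subnet via that gateway.
        table.append((USG_LAN_NET, USG_WAN, "lan"))
    return table


def lookup(table, dst):
    """Longest-prefix match, the same decision the kernel makes when forwarding."""
    best = None
    for net, nexthop, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return best


def next_hop(table, dst):
    """Return (next hop as text or 'direct', egress interface) for a destination."""
    _net, nexthop, iface = lookup(table, dst)
    return (str(nexthop) if nexthop is not None else "direct", iface)


def reply_path(table, usg_nat_enabled: bool):
    """Where pfSense sends the reply to a packet that a LAN client initiated.

    With NAT on the USG the packet arrives from the USG WAN address, which is on a
    connected subnet; with NAT off it arrives from the client's real address.
    """
    seen_source = USG_WAN if usg_nat_enabled else LAN_CLIENT
    return next_hop(table, seen_source)


if __name__ == "__main__":
    for label, table in (("no static route", build_table(False)),
                         ("with static route", build_table(True))):
        print(f"{label}: syslog to {LAN_CLIENT} -> {next_hop(table, LAN_CLIENT)}")
        print(f"{label}: reply to NATed client -> {reply_path(table, True)}")
        print(f"{label}: reply to un-NATed client -> {reply_path(table, False)}")
```

Without the route, traffic for 192.168.1.50 matches only the default route and leaves via WAN toward the modem, so nothing reaches the log server; with the route it is handed to 192.168.2.10 on LAN. Replies to NATed clients resolve as "direct" either way, which is why the setup appears to work until pfSense itself needs to initiate a connection. Once the route is in place, the LAN rule point above still applies: with USG NAT disabled, pfSense will see 192.168.1.x source addresses on its LAN interface, so the rules there must not be limited to LAN net as source.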