pfSense behind pfSense - Not getting WAN IP from PFS1
-
Got my new 8200 a week back and, after a series of events, have now started configuring it. Because of the totally different H/W and NIC setup, I suppose a direct restore of the config is not possible, hence I created a new VLAN (on the LAN interface) on my existing pfSense (PFS1) and hooked up the 8200 (PFS2) to that, hoping I'm gonna get an IP address from that VLAN subnet as the DHCP WAN address on the 8200, but it's not happening.
I can ping PFS1 from the LAN interface of PFS2 but don't have any Internet/outbound connectivity at all. No responses from Diagnostics -> Ping either. What have I got to change to get egress connectivity on PFS2?
P.S. Just to add, if I connect a standard off-the-shelf modem/router to the same port instead, I DO get the internet connection on the LAN ports.
-S
-
@MacUsers said in pfSense behind pfSense - Not getting WAN IP from PFS1:
hoping I'm gonna get a an IP address from that VLAN subnet as the DHCP WAN address on 8200 but it's not happing.
I can ping PFS1 from the LAN interface of PFS2 but don't have any Internet/out-bound connectivity at all.
I don't expect that you can ping the outer box from behind the second one if it doesn't have a WAN IP.
Maybe you can give more details on what you actually have. -
@viragomann said in pfSense behind pfSense - Not getting WAN IP from PFS1:
I don't expect that you can ping the outer box from behind the second one if it doesn't have a WAN IP.
Sorry, I missed a bit here: it works if I set a static IP (from the same subnet as the VLAN) on PFS2 manually.
It also works if I connect PFS2 directly to the PFS1 LAN subnet rather than the VLAN subnet.
-
@MacUsers
So obviously the VLAN is working, but not DHCP. Is it configured properly? -
@viragomann yeah, I hope so.
If I connect my laptop or a WiFi AP, it gets an IP via DHCP. -
Just to add, even with the IP set on PFS2 manually, no outbound connectivity. Can anyone give me any direction, please?
-S
-
Okay, I don't know what happened, but here it is for others, if they face the same issue.....
For some reason, PFS2 probably wasn't recognizing the WAN IP, hence it didn't create the automatic outbound NAT rules. When I manually configured the static IP on the PFS2 WAN interface, pfSense only allowed me to specify a single /32 IP address, so trying to create an upstream gateway was going out of range. Because of the absence of the upstream gateway, no automatic NAT rule was created. So, with the statically set IP, I could ping the PFS1 IP address but nothing beyond that. Restarting PFS1 fixed everything :)
(reminded me of the days of Windows Vista) -
@MacUsers Out of curiosity, which DHCP server version are you using on PFS1? KEA or ISC?
-
@Gblenn
KEA, on both.
I hope it wasn't the stuck-process issue; I didn't check, as it was working for the rest of the other VLANs. -S
-
@MacUsers Well, I can't help but wonder if that (on PFS1) had something to do with your issue... Especially since restarting it solved the issue. That should simply not have been necessary... I have had exactly your kind of setup for testing with various firewalls, without ever having any issues.
-
@Gblenn yeah, since you mentioned that, I've now started thinking whether that was actually the case under the hood. Well, at least I'll remember to check that from now on.
24.11 is supposed to fix that issue, according to some posts here.
-
@MacUsers
I have experienced several times that it was necessary to restart pfSense to get the outbound NAT working. -
@viragomann said in pfSense behind pfSense - Not getting WAN IP from PFS1:
I have experienced several times that it was necessary to restart pfSense to get the outbound NAT working.
But how is that related to the fact that it worked when setting a static WAN IP on the second pfSense, but not when set to DHCP? And this was resolved by restarting the first pfSense (handing out IPs). -
@Gblenn there was a catch - it didn't actually work with the static IP either. I could ping the PFS1 IP after setting up the IP manually, but that's all.
I think the static IP would have worked if I could have set up an upstream gateway, which was prevented by pfSense, saying the gateway IP is out of range. But the automatic NAT rules didn't get created in either case - just to clarify.
-
@MacUsers Ah ok, but as soon as it got an IP via DHCP, the NAT rules also got set up correctly, I suppose?
-
Yes, without a gateway on the interface there would be no auto outbound NAT rules. But also with a /32 subnet on WAN it couldn't talk to anything else anyway. Not sure why it couldn't have had the expected subnet there, presumably /24.
-
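The two posts above (the /32 static address whose gateway is rejected as out of range, and the observation that automatic outbound NAT only exists for an interface with a gateway) can be modelled in a few lines. The following is an added example, not code from the thread or from pfSense itself: the interface dicts, the `pfs2_interfaces` helper and the rule format are this example's own simplified representation of what pfSense does, and the addresses (192.168.50.0/24 as PFS1's VLAN, 192.168.1.0/24 as PFS2's LAN) are constructed for illustration.

```python
"""
Added example (not from the forum thread or from pfSense's own code).

Models two pfSense behaviours discussed in the thread:
  1. A static gateway must lie inside the interface's own subnet, so a /32
     WAN address can never be given an upstream gateway.
  2. Automatic outbound NAT generates rules only for interfaces that have a
     gateway (WAN-type); interfaces without one count as internal networks.

Interface representation (assumed, simplified; NOT pfSense's config.xml):
  {"name": str, "mode": "static"|"dhcp", "address": "a.b.c.d/len",
   "gateway": "a.b.c.d" (optional), "lease": {"address":..., "gateway":...} (dhcp only)}
"""
import ipaddress


def gateway_in_range(ip_cidr, gateway):
    """True if `gateway` is another host inside the subnet of `ip_cidr`.
    A /32 network contains only the interface address itself, so any real
    next hop is "out of range" - the error PFS2 reported in the thread."""
    iface = ipaddress.ip_interface(ip_cidr)
    gw = ipaddress.ip_address(gateway)
    return gw != iface.ip and gw in iface.network


def effective_gateway(iface):
    """Return (gateway_or_None, reason) for the gateway the interface can use."""
    if iface["mode"] == "dhcp":
        lease = iface.get("lease")
        if lease is None:
            return None, "no DHCP lease received"
        return lease["gateway"], "gateway taken from DHCP lease"
    gw = iface.get("gateway")
    if gw is None:
        return None, "static address without upstream gateway"
    if not gateway_in_range(iface["address"], gw):
        return None, "gateway %s is out of range for %s" % (gw, iface["address"])
    return gw, "static upstream gateway"


def auto_outbound_nat(interfaces):
    """Simplified automatic outbound NAT: one rule per (WAN-type interface,
    internal subnet). Internal = a static interface with no usable gateway."""
    wan_type = [i for i in interfaces if effective_gateway(i)[0] is not None]
    internal = [i for i in interfaces
                if i["mode"] == "static" and effective_gateway(i)[0] is None]
    rules = []
    for wan in wan_type:
        for lan in internal:
            src = str(ipaddress.ip_interface(lan["address"]).network)
            rules.append({"interface": wan["name"], "source": src,
                          "translate_to": wan["name"] + " address"})
    return rules


def pfs2_interfaces(wan):
    """Constructed PFS2: a static LAN with no gateway plus the WAN under test."""
    lan = {"name": "LAN", "mode": "static", "address": "192.168.1.1/24"}
    return [wan, lan]


if __name__ == "__main__":
    cases = {
        "dhcp, no lease": {"name": "WAN", "mode": "dhcp"},
        "static /32 + gw": {"name": "WAN", "mode": "static",
                            "address": "192.168.50.10/32", "gateway": "192.168.50.1"},
        "static /24 + gw": {"name": "WAN", "mode": "static",
                            "address": "192.168.50.10/24", "gateway": "192.168.50.1"},
        "dhcp with lease": {"name": "WAN", "mode": "dhcp",
                            "lease": {"address": "192.168.50.23/24", "gateway": "192.168.50.1"}},
    }
    for label, wan in cases.items():
        gw, why = effective_gateway(wan)
        rules = auto_outbound_nat(pfs2_interfaces(wan))
        print("%-16s gateway=%-13s %-45s outbound NAT rules: %d" % (label, gw, why, len(rules)))
```

The first two cases reproduce what the thread describes: with no lease, or with a /32 address whose gateway is rejected, the WAN has no gateway, so it is not WAN-type and no outbound NAT rule is generated; PFS2 can still reach PFS1 on the directly connected VLAN, but nothing beyond it. The /24 static case and the DHCP-with-lease case each yield one rule translating 192.168.1.0/24 to the WAN address.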
@Gblenn said in pfSense behind pfSense - Not getting WAN IP from PFS1:
Ah ok, but as soon as it got an IP via DHCP, the NAT rules also got set up correctly I suppose?
Yeah, that was correct.
-
@MacUsers said in pfSense behind pfSense - Not getting WAN IP from PFS1:
hence I created a new VLAN (on LAN interface) on my existing pfSense (PFS1) and hooked up 8200 (PFS2) to that, hoping ....
Wait!!
You can't start hoping at that point. You have to finish your work first. When you create a VLAN 'on one side' (your pfSense 1) you have to duplicate that same VLAN info on the other side! - in this case the WAN of your pfSense 2.
After all: the VLAN ID (number) needs to be set on one side, and recognized on the other side.
The other side is normally a smart switch, on which you use one port as the VLAN coming from pfSense, which is tagged as a VLAN with ID "ID", and on the smart switch you use the same ID number, and then you assign several ports to it. Those ports go to the ordinary network devices that are not aware of the VLAN magic. So, I presume, as I never did this myself and I can't test it:
On your pfSense 2: create a VLAN with the same ID based upon your WAN.
Activate the DHCP client on this VLAN (WAN) interface. edit: and if this doesn't work, then you have to place a smart switch between PS1 and PS2. Split out the VLAN ID from PS1 on this switch, and connect the assigned port to the pfSense 2 WAN.
That will work for sure. -
@Gertjan said in pfSense behind pfSense - Not getting WAN IP from PFS1:
When you create a VLAN 'on one side' (your pfSense 1) you have to duplicate that same VLAN info on the other side! - in this case the WAN of your pfSense 2.
Why, if all you are after is to hook it up, to set it up?
The reason for the VLAN is, I suppose, so that you don't end up with the same IP on WAN as you have on LAN (on PFS2), since this machine was supposed to have the exact same setup as PFS1...
-
@Gertjan said in pfSense behind pfSense - Not getting WAN IP from PFS1:
edit: and if this doesn't work, then you have to place a smart switch between PS1 and PS2. Split out the VLAN ID from PS1 on this switch, and connect the assigned port to the pfSense 2 WAN.
I have several managed switches, and PFS2 was connected to one of the ports on one of the switches, which was configured with that VLAN ID. When I said I could ping the PFS1 IP address but nothing beyond, I assumed it would be understood that the internal networking was set up okay.
BTW, in the 7th post I posted the reason for it not working in the first place, and then it started working as expected after the reboot, so it becomes very obvious that VLAN, tagging, managed switch etc. weren't the issue at all.
The question was why PFS1 couldn't provide an IP to PFS2 in the first place, via DHCP.