Netgate Discussion Forum

Secondary network behind LAN can not access internet

Routing and Multi WAN
23 Posts 4 Posters 10.9k Views
hdokes

      Ok Gentleman,

      Currently on site.  Attempting to set up subnet on LAN one and subsequent NAT rule but not having success.  Also pretty sure I am not doing it correctly here.

I set up a virtual IP for the network 192.168.1.0/24 on the LAN interface.  Every time I go back to edit this rule it shows the IP address as a single address even though I set it to a network with the 24 subnet (it may be this is what it defaults to every time the edit window is opened).  The entry looks like this:

Virtual IP address   Type         Description
192.168.1.0/24       [Proxy ARP]  NAT rule for North Store

      I then went to firewall NAT outbound and entered the following:

      ON -  Automatic outbound NAT rule generation (IPSEC passthrough)

      OFF - Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
LAN        192.168.1.0/24  *            *            *                 192.168.1.0  *         NO           Out Bound NAT rule for North Store

      I still do not get beyond the LAN interface for any Store2 traffic.

      Can you provide some corrective syntax for what I may be doing wrong?

GruensFroeschli

um..
Unless you want to host something on the store2 network you don't need VIPs --> delete all VIPs.

I think you misunderstood what Advanced Outbound NAT is about.
With AON you define how the router NATs.
This is not the same as forwarding a port.

you need to enable AON
--> disable automatically created rules.

        OFF - Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        192.168.1.0/24   *            *            *                 *            *         NO
WAN        192.168.10.0/24  *            *            *                 *            *         NO

        The Interface is the interface to which the traffic will be rewritten to.
        You want that packets originating from within your network appear to the outside as if they originate from your WAN-interface.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

hdokes

          Ok… I understand.

Changed configuration to reflect what you had shown.  Removed VIPs and changed to AON on and it shows both network routes as you had depicted.  I still am having issues pinging beyond the LAN port.  Are there any other entries I may be overlooking? ... i.e. NAT or Firewall Rules?

          Thank you for your assistance on this.

GruensFroeschli

            So are you now able to reach the internet from your store2?

What exactly do you mean you have issues pinging beyond the LAN port?
            I need information like from where you are pinging what.
            Could you write from what IP you are trying to ping the target IP?

hdokes

              I can ping from store2 to the LAN interface of the PFSense router. 
              I can not ping from store2 to the WAN side of the PFSense router.
              I can not ping from store2 to the internet (beyond the PFSense router).

              I can ping from the local network (Store1) to the WAN address of the PFSense router.

              I can remote access any device at store2 from the internet (using remote desktop and PCAnywhere)

hdokes

                Allow me to confirm whether or not I am understanding this correctly… and thank you for your patience and indulging me....

                As there is port forwarding on the PFSense box from the outside in... (firewall rules - apply to WAN interface) so too is there port forwarding from the inside of the box out (Nat Rules - apply to LAN interface).  The two are not synonymous but rather the system allows for auto creation of a firewall rule as a convenience when you are setting Nat Rules for outbound traffic?

                If I am correct here... would I also be correct then that I could set two primary NAT rules for both networks in the following fashion?

If   Proto  Ext. port range  NAT IP           Int. port range  Description
WAN  TCP    any              192.168.10.0/24  any              Allow all ports outbound for Store1 (ext.: xxx.xxx.xxx.xxx)
WAN  TCP    any              192.168.1.0/24   any              Allow all ports outbound for Store2 (ext.: xxx.xxx.xxx.xxx)

                Would this be accurate based on my assumptions and would it be required?

GruensFroeschli

                  Could you provide all rules you have on your LAN-interface?

                  When you try to ping and it does not work: do you get any entries in the firewall log?

hdokes

The pings are being logged from the correct Store2 IP address and show the WAN address as the destination… the msg associated with the log entry is:

                    @124 Block drop in log quick all label "Default block all just to be sure."

                    The NAT outbound rules are:

Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        192.168.1.0/24   *            *            *                 *            *         NO           Out Bound NAT rule for North Store
WAN        192.168.10.0/24  *            *            *                 *            *         NO

                    I have many NAT rules for the WAN interface to accommodate internal services such as remote desktop and PCAnywhere access.  There are no Internet services requiring external access from the internet at this time.

                    There are currently no explicit rules for the LAN adapter for either network other than these outbound references.

jor-el

                      Hello!!!

I have the same problem as hdokes (excuse me, my English is not the best ;) )

                      The scheme is the following one.

                   x.x.x.x
                  ----------
                  |  DSL   |____________ INET
                  ----------
                      | 192.168.1.1
                      |
                      | 192.168.1.100
                  ----------
                  | pfsense |
                  ----------
                      | 172.16.1.100
                      |
                  ----------                         VLAN 1
          --------| Switch |---------------------  PC
          |       ----------                         172.16.1.1 /24
          |
        Router
          |
          |
        Switch
          |
          |
          PC          VLAN 2
      172.16.0.1 /24

                      VLAN 1 can access internet
                      VLAN 2  can not access internet
                      pfsense

                      VLAN 1 to VLAN 2 ping OK
                      Vlan 2 to Vlan 1 ping ok
                      Vlan 1 to pfsense (172.16.1.100) ping OK
                      Vlan 2 to pfsense (172.16.1.100) ping OK
                      Vlan 1 to DSL ping OK (Any Address)
                      Vlan 2 to DSL ping NO
                      Vlan 1 to HTTP access OK
Vlan 2 to HTTP access NO

                      The NAT outbound rules are:

Interface  Source         Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        172.16.1.0/24  *            *            *                 *            *         NO
WAN        172.16.0.0/24  *            *            *                 *            *         NO

The problem is that I can not access from VLAN 2.

thanks for the answer.

GruensFroeschli

                        @hdokes: Could you also provide the FIREWALL-Rules on the LAN tab?
                        You need 2 similar rules on the Firewall tab (Like jahonix said in his first post).

@jor-el: The same goes for you, but you need an allow-rule on your OPTx interface on which your VLAN2 is.

hdokes

                          Ok… back at it on site again.

                          The firewall rules for the LAN tab consist only of the following:

Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
*      LAN net  *     *            *     *                  Default LAN -> any

                          Still trying to make it work... any assistance is much appreciated.

GruensFroeschli

                            @jahonix:

                            On your LAN interface you need to allow traffic from the remote subnet additional to the local one.
                            Have you done that?

So additionally to letting pass HTTP and/or HTTPS traffic for 192.168.10.0/24 you have to allow traffic for 192.168.1.0/24 as well on the LAN if.

                            so it has to look like this:

Proto  Source          Port  Destination  Port  Gateway  Schedule  Description
*      LAN net         *     *            *     *                  Default LAN -> any
*      192.168.1.0/24  *     *            *     *                  store2_subnet -> any

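A small model of the rule evaluation the thread ends on, added here as an illustration; it is not pfSense code and not code from anyone in the thread. It assumes Store1 is 192.168.10.0/24 on the LAN interface, Store2 is 192.168.1.0/24 routed in behind it, and a placeholder WAN address of 203.0.113.10. The point it shows: the LAN tab's "LAN net" macro expands only to the subnet configured on the interface, so the stock "Default LAN -> any" rule never matches Store2 traffic, which falls through to the default block seen in hdokes's firewall log no matter what outbound NAT mapping exists on WAN. Filtering happens on the interface where the packet enters; the outbound NAT rewrite on WAN is only reached once the LAN rules have passed it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the thread's layout; the WAN address is a placeholder (TEST-NET-3).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")    # Store1, attached to the LAN interface
STORE2_NET = ipaddress.ip_network("192.168.1.0/24")  # Store2, routed in behind the LAN
WAN_ADDRESS = ipaddress.ip_address("203.0.113.10")   # placeholder for the real WAN address


@dataclass(frozen=True)
class FilterRule:
    action: str                               # "pass" or "block"
    source: Optional[ipaddress.IPv4Network]   # None means "any"
    label: str


@dataclass(frozen=True)
class NatRule:
    interface: str                            # interface on which the rewrite happens
    source: ipaddress.IPv4Network
    nat_address: ipaddress.IPv4Address


# pfSense's implicit last rule; its label is the one hdokes saw in the log.
DEFAULT_BLOCK = FilterRule("block", None, "Default block all just to be sure.")


def lan_rules(extra_sources=()):
    """Rules on the LAN tab: the stock 'Default LAN -> any' rule, where 'LAN net'
    expands only to the subnet configured on the LAN interface, plus one pass
    rule per additional source network the admin adds explicitly."""
    rules = [FilterRule("pass", LAN_NET, "Default LAN -> any")]
    for net in extra_sources:
        rules.append(FilterRule("pass", ipaddress.ip_network(net), f"{net} -> any"))
    return rules


def filter_inbound(rules, src):
    """First-match evaluation of the rules on the interface a packet enters,
    ending with the implicit default block."""
    src = ipaddress.ip_address(src)
    for rule in rules:
        if rule.source is None or src in rule.source:
            return rule
    return DEFAULT_BLOCK


def outbound_nat(nat_rules, iface, src):
    """NAT address for a packet leaving `iface`, or None if no mapping matches.
    A mapping entered against LAN (as in the first post) never matches on WAN."""
    src = ipaddress.ip_address(src)
    for rule in nat_rules:
        if rule.interface == iface and src in rule.source:
            return rule.nat_address
    return None


def trace(src, rules, nat_rules):
    """Walk a packet from a client behind LAN towards the internet:
    LAN inbound filter first, then outbound NAT on WAN."""
    verdict = filter_inbound(rules, src)
    if verdict.action != "pass":
        return {"filter": "block", "label": verdict.label, "nat": None}
    return {"filter": "pass", "label": verdict.label,
            "nat": outbound_nat(nat_rules, "WAN", src)}


# The two outbound mappings from the thread, both on WAN.
NAT_RULES = [
    NatRule("WAN", LAN_NET, WAN_ADDRESS),
    NatRule("WAN", STORE2_NET, WAN_ADDRESS),
]

if __name__ == "__main__":
    for title, rules in (("LAN rules as posted", lan_rules()),
                         ("after adding the store2 pass rule", lan_rules(["192.168.1.0/24"]))):
        print(title)
        for client in ("192.168.10.20", "192.168.1.20"):   # constructed client addresses
            print(f"  {client:15} -> {trace(client, rules, NAT_RULES)}")
```

Run it as a script to see the before/after for one client in each store; the Store2 client is blocked with the "Default block all" label until the second LAN pass rule exists, and only then does the WAN mapping apply.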
hdokes

GruensFroeschli…. you are a tonic for my befuddled brain.  That worked!  :)

                              Still not sure that I fully understand it but let me digest it here a bit and I will follow up here with some closing comments.

                              Thanks again to everyone who assisted.... I really appreciate it.
