Netgate Discussion Forum
    Two PFsense systems cannot NAT

      hansru:

      Anyone having any suggestions?
      I can NAT with two APs on the same pfSense system; however, with an additional pfSense system I cannot NAT to that pfSense system.
      Thanks,
      Hans

        GruensFroeschli:

        Small question: what did you do with the WAN of PF2?

        Could you show a screenshot of one of the NAT rules you made on PF2?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          hansru:

          I tried it again, but unfortunately no success.
          Attached are the images of my settings.
          Besides the one for 192.168.16.112, I've made another one to 192.168.1.50. I can ping, get replies, etc., but no port forwarding.

          Thanks in advance for your help

          [Attachments: PF1_adv.jpg, PF2_adv.jpg, PF1_NAT.jpg, PF1_Rules_WAN.jpg, PF2_Rules_WAN.jpg, PF2_status_interface.jpg]

            GruensFroeschli:

            Again:

                     |-------|                |-------|
            -- WAN --|  PF1  |--LAN------LAN--|  PF2  |-- WIFI
                     |-------|                |-------|
                         |                        |
                        DMZ                      WIFI

            Where is the WAN on your pfSense 2?
            If your "LAN" is the WAN then it will not work.

              hansru:

              OK, the chart should look like this:

                       |-------|                |-------|
              -- WAN --|  PF1  |--LAN------WAN*-|  PF2  |-- WIFI
                       |-------|                |-------|
                           |                        |
                          DMZ                      WIFI

              * WAN is 192.168.1.150 (also shown in the images)

                hansru:

                Is there anyone with a good idea how I can NAT two pfSense systems?
                I can ping both back and forth; however, there is no way I can achieve it. It really drives me crazy.

                Thanks in advance

                  GruensFroeschli:

                  OK, now I'm really confused:

                  LAN PF1 is 192.168.16.1

                  * WAN is 192.168.1.150

                  How should the LAN of PF1 be able to communicate with WAN* if they are not in the same subnet?

                  Maybe you should make a "clear" diagram of which IP range is where, and what should have access to what.

                  Whenever I start setting up a new network environment I first sit down with a lot of paper and do the planning work without even thinking about plugging in any cables anywhere or setting up any rules.

                    hansru:

                    As per your request the diagram:

                    pfSense 1 / Alix 2c1, BIOS v0.99 / R 1.2RC4 full (on microdrive)
                    pfSense 2 / Alix 2c0, BIOS v0.99 / R 1.2RC4 full (on microdrive)

                    PF1 vr0 LAN 192.168.16.1/24 DHCP Server
                          vr1 WAN 10.0.0.10/24 DHCP client from ADSL modem
                          vr2 DMZ 192.168.1.1/24 DHCP Server
                          ath0 Wifi A 192.168.4.1/24 DHCP Server

                    PF2 vr0 LAN 192.168.16.110/24 Static IP
                          vr1 WAN 192.168.1.150/24 DHCP client assigned by PF1
                          ath0 WIFI B disabled
                          ath1 WIFI C disabled

                    I can ping from PF1 to the PF2 WAN (192.168.1.150) from WAN / DMZ / WIFI / LAN.
                    I can also ping from PF2 to PF1.

                    What I want to achieve is to have access to the web GUI on PF2 through PF1 to enable remote support. Is there anyone who knows what to do?
                    It drives me crazy.

                    [Attachment: network.jpg]

                      GruensFroeschli:

                      Did you create an advanced outbound NAT entry for your DMZ (and all other OPTx)?
                      http://forum.pfsense.org/index.php/topic,7001.0.html

                      Try setting the web GUI of pfSense 2 to port (something_else_than_80) and create the rule on pfSense 1 accordingly.
                      DON'T forward from 85 to 80 at first.
                      Just a simple 8181 -> 8181 or so.

                        hansru:

                        OK, thanks for your input.

                        What I did is I reconfigured the web GUI on PF2 to port 8181.
                        I created a NAT port under Port Forward.

                        I also created a rule on the WAN. I do not understand what you mean by the Advanced Outbound NAT.
                        Could you please give some guidance?

                        [Attachments: FIRewall_WAN.jpg, NAT.jpg]

                          GruensFroeschli:

                          The firewall rule should have source port * and NOT 8181.
                          If a client initiates a connection to you, it originates from a random port, NOT the same as the destination port.

                          On the advanced outbound NAT rule:
                          Read the link I provided above!
                          http://forum.pfsense.org/index.php/topic,7001.0.html
                          Quoting that topic:

                          If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces) enable Advanced outbound NAT.
                          You need to create a rule for every subnet you want NAT'ed.
                          Alternatively you can change the source of single existing rule from LAN to "any" thus NAT'ing everything.
                          (screenshots to clarify: http://forum.pfsense.org/index.php/topic,7693.0.html )
                          This might create a problem for FTP with multiWAN
                          more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

                            hansru:

                            Thanks for the fast response.

                            It has now been changed. However, the AON does bother me. I've read it several times, but do not fully understand this. It does not work yet.

                            Regards,

                            [Attachments: AON.jpg, Firewall_Wan_v2.jpg]

                              GruensFroeschli:

                              The AoN rule you create basically tells pfSense manually which subnets should be NATed where.
                              With the rule you created you NAT your DMZ subnet to WAN (which you want).

                              You will need to create another rule for every subnet you want NATed too (i.e. WifiA and LAN in your diagram).

                              So it still does not work.
                              Hmm...

                              Did you change the source port to * on the pfSense 1 firewall rule too?

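To make the two points raised above concrete (source port must be any on the port-forward firewall rule, and advanced outbound NAT needs one entry per internal subnet), here is the pf.conf that PF1 would effectively end up with. This is an added illustration, not a configuration from the thread or generated by pfSense; interface names and addresses are taken from hansru's diagram (vr1 = WAN, vr0 = LAN 192.168.16.0/24, vr2 = DMZ 192.168.1.0/24, ath0 = WifiA 192.168.4.0/24) and the syntax is the pre-OpenBSD-4.7 style pf used by pfSense 1.2.

```pf
# Added illustration, not from the thread or from pfSense: the pf.conf
# equivalent of the GUI rules under discussion, written for PF1.
# Assumed from hansru's diagram: vr1 = WAN, vr0 = LAN 192.168.16.0/24,
# vr2 = DMZ 192.168.1.0/24, ath0 = WifiA 192.168.4.0/24, PF2 WAN = 192.168.1.150.

# Advanced outbound NAT: one translation per internal subnet that should
# reach the Internet via WAN. A single rule for the DMZ alone leaves LAN
# and WifiA without outbound NAT, which is the gap pointed out above.
nat on vr1 inet from 192.168.16.0/24 to any -> (vr1)
nat on vr1 inet from 192.168.1.0/24  to any -> (vr1)
nat on vr1 inet from 192.168.4.0/24  to any -> (vr1)

# Port forward on PF1's WAN: TCP 8181 to PF2's WAN address, same port,
# as suggested (keep source and destination ports identical while testing).
rdr on vr1 inet proto tcp from any to (vr1) port 8181 -> 192.168.1.150 port 8181

# WRONG: this pins the client's source port to 8181. Clients pick a random
# ephemeral source port, so almost no inbound connection would ever match.
# pass in quick on vr1 inet proto tcp from any port 8181 to 192.168.1.150 port 8181 keep state

# RIGHT: source port any ("*" in the GUI); destination is the post-rdr
# address, because filtering happens after translation.
pass in quick on vr1 inet proto tcp from any to 192.168.1.150 port 8181 keep state
```

Translation rules (nat/rdr) must appear before filter rules in this pf syntax, as the GUI-generated ruleset does.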
                                hansru:

                                Yep, the rule in the firewall has also been updated to *.

                                Attached are the AONs for the three interfaces.

                                Still not successful. Did you read my PM?

                                regards,

                                [Attachment: AON2.jpg]
