Netgate Discussion Forum
    Dual pfsense setup NAT issue

    NAT
    javerleo

      Hello pfsense fans!

      I need to use all these features at the same time:

      • Packet filtering and NAT at internet entry point
      • DNS forwarding
      • Multiwan links with load balancing and failover
      • Content filtering with squid
      • Bandwidth shaping and throttling (by ip)

      I am aware of these issues:

      • Squid package doesn't work with multiwan
      • Traffic shaper doesn't work with multiwan

      So I would like to use two pfsense machines to make the whole thing work as expected. This is my idea:

      ISP1 ---- WAN1 ----
                         |
                         |---- PFSENSE 1 ----- PRIVATE SUBNET 1 ----- PFSENSE 2 ----- PRIVATE SUBNET 2 ----- USERS
                         |
      ISP2 ---- WAN2 ----

      On PFSENSE 1:

      • NAT and port forwarding are enabled
      • DNS forwarding is enabled
      • Packet filtering is enabled
      • Load balancing and failover are enabled
      • Added a static route to private subnet 2

      On PFSENSE 2:

      • NAT is disabled because I don't want a double NAT (I selected the option "Advanced outbound NAT" and deleted all the rules)
      • DHCP server is enabled for Private subnet 2
      • Traffic shaper is enabled (via the wizard)
      • Squid package is installed and enabled in transparent mode
      • Traffic from subnet 2 to subnet 1 is allowed with the default rule, so I added a rule to allow the traffic in the opposite direction

      PROBLEM: Users can't access the internet.

      QUESTIONS:

      1. Does the traffic shaper work without NAT?

      2. Is there something I am missing?

      3. Comments and suggestions?

      Thanks in advance, and excuse my English.

      UPDATE

      After some forum searching I understand the need to activate "Advanced outbound NAT" on PFSENSE 1 and add a mapping for SUBNET 2. So I made the change and applied it. However, the users on subnet 2 still can't reach the Internet.

      UPDATE

      Based on this post: http://forum.pfsense.org/index.php?topic=10524.0
      I added the rules to allow traffic to pass from subnet 2 to the pfSense 1 LAN interface; however, users on private subnet 2 still cannot access the Internet (traffic between subnet 1 and subnet 2 is normal).

      Still stuck ...

      -----------
      God is my best friend

      Valhalla1

        Sorry, I have no suggestions, but I hope you get it working and let us know what the issue was. I'm thinking of setting up such a config, or perhaps waiting until 1.3 final is out, which should be able to do everything you need from one pfSense box.

        javerleo

          SOLVED! BUT ...

          I made a mistake on the firewall rules, allowing subnet 2 traffic on the wrong interface (I have a third OPT LAN interface on the border pfSense). The setup shown is OK, but I have found another problem (it seems to be a known issue): the traffic shaper doesn't work when Squid in transparent mode is enabled.
          Searching the forum, I cannot find a real solution.

          Any suggestion?

          -----------
          God is my best friend

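As an added illustration (not code from the thread, and not pfSense's own code), the following Python model walks one packet from a subnet-2 user through the two-firewall chain described in the first post and checks the three things this thread stumbled over: the outbound NAT mapping for subnet 2 on pfSense 1 (first update), the pass rule being bound to the interface the traffic actually enters on (the OPT-instead-of-LAN mistake in the last post), and the static route back to subnet 2 via pfSense 2. The addresses, the interface names LAN/WAN1/OPT1 and the upstream gateway are assumptions chosen for the example; the thread gives no prefixes. The rule check models pfSense's behaviour of evaluating firewall rules on the interface where a packet enters.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing (assumed for this example; the thread names no prefixes).
SUBNET1 = ipaddress.ip_network("192.168.1.0/24")  # PRIVATE SUBNET 1: pfSense 1 LAN <-> pfSense 2 WAN
SUBNET2 = ipaddress.ip_network("192.168.2.0/24")  # PRIVATE SUBNET 2: users behind pfSense 2
PF1_LAN = ipaddress.ip_address("192.168.1.1")
PF2_WAN = ipaddress.ip_address("192.168.1.2")
PF1_WAN1 = ipaddress.ip_address("203.0.113.10")   # assumed public address on WAN1
ISP1_GW = ipaddress.ip_address("203.0.113.1")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    iface: str                     # interface the packet ENTERS on (pfSense rule semantics)
    src: ipaddress.IPv4Network


@dataclass
class NatMap:
    out_iface: str
    src: ipaddress.IPv4Network
    translate_to: ipaddress.IPv4Address


@dataclass
class Router:
    name: str
    routes: dict                   # dst network -> (out_iface, next_hop or None when on-link)
    rules: list = field(default_factory=list)
    nat: list = field(default_factory=list)   # empty == advanced outbound NAT with every mapping deleted

    def lookup(self, dst):
        """Longest-prefix match over the routing table."""
        best = None
        for net, hop in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, hop)
        return best[1] if best else None

    def forward(self, src, dst, in_iface):
        """Filter on the ingress interface, route, then apply outbound NAT on the egress interface."""
        if not any(r.iface == in_iface and src in r.src for r in self.rules):
            raise RuntimeError(f"{self.name}: dropped on {in_iface}, no pass rule matches src {src}")
        hop = self.lookup(dst)
        if hop is None:
            raise RuntimeError(f"{self.name}: no route to {dst}")
        out_iface, next_hop = hop
        for m in self.nat:
            if m.out_iface == out_iface and src in m.src:
                src = m.translate_to
                break
        return out_iface, next_hop, src


def pfsense2():
    """Inner box as posted: no NAT, default LAN rule, plus the added rule for the opposite direction."""
    return Router("pfSense 2",
                  routes={ANY: ("WAN", PF1_LAN), SUBNET2: ("LAN", None)},
                  rules=[Rule("LAN", SUBNET2), Rule("WAN", SUBNET1)],
                  nat=[])


def pfsense1(nat_for_subnet2, rule_iface, static_route):
    """Border box; the three flags reproduce the states the thread went through."""
    routes = {ANY: ("WAN1", ISP1_GW), SUBNET1: ("LAN", None)}
    if static_route:
        routes[SUBNET2] = ("LAN", PF2_WAN)
    nat = [NatMap("WAN1", SUBNET1, PF1_WAN1)]
    if nat_for_subnet2:
        nat.append(NatMap("WAN1", SUBNET2, PF1_WAN1))
    return Router("pfSense 1", routes,
                  rules=[Rule("LAN", SUBNET1), Rule(rule_iface, SUBNET2)], nat=nat)


def trace(pf1, pf2, client=ipaddress.ip_address("192.168.2.50"),
          dst=ipaddress.ip_address("198.51.100.7")):
    """Return 'ok' when a subnet-2 host can reach dst and the reply can come back, else the reason."""
    try:
        _, hop, src = pf2.forward(client, dst, "LAN")
        if hop != PF1_LAN:
            return f"pfSense 2: next hop {hop} is not pfSense 1"
        out, _, src = pf1.forward(src, dst, "LAN")   # arrives on pfSense 1 LAN, not on OPT
        if src in SUBNET2:
            return f"pfSense 1: packet leaves {out} with private source {src}, no outbound NAT mapping for subnet 2"
        # Reply path: pfSense 1 reverses the NAT, then must route the private client address via pfSense 2.
        out, next_hop = pf1.lookup(client)
        if out != "LAN" or next_hop != PF2_WAN:
            return f"pfSense 1: reply to {client} routed out {out} instead of via pfSense 2 (missing static route)"
        return "ok"
    except RuntimeError as e:
        return str(e)


if __name__ == "__main__":
    for label, pf1 in [("no NAT mapping for subnet 2", pfsense1(False, "LAN", True)),
                       ("pass rule bound to OPT1 instead of LAN", pfsense1(True, "OPT1", True)),
                       ("no static route back to subnet 2", pfsense1(True, "LAN", False)),
                       ("all three fixed", pfsense1(True, "LAN", True))]:
        print(f"{label}: {trace(pf1, pfsense2())}")
```

The second case is the one that kept the thread stuck: the pass rule existed, but on the wrong interface, so pfSense 1 silently dropped subnet-2 traffic at its LAN before NAT or routing ever came into play. When debugging a chain like this, check ingress rules on the interface the packet physically arrives on first, then the outbound NAT table, then the return route.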
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.