New to PFsense and I need help with my network setup
-
Here is a quick drawing. I hope this helps. I also want to add that I replaced a Linksys router with the pfSense box, thinking this will give me better firewall capabilities and better VPN and router flexibility. The Ascend routers were placed by our telecommunication vendor as part of our MPLS setup. Yes, I can ping from the pfSense box to all routers.

-
How does 192.168.3.1 connect to 192.168.1.3 subnet wise?
As mentioned before, give your netmasks and the routing entries in the routers.
What's the netmask of 192.168.1.1, for example: 255.255.255.0 ( = /24) or 255.255.0.0 ( = /16) or something in between???
-
Subnet mask is 255.255.255.0 ( /24) for all sites.
-
Information on the routers configuration is key. If we assume the remote routers have a route of last resort pointing to the central site router, the central router needs to know the Internet is off the pfSense box. I would test ping connectivity from the firewall and the routers and see what that shows.
-
I will contact the vendor who installed the Ascend routers and relay the info when I receive it. I would assume the last resort pointing is to the central site because the pfSense box is replacing the Linksys router that was there and functioning with this same setup and network configuration. I tried to mimic the same setup of the Linksys with the static routing on the pfSense box.
-
I've spoken with my vendor and he confirmed that the remote routers' last resort pointing is to 192.168.1.1, which is the pfSense box LAN card. I hope this helps with clarification of the configuration.
-
Your pfSense is 192.168.1.1/24
An IP packet arrives on its LAN port from site1 192.168.3.x/24 (some host there). It is out of pfSense's LAN range and you cannot generate rules to let it pass to WAN unless you set up multiple subnets on LAN. Which I wouldn't do.
So how do you want to pass packets from somewhere other than 192.168.1.1-192.168.1.255 through your LAN port?
I'm not the routing expert and am inexperienced with MPLS. If someone wants to add knowledge I'd appreciate it!
-
This should be fine if:
- You have NAT rules for the additional subnets, or just change the mask from /24 to /16 (yeah, you could use a /22)
- The rules on the LAN are similarly modified to include the other subnets.
- The static routes are correctly configured on the pfSense box.
I've said before, DO SOME PING TESTS from various devices: the firewall, the routers, hosts on the various subnets.
-
This should be fine if:
Yes, if.
dhayes was asked about this information a couple of times but is holding back.
With the information given I assume it is not working (I think dhayes didn't even mention the term 'NAT', why should I assume it's configured???)
Anyway, thanks for your feedback.
-
dhayes, per our conversation on the phone I setup a network which is close to yours.
Adding the static routes and allowing the networks under the LAN firewall section was all that was required to get it working.
Included here is a copy of the configuration and diagram of my test network. Information in the diagram and configuration were altered for security reasons.
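The two conditions dotdash listed and wtsexton confirmed (a static route back to each site's router on the LAN, plus a LAN pass rule whose source actually covers the remote subnet, since the stock "LAN net" rule does not) can be checked mechanically. This is an added example written for this thread, not wtsexton's posted configuration or any pfSense code; 192.168.1.3 is taken from the thread as the site router's LAN address, which is an assumption, and outbound NAT for the extra subnets is not modeled.

```python
import ipaddress

# Constructed model of the thread's topology: pfSense LAN is 192.168.1.1/24,
# each MPLS site is a /24 behind an Ascend router on the LAN segment. Using
# 192.168.1.3 as the site-1 router address is an assumption from the thread.
LAN_NET = ipaddress.ip_network("192.168.1.0/24")
STATIC_ROUTES = [                       # (destination, next-hop on the LAN)
    ("192.168.3.0/24", "192.168.1.3"),
]
DEFAULT_LAN_RULES = ["LAN net"]         # pfSense's stock "LAN net to any" pass rule
FIXED_LAN_RULES = ["LAN net", "192.168.3.0/24"]  # remote subnet added as a source

def expand_source(src, lan_net=LAN_NET):
    """Expand the pfSense 'LAN net' alias to the LAN interface subnet."""
    return lan_net if src == "LAN net" else ipaddress.ip_network(src)

def return_gateway(dst_ip, routes=STATIC_ROUTES):
    """Longest-prefix match over the static routes; None if nothing covers dst_ip."""
    dst_ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, gw in routes:
        net = ipaddress.ip_network(dest)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ipaddress.ip_address(gw))
    return best[1] if best else None

def check_remote_host(host, lan_rules, lan_net=LAN_NET, routes=STATIC_ROUTES):
    """List the reasons traffic from a remote-site host via the LAN port would fail.

    An empty list means pfSense has a return route to the site's router on the
    LAN and a LAN pass rule whose source covers the host. Stateful replies
    still need the return route, which is why it is checked first.
    """
    ip = ipaddress.ip_address(host)
    if ip in lan_net:
        return []                       # ordinary LAN host, nothing special needed
    problems = []
    gw = return_gateway(ip, routes)
    if gw is None:
        problems.append("no static route back to %s" % ip)
    elif gw not in lan_net:
        problems.append("gateway %s for %s is not on the LAN subnet" % (gw, ip))
    if not any(ip in expand_source(src, lan_net) for src in lan_rules):
        problems.append("no LAN pass rule whose source covers %s" % ip)
    return problems

if __name__ == "__main__":
    for rules in (DEFAULT_LAN_RULES, FIXED_LAN_RULES):
        print(rules, "->", check_remote_host("192.168.3.50", rules) or "OK")
```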
-
Thank you wtsexton
This seems to work and all is well. The reconfiguring of the rules did the trick. Dotdash and Jahonix your assistance and responses were appreciated and helped tremendously.