1 WAN and 2 LANS
-
I am new to PFSense, but we have 9 firewalls within our organization that are using PFSense. I have installed a brand new PFSense with three NIC's, due to running out of IP addresses on our local LAN. Unfortunately, there was no quick way to subnet the network to give me more IP addresses, so I am trying to give out to LAN connections to run a 192.168.0.XXX and 192.168.10.XXX network. I have them up and running, and I can ping each other, but I have one problem. I am unable to ping anything past the LAN port on the firewall on either side. For instance if my laptop is on the 192.168.0.XXX network, I can ping 192.168.0.1 (Firewall LAN1) and 192.168.10.1 (Firewall LAN2), but I can not ping 192.168.10.2 which is directly plugged into LAN2. The same thing applies if I were on the 192.168.0.XXX network. Any suggestions would be much appreciated.
-
I apologize, I mistyped the subject but it should be 1 WAN and 2 LANS.
-
Did you create appropriate rules on each interface?
Do you have a firewall on the device you're pinging?
You could take a look at the firewall log to see if something gets blocked.
-
Alright, so I can ping the 1st and 2nd LAN's now, which is a huge step. It was caused from not having the rules setup correctly. Now the only problem that I am having is that I can not get out to the internet on the 2nd LAN. It has to be a rule, but I can not seem to figure out what is going on. Any advice?
-
Post screenshots of your rules.
-
Here is the first screenshot
-
Second…
-
Third…
-
and last but not least….fourth...
-
You have a lot of rules which don't do anything.
Firewall rules are applied on the interface on which traffic comes in, in a top-down manner.

LAN: Only the first rule is doing anything. You will never see traffic from the LAN2 subnet on the LAN interface.

LAN2: The same here. You will never see traffic from the LAN interface on the LAN2 interface. Also the first rule includes the third rule (protocol: any, includes protocol: icmp).

IPSEC: The same here: your second rule is an "allow everything" rule. The third rule never catches. If the first rule wouldn't be there, it wouldn't make a difference, since the second rule would allow it.

According to these screenshots you should be able to get out to the internet from the LAN2.
Did you enable Advanced outbound NAT?
-
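The two points in the reply above (rules are evaluated top-down on the interface where traffic enters, and a broad earlier rule makes a narrower later rule dead) can be checked mechanically. The script below is an added example, not pfSense code or anything posted in this thread; it models pass rules only, and the LAN2 rule set it uses is constructed from the reply's description of the screenshots (an allow-all for the LAN2 subnet, a rule keyed on the LAN subnet, then an ICMP-only rule), not copied from them. `never_seen` assumes no other networks are routed behind the interface.

```python
"""First-match rule evaluation with shadowed-rule and wrong-interface checks.

Added example (not pfSense code). Rule sets are constructed from the
description in the thread, not taken from the screenshots.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "pass" or "block"
    proto: str          # "any", "tcp", "udp" or "icmp"
    src: str            # "any" or a network in CIDR notation
    dst: str            # "any" or a network in CIDR notation
    dport: str = "any"  # "any" or a single port number as text


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str            # source host address
    dst: str            # destination host address
    dport: int = 0


def _net(spec: str):
    return None if spec == "any" else ipaddress.ip_network(spec, strict=False)


def _covers_addr(rule_net: str, addr: str) -> bool:
    net = _net(rule_net)
    return net is None or ipaddress.ip_address(addr) in net


def _covers_net(outer: str, inner: str) -> bool:
    """True when every address matched by `inner` is also matched by `outer`."""
    o, i = _net(outer), _net(inner)
    if o is None:
        return True
    return i is not None and i.subnet_of(o)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in ("any", pkt.proto)
            and _covers_addr(rule.src, pkt.src)
            and _covers_addr(rule.dst, pkt.dst)
            and (rule.dport == "any" or int(rule.dport) == pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Top-down, first match wins; None means nothing matched (pfSense then blocks)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(dead rule, rule that shadows it) pairs: an earlier rule matches every
    packet the later rule would, so the later rule is never the first match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto in ("any", later.proto)
                    and _covers_net(earlier.src, later.src)
                    and _covers_net(earlier.dst, later.dst)
                    and earlier.dport in ("any", later.dport)):
                found.append((later.name, earlier.name))
                break
    return found


def never_seen(iface_net: str, rules: List[Rule]) -> List[str]:
    """Rules whose source network does not overlap the subnet attached to the
    interface; such a rule never sees traffic on that interface.
    Assumption: no other networks are routed behind the interface."""
    attached = ipaddress.ip_network(iface_net, strict=False)
    return [r.name for r in rules
            if _net(r.src) is not None and not _net(r.src).overlaps(attached)]


# Constructed LAN2 rule set mirroring the thread's description.
LAN2_NET = "192.168.10.0/24"
LAN2_RULES = [
    Rule("allow all from LAN2", "pass", "any", "192.168.10.0/24", "any"),
    Rule("allow LAN net", "pass", "any", "192.168.0.0/24", "any"),
    Rule("allow icmp from LAN2", "pass", "icmp", "192.168.10.0/24", "any"),
]

if __name__ == "__main__":
    web = Packet("tcp", "192.168.10.30", "198.51.100.7", 443)
    hit = first_match(LAN2_RULES, web)
    print("first match:", hit.name if hit else "none (default block)")
    print("shadowed:", shadowed(LAN2_RULES))
    print("never seen on LAN2:", never_seen(LAN2_NET, LAN2_RULES))
```

Run as-is it reports the ICMP rule as shadowed by the allow-all rule and the LAN-net rule as one that never sees traffic on LAN2, which is the reply's point in code: neither rule contributes anything, so removing them changes no behaviour and leaves a rule set that is easier to audit.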
No it is set to automatic right now.
-
Do the devices on your LAN2 have the pfSense as default gateway?
If you try to access the internet: do you see anything in the firewall log being blocked on OPT1?
Can clients on LAN2 resolve names?
-
Yes, the devices are pointed to LAN2's gateway address. I am receiving a ton of blocks on LAN2, but I can not seem to find an easy way to export them besides a screenshot to place them on here.
-
Alright, so I still can not get to the internet. The layout of the network is like so:
Router --> WAN Port
192.168.0.XXX network --> LAN Port
192.168.10.XXX network --> LAN2 Port
LAN Port --> 192.168.0.XXX Switch
LAN2 Port --> 192.168.10.XXX Switch
Each switch has a cable going to the domain controller with 2 NIC's, so one is configured on the .0 network and one on the .10 network. The switches are configured with their own gateway, but I can ping internally everywhere. I just can not get out on the .10 network. The .0 network is still running fine.
-
Here is how I have the LAN2 setup, does anyone see this as not the correct way to set this up?
-
You have your LAN2 bridged with LAN.
Essentially you made LAN2 = LAN.
Disable the bridge and it should work.
-
Thank you so much….that worked. That was changed the other day when we were at the very beginning stage of setting it up by someone else and I had not even looked at that again. Sorry for so many questions and I appreciate your help very much!
-
I have one more small problem that has been discovered today. I can not access anything through the VPN to the .10 network. I can get to the firewall through IE on the .10 network without any problem, but can not get to anything after that. Everything looks as if it is wide open once you are on the network. This is an example of a firewall log entry:
Nov 18 14:46:36 LAN2 192.168.10.30:3389 192.168.0.20:8701 TCP
-
Alright, so this is still going on. I have rebooted the firewall, and that has resolved some other issues. The only thing that I still can not do once connected to the VPN, which is routing and remote access on the .0 network, is RDP or anything else to anything on the .10 network. I can ping everything though, which is odd. I am confused because if I VPN to any of our other sites, I can connect to anything without any problems. Therefore it has to be something within the firewall or Routing and Remote Access on the server, but for some reason I lean toward the firewall due to the firewall logs.
-
Hmmm.
If you click on the icon on the left side in the firewall log, you can see which rule blocked.
Did you change your firewall rules since you posted the screenshots?
According to your screenshot such a block
Nov 18 14:46:36 LAN2 192.168.10.30:3389 192.168.0.20:8701 TCP
should not happen.
-
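Earlier in the thread the only way found to share the LAN2 blocks was a screenshot. The script below is an added example, not pfSense code and not something posted here: it parses log lines in the summarized layout quoted above (month, day, time, interface, source:port, destination:port, protocol; the raw filterlog syslog format differs and is not handled), counts blocks per interface and per flow, and flags entries whose source port is a well-known service port. Only the first sample line comes from the thread; the others are constructed. The flag is a heuristic: a server's reply being blocked on the interface the server sits behind means the firewall had no state for that connection, and on a stateful firewall that usually happens when the request reached the server by a path that did not pass through it, so the return packet arrives out of state.

```python
"""Parse pfSense firewall-log lines in the summarized layout quoted in this
thread and summarize them. Added example, not pfSense code; only the first
SAMPLE_LOG line is from the thread, the rest are constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +(?P<iface>\S+) +"
    r"(?P<src>[\d.]+):(?P<sport>\d+) +(?P<dst>[\d.]+):(?P<dport>\d+) +(?P<proto>\S+)$"
)

# Ports clients normally connect TO. A blocked packet whose *source* port is
# one of these is most likely a server's reply, not a new connection attempt.
SERVER_PORTS = {22: "ssh", 80: "http", 443: "https", 445: "smb", 3389: "rdp"}


@dataclass(frozen=True)
class Entry:
    ts: str
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    @property
    def reply_like(self) -> bool:
        """Heuristic: service source port plus ephemeral destination port."""
        return self.sport in SERVER_PORTS and self.dport > 1023

    @property
    def service(self) -> Optional[str]:
        return SERVER_PORTS.get(self.sport)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a matching line, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["iface"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["proto"].upper())


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def summarize(entries: List[Entry]) -> Dict[str, object]:
    per_iface = Counter(e.iface for e in entries)
    flows = Counter((e.iface, e.src, e.dst, e.proto) for e in entries)
    return {
        "per_interface": per_iface,
        "top_flows": flows.most_common(5),
        "reply_like": [e for e in entries if e.reply_like],
    }


# Constructed sample; the first line is the one quoted in the thread.
SAMPLE_LOG = """\
Nov 18 14:46:36 LAN2 192.168.10.30:3389 192.168.0.20:8701 TCP
Nov 18 14:46:40 LAN2 192.168.10.30:3389 192.168.0.20:8701 TCP
Nov 18 14:47:02 LAN2 192.168.10.55:51234 192.168.0.10:53 UDP
Nov 18 14:47:05 WAN 203.0.113.9:44321 192.168.0.1:23 TCP
this line is not a log entry
"""

if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    print("blocks per interface:", dict(report["per_interface"]))
    for flow, n in report["top_flows"]:
        print(f"{n:3d}x  {flow[0]:5s} {flow[1]} -> {flow[2]} {flow[3]}")
    for e in report["reply_like"]:
        print(f"reply-like block on {e.iface}: {e.service} server {e.src} -> {e.dst}")
```

On the quoted line it reports a reply-like block on LAN2 from the RDP server 192.168.10.30 back to 192.168.0.20, which is the kind of entry worth checking against the state table and the path the original request took, rather than against the pass rules, since no pass rule is consulted for a packet that belongs to no state.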
Alright, so I am still having a small issue with the firewall, and I have spent time with Microsoft on the phone thinking that it is a routing and remote access issue, but they refuse that it can be the problem. If I VPN into this location, which houses the .0 and .10 network, it gives me a .0 address, but I am not able to get to anything on the .10 network. If I am in the office and not VPN'd in, I can touch anything. If I VPN into another site, I can get to anything. I can ping things on the .10 network though if I VPN into the network and get a .0 IP, but nothing else. Attached are the most current screenshots. I understand that some are irrelevant, but this was before my time and I will clean it up in the long run. I just need this to work.
-
What kind of VPN are you using?
I'm kinda confused since you say you get IPs from both subnets?
Is that a bridged VPN setup?
Are you still using a bridge?
-
The VPN is just Routing and Remote access that is a Windows Server Role. I do not physically get two IP addresses when I connect to the VPN, but I can ping both sides by dns or IP. I get a .0 address, but can not RDP or go to the web portal of anything on the .10 network. I am not sure what you mean if this is bridged.