Lan on both sides wan and lan
-
This may not be possible but if someone could give me a little info that would be great.
My topology is as follows.
ADSL router firewall (local lan clients 192.168.3.0/24) > wan pfsense (dedicated outside ip address) lan port to another lan 192.168.2.0/24
Is it possible for me to allow my 192.168.2.0/24 to communicate with my 192.168.3.0/24 station, and if so, what kind of rules would be required?
My ideal situation would be to have the dedicated wan address on the pfsense box to run a pptp server so roaming employees would have access to the 192.168.2.0/24 network. But 192.168.2.0/24 clients could have internet access and be able to contact the 192.168.3.0/24 clients.
I have been able to get the pfsense box working as a gateway for internet access for the 192.168.2.0/24 network and also get the pptp clients to log in and get access to the 192.168.2.0/24 network but I cannot get the 3.0 and 2.0 lans to talk to each other.
Any ideas? Cheers
-
Struggling to see what you are trying to do. Can you make your network diagram slightly clearer?
i.e.
Lan Clients (192.168.2.x) -> ADSL Router -> PFSense -> Internet
|
-> Lan Clients (192.168.3.x)
-
I concur. Need a clearer picture. Not quite sure how your two routers are being configured.
If the pfsense box is connected to both networks, then you simply need to add a push route and add the corresponding allow rules in the Firewall section.
-
WAN - Internet
Outer firewall ADSL - (maps external address to pfsense WAN)
LAN - 192.168.3.0/24 - Couple of pc's outside pfsense lan- (ADSL LAN to pfsense WAN interface)
WAN - 81.22.22.22 (External address assigned from ADSL firewall)
Pfsense
LAN - 192.168.2.0/24 - (clients use 81.22.22.22 to reach internet)
Hope this helps to clear it up a little.
Basically there is an outer firewall which gives me an internet connection. Then an internal pfsense appliance further protecting an inner lan. I would like the 2.0 lan network to be able to talk to the 3.0 lan.
-
You will need to get your ADSL firewall to route traffic for the 192.168.2.x addresses to the 81.22.22.22 as a gateway otherwise there is no route to the 2.0 lan from the 3.0.
You will also need to tell pfSense to route the traffic for 192.168.3.x to the ADSL external address.
You will then need to set up rules on both the ADSL and pfSense to allow the traffic.
If your ADSL or pfSense are using NAT you are probably going to fail.
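
The routing requirement described in the post above, as an added example that is not part of the original thread: a longest-prefix-match model of the two routing tables, before and after the two static routes. The router names, the sample host addresses and the "deliver"/"internet" markers are assumptions, and only routing is modelled, not NAT or the firewall rules on either box.

```python
import ipaddress

def net(cidr):
    return ipaddress.ip_network(cidr)

def next_hop(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    hits = [(n, hop) for n, hop in table if ipaddress.ip_address(dst) in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def trace(routers, first_router, dst, max_hops=8):
    """Follow next hops from first_router; return each (router, decision)."""
    path, current = [], first_router
    for _ in range(max_hops):
        hop = next_hop(routers[current], dst)
        path.append((current, hop))
        if hop not in routers:  # "deliver", "internet" or None ends the walk
            break
        current = hop
    return path

def reachable(routers, first_router, dst):
    return trace(routers, first_router, dst)[-1][1] == "deliver"

def two_way(routers):
    # 3.0 hosts use the ADSL router as gateway, 2.0 hosts use pfSense.
    return (reachable(routers, "adsl", HOST_2)
            and reachable(routers, "pfsense", HOST_3))

HOST_2, HOST_3 = "192.168.2.10", "192.168.3.10"  # constructed sample hosts

# Default state: each box knows only its own LAN plus a default route.
BEFORE = {
    "adsl": [(net("192.168.3.0/24"), "deliver"), (net("0.0.0.0/0"), "internet")],
    "pfsense": [(net("192.168.2.0/24"), "deliver"), (net("0.0.0.0/0"), "adsl")],
}

# Static routes from the post: ADSL sends 2.0 to pfSense, pfSense sends 3.0 to ADSL.
AFTER = {
    "adsl": BEFORE["adsl"] + [(net("192.168.2.0/24"), "pfsense")],
    "pfsense": BEFORE["pfsense"] + [(net("192.168.3.0/24"), "adsl")],
}

if __name__ == "__main__":
    for name, routers in (("before", BEFORE), ("after", AFTER)):
        print(name, "3.0->2.0", trace(routers, "adsl", HOST_2))
        print(name, "2.0->3.0", trace(routers, "pfsense", HOST_3))
        print(name, "two-way:", two_way(routers))
```

In the "before" tables the 3.0 side has no route to 192.168.2.0/24, so that traffic follows the ADSL router's default route out to the internet instead of reaching pfSense.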
-
How is the address being mapped to the pfsense box? If it does so via some sort of virtual channel, does the DSL firewall then allow for routing between the 2 networks?
If the DSL firewall actually supports some form of VLAN on its 'LAN' side interfaces, you might be able to get away with using VLANs. 1 for WAN, 1 for 2.0 subnet as 2nd LAN for the pfsense box.
-
The adsl firewall serves an internet connection for the 3.0 network and the pfsense box serves internet for 2.0 network.
I guess it is nat on both so I may be stumped.
As for vlans I have no clue where to start as I don't have a clue what vlans do.
I have to give this more thought.
I thought it would be as simple as giving the pfsense wan a rule to let the 3.0 network through and a rule for lan of pfsense to let the 2.0 out….. I must be very wrong as having tried it I don't get any communication between the lan ip's... hmm
-
The problem is that the route between the ADSL router and the pfSense box is via the 81…. address which means that you need to tell the ADSL router where the traffic for the 192.168.2.0 is going.
There may be ways of fudging it but you will have to get a reasonable understanding of network routing to be able to understand what you are trying to do and from that how you need to program the ADSL router.
One last thought - I assume the pfSense box only has two interfaces. If it has more, or has the possibility of more, you could put both the lans behind the pfSense box, which would then do the routing and only need a simple "let traffic from one lan to other lan" rule putting in.
-
I was a little spaced out. I reckon the ADSL firewall box has multiple VCs on the DSL and bridges one of them to the pfsense WAN. So your options of actually trying to route using the DSL firewall are pretty much shot.
Is there any chance that you can get 4 usable interfaces on the pfsense box?
If you can, then you need to set up 2 as WANs.
1 Public will NAT to the 2.0 subnet (3rd interface)
The other 'WAN' would actually be connected to the DSL LAN and NAT to the 2nd private subnet (4th interface).
You can then set up firewall rules on pfsense to allow communications as required between the 2 private subnets. In this instance, you would simply DMZ the pfsense 2nd WAN address on the DSL firewall (simplest option if you don't quite understand the networking concepts).