Multi-LAN
-
You have the right idea. Make sure that the LAB client systems have their gateway and DNS pointing to the pfSense LAB (LAN2) IP address. If they are getting DHCP from pfSense, that should already be like that.
Start by pinging pfSense LAB IP address from a LAB client. Make sure that works (it should with the firewall rule allowing all).
In NAT->Outbound make sure you have Automatic Outbound NAT selected - then pfSense will automatically generate NAT rules from LANnet to WAN and from LABnet to WAN.
LABnet must not have a gateway set - the only interfaces with a gateway set should be WAN(s).
-
Dear Philip,
All the clients behind the LAB NIC received their IP from the pfSense DHCP, configured to add the DNS and gateway (IP of the LAB NIC); this is correctly configured.
From a LAB machine I can ping pfSense and I can log into it using the LAB IP address; Outbound NAT is automatically selected.
I've created two rules, one to allow any from any to the LAB, and a second one to allow ICMP just from the LAB,
but my clients behind LAB can still not reach the internet!
P.S. my pfSense LAB NIC has no physical NIC connected to it.
Don't I have to create some special rules between WAN and LAN? Or the other way around? Thank you
-
You only need pass rules on LAB interface. It is the rules on the interface where the traffic starts that are used. For example, a default install will have a pass all rule on LAN and everything blocked on WAN. The internet works for LAN because LAN clients are the ones that initiate connection out to the internet. Nobody can initiate a connection into the system from the internet, because everything is blocked on WAN.
Since you have connection from LAB to pfSense, and you have a pass all rule on LAB, it should just work. This is normally a 2 minute job to configure on pfSense.
Post your LAB rules and outbound NAT setting screen and anything else you think you might have set that is relevant.
-
Dear Phil,
Attached are screenshots of LAB/NAT outbound. Thank you so much.
![outband rules.jpg](/public/imported_attachments/1/outband rules.jpg)
-
The first rule with destination WAN Address is the problem. That is only allowing traffic with a destination of your particular public IP on WAN, which is not so interesting for LAB clients to browse ;) They probably also want to get to destinations like google.com pfsense.org and so on. Change that rule to destination any (*) and LAB net will get full access.
(Of course you can design a set of restricted pass rules to only allow access to certain public IPs, certain ports… but that is a whole lot more complex than allowing destination any.)
-
Dear Phil,
Thank you for your help. I've edited the rule, however it still does not allow me to go to the internet.
Any more suggestions please?
Also I've noticed today that when I am connected with the VPN, I can't reach the machines behind the WAN.
I've created a rule from the OpenVPN to the WAN to allow any, but still can't reach the WAN or ping them.
I believe for ping I need to allow ICMP from OpenVPN toward WAN, but the ping is not really important; what is important is to reach the machines behind!
-
It is time to post a network diagram - I think we are misunderstanding something.
Does WAN go directly to the real internet? or is it attached to some other "real" LAN that then gets to the internet?
Does traffic from pfSense LAN devices get out through pfSense WAN OK?
Can you ping to the internet (like 8.8.8.8) from pfSense itself?
"also I've noticed today is when I am connected with the VPN, I can't reach the machines behind the WAN."
I don't quite understand what you mean by "behind the WAN"? Do you mean machines in LAN and LAB?
Post more detail of your OpenVPN server config - what is in "Local Network/s" and your OpenVPN rules…
-
Dear Phil,
Internet >>>> ISP Gateway >>>>> pfSense with 3 NICs
pfSense >>>>> NIC1 192.168.2.X
pfSense >>>>> NIC2 (LAN) 192.168.4.X
pfSense >>>>> NIC3 (LAB) 192.168.5.X
So when the VMs are configured to use the LAB NIC as gateway they can't browse the internet, don't know yet why!
When the VMs are configured to use the LAN NIC as gateway the internet works fine, no issues!
I have configured the Tunnel Subnet to use 192.168.200.0/24, so when my VPN client is connected with VPN it receives 192.168.200.x as IP; after that it can reach all the VMware machines behind NIC2/NIC3 of pfSense, but not the machines behind NIC1, like my ISP gateway.
Waiting for your answer.
Thank you so much
-
For reaching devices on the private part of the WAN (192.168.2.x), you will need to include that in Local Network/s on the OpenVPN server settings, so the OpenVPN client receives a route to it.
Your LAB settings should work! Automatic Outbound NAT should NAT anything from LAN, LAB and OpenVPN tunnel when going out WAN. Look in /tmp/rules.debug for <tonatsubnets> - there should be a list including LAN, LAB and OpenVPN tunnel.
I can't think what to change next, so post screenshots of your rules now, and an "ifconfig" or "ipconfig /all" of a LAB client.
-
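The two checks raised in this thread, a LAB pass rule whose destination is "WAN address" instead of any, and the LAB subnet being missing from the automatic outbound NAT table <tonatsubnets> in /tmp/rules.debug, can be scripted. The POSIX shell below is an added example, not code from the thread or from pfSense. It assumes the interface macro in rules.debug is $LAB, the LAB subnet is 192.168.5.0/24 and the WAN address is 203.0.113.5; the two rules.debug excerpts are constructed in the style of pfSense's generated file, so exact field spacing and macro names on a real firewall may differ.

```shell
#!/bin/sh
# Added example: sanity-check a pfSense /tmp/rules.debug for the two problems
# discussed in the thread. On the firewall (assumed macro $LAB, subnet 192.168.5.0/24):
#   . ./check_rules.sh; diagnose LAB 192.168.5.0/24 < /tmp/rules.debug

# Constructed sample: LAB is in the automatic NAT table, but the only LAB pass
# rule for TCP/UDP is limited to destination "WAN address" (203.0.113.5, assumed).
sample_bad() {
cat <<'EOF'
table <tonatsubnets> { 192.168.4.0/24 192.168.5.0/24 192.168.200.0/24 }
nat on $WAN inet from <tonatsubnets> to any port 500 -> 203.0.113.5/32 static-port
nat on $WAN inet from <tonatsubnets> to any -> 203.0.113.5/32 port 1024:65535
pass  in  quick  on $LAN  inet from 192.168.4.0/24 to any flags S/SA keep state label "USER_RULE"
pass  in  quick  on $LAB  inet from 192.168.5.0/24 to 203.0.113.5 flags S/SA keep state label "USER_RULE"
pass  in  quick  on $LAB  inet proto icmp from 192.168.5.0/24 to any keep state label "USER_RULE"
EOF
}

# Constructed sample: same NAT table, LAB rule corrected to destination any.
sample_ok() {
cat <<'EOF'
table <tonatsubnets> { 192.168.4.0/24 192.168.5.0/24 192.168.200.0/24 }
nat on $WAN inet from <tonatsubnets> to any port 500 -> 203.0.113.5/32 static-port
nat on $WAN inet from <tonatsubnets> to any -> 203.0.113.5/32 port 1024:65535
pass  in  quick  on $LAN  inet from 192.168.4.0/24 to any flags S/SA keep state label "USER_RULE"
pass  in  quick  on $LAB  inet from 192.168.5.0/24 to any flags S/SA keep state label "USER_RULE"
pass  in  quick  on $LAB  inet proto icmp from 192.168.5.0/24 to any keep state label "USER_RULE"
EOF
}

# Print the subnets listed in the <tonatsubnets> table, one per line (stdin: rules.debug).
nat_subnets() {
    sed -n 's/^table <tonatsubnets> *{ *\(.*[^ ]\) *}.*$/\1/p' | tr ' ' '\n' | grep -v '^$' || true
}

# Exit 0 if subnet $1 is covered by automatic outbound NAT (stdin: rules.debug).
nat_covers() {
    nat_subnets | grep -qxF "$1"
}

# Count non-ICMP pass rules entering interface $1 whose destination is "any"
# (stdin: rules.debug). Zero means clients on that interface have no rule that
# lets TCP/UDP out to arbitrary internet hosts, e.g. only "to WAN address".
pass_to_any_count() {
    grep -E '^pass +in +quick +on +\$'"$1"' ' | grep -v 'proto icmp' | grep -Ec ' to any ' || true
}

# One-line verdict for interface $1 with subnet $2 (stdin: rules.debug):
# "OK", "NO_NAT: ..." or "NO_PASS_TO_ANY: ...".
diagnose() {
    rules=$(cat)
    if ! printf '%s\n' "$rules" | nat_covers "$2"; then
        echo "NO_NAT: $2 is not in <tonatsubnets>; check NAT->Outbound is set to Automatic"
    elif [ "$(printf '%s\n' "$rules" | pass_to_any_count "$1")" -eq 0 ]; then
        echo "NO_PASS_TO_ANY: no non-ICMP pass rule on $1 with destination any"
    else
        echo "OK"
    fi
}

# Run the two constructed samples through the check.
printf 'bad sample: %s\n' "$(sample_bad | diagnose LAB 192.168.5.0/24)"
printf 'ok  sample: %s\n' "$(sample_ok | diagnose LAB 192.168.5.0/24)"
```

Run as-is to see the verdict on both samples; source it on the firewall and feed the real file to `diagnose` to check a live configuration. The NAT check only proves the subnet is in the table, so a failing client with both checks passing points at something else (DNS on the client, the upstream gateway, or a gateway wrongly set on LAB, as Phil notes).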
Dear Phil,
Do you mean create rules on both sides (LAB+LAN) to allow to the WAN subnet?
-
Sorry, I was off-line for a while - had a major fibre cut here, and ISPs don't have working failover!
I think your LAN and LAB firewall rules already have rules that allow general internet access, and that will include to the WAN-side private IP address subnet. You would also need a rule/s on the OpenVPN tab to permit traffic to the WAN-side network. But I think those are already there?
The main thing I suspect is the the OpenVPN server "Local Network/s" box needs to have the full list of LAN, LAB and WAN-side private subnets specified so that routes are given to the OpenVPN client.
Post some OpenVPN settings and rules, and the definition of <tonatsubnets> from /tmp/rules.debug
-
Dear Phil,
Thank you so much for your help once again.
Attached are screenshots from a LAB client and the VPN rules.
Please note: LAB-LAN isn't attached to a physical NIC, as shown on the screenshots.
Waiting for your answer
-
The first rule is allowing everything on that side to everything, no need for the second rule.
-
Do you mean removing the second rule would allow the connection to the WAN over the VPN?
-
I mean that the second rule is redundant, since the first rule is already allowing anything anywhere on that interface.
-
I was thinking the same; however the client can still not reach the WAN from the VPN, and also not the internet.
Any more suggestions please?