Multi Lan – Dual pfSense routing
-
Hello pfSense Gurus,
I am stuck in a simple yet complex situation (at least I feel like it)
I have two different LAN subnets, one with the 172.16.7/24 net, the other with the 172.16.8/24 net. Now I am trying to route traffic from one network to the other in the simplest way; any suggestions?
-Mr.Mastii
-
Are your two pfSense boxes using NAT between the 192.168.1.0/24 and 172.16.[7-8].0/24 networks? If so, you can't, not without a VPN tunnel anyway.
If NAT is disabled and they're routing then all you should need to do is add a static route to each which says to use the public IP of the opposite box as the gateway for their private network.
-
Hi Jason,
Thank you for quick reply.
After reading your comment I realized that my previous diagram had missing information, i.e. LAN3 of 10.10.10/24 connected to both pfSense boxes via a switch. Attached is the updated version of the diagram.
-MM
-
LAN3 should be just an ordinary LAN - no gateway set on the Interfaces->LAN3 page on either pfSense.
pfSense 1
System->Routing, add a gateway 10.10.10.7
Add a static route to 172.16.7.0/24 through the 10.10.10.7 gateway
pfSense 2
System->Routing, add a gateway 10.10.10.8
Add a static route to 172.16.8.0/24 through the 10.10.10.8 gateway
Add rules as needed on LAN1 and LAN2 to permit traffic.
-
I am not sure what I am doing wrong… I followed your instructions, but still it's not working. I can't ping from one subnet to another.
Please see the attached screen snaps.
-Mm
-
Added routing table for reference.
-Mm
-
Ok, did you add any firewall rules on either side to allow the traffic through?
-
Yes Sir, I did.
Attached are rule screen snaps.
-MM
-
The rules are for traffic arriving on an interface. You can delete rules on each LAN that have "source LAN3" because LAN3 source IPs will never arrive on either LAN. Also delete rules on each LAN3 that have "source LAN" because traffic from the LAN that is local to each pfSense will never arrive on LAN3.
You need a rule on LAN3 that allows traffic with source "the LAN subnet of the opposite pfSense". It is probably easiest to make an Alias on pfSense1 for the pfSense2 LAN subnet - "RemoteLAN" - and then add a rule on pfSense1 LAN3 to pass source "OtherLAN".
Then do the same pattern of thing on pfSense2 to allow traffic from pfSense1 LAN.
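Added example (not from this thread and not pfSense's own code): a small Python model of the two-box setup in the replies above, which forwards one packet box by box and checks pass rules on the interface the packet arrives on, exactly the point made in the last reply. It assumes, from the static routes given, that pfSense2 is 10.10.10.7 with 172.16.7.0/24 and pfSense1 is 10.10.10.8 with 172.16.8.0/24; the .1 interface addresses and .20 hosts are constructed.

```python
import ipaddress as ip

# Constructed topology from the thread: pfSense2 owns 172.16.7.0/24 and is
# 10.10.10.7 on LAN3; pfSense1 owns 172.16.8.0/24 and is 10.10.10.8 on LAN3.
BOXES = {"pfSense1": {"LAN": "172.16.8.1/24", "LAN3": "10.10.10.8/24"},
         "pfSense2": {"LAN": "172.16.7.1/24", "LAN3": "10.10.10.7/24"}}
# Static routes from the reply: the opposite LAN via the opposite box's LAN3 IP.
ROUTES = {"pfSense1": [("172.16.7.0/24", "10.10.10.7")],
          "pfSense2": [("172.16.8.0/24", "10.10.10.8")]}
# Pass rules (box, ingress iface, source net), default deny; WRONG = "source LAN3" on LAN.
WRONG = [("pfSense2", "LAN", "172.16.7.0/24"), ("pfSense1", "LAN", "10.10.10.0/24")]
RIGHT = [("pfSense2", "LAN", "172.16.7.0/24"), ("pfSense1", "LAN3", "172.16.7.0/24"),
         ("pfSense1", "LAN", "172.16.8.0/24"), ("pfSense2", "LAN3", "172.16.8.0/24")]

def locate(addr, exact=False, box=None):
    """(box, iface) holding addr as its own IP (exact) or inside its subnet."""
    addr = ip.ip_address(addr)
    for b, ifaces in BOXES.items():
        for name, cidr in ifaces.items():
            i = ip.ip_interface(cidr)
            if box in (None, b) and ((addr == i.ip) if exact else (addr in i.network)):
                return b, name
    raise ValueError(f"{addr} is not on any interface")

def lookup(box, dst):
    """Longest-prefix match: returns (egress iface, next hop); ValueError if unroutable."""
    dst = ip.ip_address(dst)
    cands = [(ip.ip_interface(c).network.prefixlen, n, dst)            # connected
             for n, c in BOXES[box].items() if dst in ip.ip_interface(c).network]
    cands += [(ip.ip_network(n).prefixlen, locate(gw, box=box)[1], ip.ip_address(gw))
              for n, gw in ROUTES[box] if dst in ip.ip_network(n)]     # static
    return max(cands, key=lambda c: c[0])[1:]

def permitted(rules, box, iface, src):
    """pfSense filters on the ingress interface; this is a stateless one-way check."""
    return any(b == box and i == iface and ip.ip_address(src) in ip.ip_network(n)
               for b, i, n in rules)

def trace(src, dst, rules):
    """Forward one packet box by box. Returns ([(box, ingress iface), ...], verdict)."""
    box, ingress = locate(src)                 # LAN the sending host sits on
    hops = []
    while True:
        hops.append((box, ingress))
        if not permitted(rules, box, ingress, src):
            return hops, "dropped"
        egress, nh = lookup(box, dst)
        if nh == ip.ip_address(dst):
            return hops, "delivered"           # directly connected, hand to host
        box, ingress = locate(nh, exact=True)  # next box takes it on that port
```

With WRONG the packet from 172.16.7.20 is dropped on arrival at pfSense1 LAN3; with RIGHT the same path delivers, and the reverse direction works through pfSense2 LAN3.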