Internet -> pfsense firewall -> pfsense appliance mode help
-
Hi,
I'm really new at this and I could do with a little guidance on how to solve what seems like a routing problem. The setup I have is:
Internet router ----- (WAN) pfSense firewall (OPT1) ----- (WAN) pfSense appliance mode
10.0.0.1 ----- 10.0.0.2                  172.0.0.1 ----- 172.0.0.2
From the firewall I can access the Internet and the appliance.
From the appliance I can access the firewall but not the Internet. I think it is a routing problem because when I "Disable all packet filtering" the problem persists. I'd like the appliance to be able to communicate with the Internet (mainly for getting pfSense updates and packages).
The firewall has the WAN (and default) gateway set to 10.0.0.1; the appliance has the default gateway set to 172.0.0.1. I didn't configure any routes on either pfsense for the 172 network.
The firewall has an upstream gateway set to 10.0.0.1 on the WAN interface; but I didn't set an upstream gateway for the WAN interface on the appliance.
I can ping from the appliance to 172.0.0.1 and to 10.0.0.2; and I can ping from the firewall to 172.0.0.2
Any suggestions on how I can get to the solution to this?
Thanks,
Ty
-
@tyn:
Internet router ----- (WAN) pfSense firewall (OPT1) ----- (WAN) pfSense appliance mode
10.0.0.1 ----- 10.0.0.2                  172.0.0.1 ----- 172.0.0.2
What is "pfSense appliance mode"? Is that another pfSense behind the "pfSense firewall"?
You didn't think double NAT sucked enough so you wanted to try and make it worse… ;)
…the appliance has the default gateway set to 172.0.0.1...
…but I didn't set an upstream gateway for the WAN interface on the appliance...
Those two statements conflict with each other, or at least some vital information is missing from your post, I think.
-
Thanks for the response P3R.
In the pfSense wiki https://doc.pfsense.org/index.php/Installing_pfSense#LAN.2C_WAN.2C_OPTx it uses the term pfSense appliance mode:
NOTE: If only one NIC is assigned (WAN), this is called Appliance Mode. In this mode, pfSense will move the GUI anti-lockout rule to the WAN interface so the firewall may be accessed from there. The usual routing functions would not be active since there is no "internal" interface. This type of configuration is useful for VPN appliances, DNS servers, etc.
So I thought I should use the same terminology so people would understand what I am talking about.
Pfsense is so easy to use that I will use the appliance for some other (other than firewall) functions that I am not comfortable co-hosting on my boundary firewall.
With respect to the upstream gateway configuration: I am a bit surprised as well. I had assumed that the default gateway and the WAN upstream gateway were synonymous but in my System->Routing->Gateways screen it has the GW_WAN(default) entry for the WAN interface, and in the Interfaces->WAN screen the IPv4 Upstream Gateway is set to None. The description says:
If this interface is an Internet connection, select an existing Gateway from the list or add a new one using the link above.
On local LANs the upstream gateway should be "none".
Since it isn't connected to the Internet directly I assume it shouldn't be set; just like a LAN doesn't have it set.
When I set the upstream gateway to 172.0.0.1 nothing changes; also no new entries appear in the System->Routing->Gateways screen.
Does anyone know of a way I can diagnose the problem better?
-
@tyn:
So I thought I should use the same terminology so people would understand what I am talking about.
Probably wise. Hopefully one of the more experienced guys can help you with the unusual configuration that I had never even heard of. :)
Since it isn't connected to the Internet directly I assume it shouldn't be set; just like a LAN doesn't have it set.
If I understand the linked description of the appliance mode correctly, that only interface is considered the WAN (not LAN) interface, and even disregarding that, since you want it to be able to communicate further than the attached network, my conclusion would be that you should have an upstream gateway (172.0.0.1) set.
Have you disabled the bogon and private network rules on the WAN interface (if they are enabled in that mode?), as otherwise that would be a deal breaker for you I assume?
I'm thinking that since pfSense is multi-WAN capable, probably upstream gateway or simply gateway is more appropriate terminology than default gateway. At least I'm aware of no other difference.
-
I got the communication working. It turns out that the pfsense configuration is fine. The problem was my Internet router. I added a static route on it to tell it that the gateway for the 172 network is the 10.0.0.2 WAN interface of pfsense.
I'm not sure I understand why the packets couldn't find their way back to the 172 network since the communications are always initiated from the 172 network. I assume it is something to do with the NAT that the Internet router does.
-
I'm not sure I understand why the packets couldn't find their way back to the 172 network since the communications are always initiated from the 172 network. I assume it is something to do with the NAT that the Internet router does.
I guess your pfSense firewall was not applying NAT to the traffic from 172 as it exited to 10.0.0.1 - and so the router at 10.0.0.1 saw the source IP as 172.0.0.2 but when trying to reply it had no route to there. Most routers (and even stateful firewall/routers) do not remember specifically where incoming state/flows came from in order to reply - they just use their own routing table to reply.
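A small model of the return-path problem described in the reply above, added here as an illustration and not taken from the thread or from pfSense itself. It uses the thread's addresses, a placeholder Internet host, and a constructed routing table for the Internet router, and shows why the reply is lost without either outbound NAT on the firewall or the static route the original poster added.

```python
import ipaddress

# Constructed model of the thread's topology. Addresses are the ones from the
# thread; the Internet router's routing table is an assumption for illustration.
FIREWALL_WAN = "10.0.0.2"   # pfSense firewall, WAN side, on the router's LAN
APPLIANCE = "172.0.0.2"     # pfSense in appliance mode, behind the firewall's OPT1

# Routing tables as (destination network, next hop). "direct" means the
# destination is on the router's own LAN, "isp" means the default route upstream.
ROUTER_BASE = [("10.0.0.0/24", "direct"), ("0.0.0.0/0", "isp")]
# The fix the original poster applied: a static route for the 172 network
# pointing at the firewall's WAN address.
ROUTER_WITH_STATIC = ROUTER_BASE + [("172.0.0.0/24", FIREWALL_WAN)]


def lookup(routes, dst):
    """Longest-prefix match; returns the next hop, or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for net, hop in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best_net is None or network.prefixlen > best_net.prefixlen):
            best_net, best_hop = network, hop
    return best_hop


def reply_reaches_appliance(router_routes, firewall_nats_outbound):
    """Model the return path of a flow the appliance starts towards the Internet.

    With outbound NAT on the firewall's WAN the router sees 10.0.0.2 as the source
    and replies to a directly connected host. Without NAT it sees 172.0.0.2 and
    needs a route back to the firewall; a plain default route sends the reply
    towards the ISP instead and the flow is lost, which is what the thread saw.
    """
    reply_dst = FIREWALL_WAN if firewall_nats_outbound else APPLIANCE
    hop = lookup(router_routes, reply_dst)
    return hop in ("direct", FIREWALL_WAN)


if __name__ == "__main__":
    for name, routes in (("no static route", ROUTER_BASE), ("static route", ROUTER_WITH_STATIC)):
        for nat in (False, True):
            print(f"{name:16} outbound NAT={nat!s:5} "
                  f"reply reaches appliance: {reply_reaches_appliance(routes, nat)}")
```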