Connecting two SG-1100's for Production and Lab

csfshore

Apologies in advance, I’m sure this has been asked
and answered 1000 times. I don’t know the terminology.
Net - want to connect a SG-1100 to an existing SG-1100
to create a lab environment.

First SG-1100 OPT port (192.168.1.2/24) connected
to Second SG-1100 WAN port (192.168.1.1/24)

Second SG-1100 LAN port assigned 192.168.100.0/24
(I want Lab to use 192.168.100.xxx addresses)

What am I missing to get out to the Internet?

(I can access if I plug directly into OPT.
Connectivity is not an issue)

BossaOps

@csfshore Should just need to set a static route/gateway in the Lab SG-1100 pointing to 192.168.1.2 , that will work initially, you may have some odd problems from double NAT, but you have to start somewhere. Of course, don't forget DNS.

csfshore

@bossaops Thanks for reply.

Do I do that on the SECOND (LAB) SG-1100
or on the "upstream" FIRST SG-1100??

(Make the Second SG-1100 LAB WAN port a gateway
and and set a static route from Second LAB SG-1100
LAN port?)

BossaOps

@csfshore On the second(Lab) one.

csfshore

@bossaops

OK, I have this so dorked, nothing works.
Hoping a picture will help

Have tried every permutation, and now have no gateways in
LAB box, (I delete with abandon) and pulled all my hair out.

What I would like is to treat the connection from OPT
(on PROD) to serve as my WAN connection in LAB.

I would like the LAB LAN port network (192.168.1.100)
to route to the Internet. I'd like to think I am close.... :-)

Thanks for any help

bobbenheim

@csfshore If you change your LAN to 192.168.100.1/24 then you should be good to go, assuming nothing is a typo on the picture.
Other than that you might need to check if you have some boxes ticked in Interfaces > WAN Reserved Networks (scroll to bottom)

csfshore

@bobbenheim Thanks for reply,
Damn - no that's a typo.
It should be 192.168.100.1/24!

However, (I'm pretty sure) that's where I started
with and it didn't work and was suggested that
a static route was needed.

Do I need a gateway on the LAB WAN SG-1100?
I'm a little cross eyed at this point and have deleted
so many gateways and static routes, I don't know
what "default" should look like. Thanks

bobbenheim

Have you unticked Block private networks and loopback addresses in Interfaces > WAN?

csfshore

@bobbenheim
Yes, that is unticked. I am at a point now
where I can ping external addresses numerically
and ping them by name, but I get no web traffic.

Nothing comes up in browser.....

csfshore

@csfshore

Should I be doing something to the firewall??

bobbenheim

@csfshore So you are able to ping IP addresses like 8.8.8.8 from hosts on your lab LAN?

csfshore

@bobbenheim Yes, I am able to ping external ip addresses
numerically, and external sites by name (www.apple.com, etc.)

When I try www.apple.com (any external site) in browser, it just hangs

bobbenheim

@csfshore Only rules needed would be allow all to any on OPT and of course NAT, which should already be present at your LAB SG-1100 by default.
Assuming you are using Windows have you checked something isn't blocked in the Windows firewall?

csfshore

@bobbenheim On a Mac, but firewall is not turned on.

My thinking is that I need a static route, as the ICMP (ping) stuff goes through, but the higher level TCP/UDP doesn't

Does that make sense?

bobbenheim

@csfshore If you can ping external addresses then you have a route outside your network, if you can resolve FQDN (DNS) then you got UDP working. How does your rules on OPT and on your LAB SG-1100 looks like?

csfshore

@bobbenheim Only 1 rule on OPT (upstream SG-1100)
"Default allow OPT to any rule"

Downstream LAB LAN "Anti-Lock out rule" and
"Default allow LAN to any rule"

I DO have a gateway in the downstream LAB SG-1100
which is set to the address of the downstream WAN port

bobbenheim

@csfshore You can try and do a packet capture on OPT and WAN in your LAB and see if anything gets through when your trying to access the WWW.

csfshore

@bobbenheim OK thanks, that might be above my skill level, but I have been working my way through this and learning a lot. Appreciate your help. I know I could just
plug in a switch. :-)

Let me ask this another way, should this work?
Is what I am doing so bizarre and specialized that
I am pushing the boundaries of networking?

Perhaps rather than trying to troubleshoot, how would
this be set up with two out of the boxes SG-1100s?

I have no issue with starting "fresh"

bobbenheim

@csfshore It should be possible and i have done it before, when i have tested some equipment, just not with two PFSense units but that shouldn't make a difference.
Doing double NAT is just another problem to deal with and is easier just to avoid. If you have connectivity on your Production LAN you could reset your LAB unit and connect it to LAN instead of OPT to rule out miss configuration on your Production unit.

csfshore

@bobbenheim OK let me try that. The fact that I can connect directly to OPT and browse, suggests to me
that the issue is within the LAB box.

FWIW I did run packet trace and looked at logs, and
while I am not exactly clear what I am looking at I see nothing out of the ordinary but this:

/interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_DHCP'

In looking through forums, that doesn't seem like a stopper
as it is not pervasive, just a few entries.