Connecting two SG-1100's for Production and Lab
-
@csfshore It should be possible and i have done it before, when i have tested some equipment, just not with two PFSense units but that shouldn't make a difference.
Doing double NAT is just another problem to deal with and is easier just to avoid. If you have connectivity on your Production LAN you could reset your LAB unit and connect it to LAN instead of OPT to rule out miss configuration on your Production unit. -
@bobbenheim OK let me try that. The fact that I can connect directly to OPT and browse, suggests to me
that the issue is within the LAB box.FWIW I did run packet trace and looked at logs, and
while I am not exactly clear what I am looking at I see nothing out of the ordinary but this:/interfaces.php: Gateway, none 'available' for inet, use the first one configured. 'WAN_DHCP'
In looking through forums, that doesn't seem like a stopper
as it is not pervasive, just a few entries. -
@csfshore How are you configuring IP on WAN at LAB, static or DHCP?
-
@bobbenheim Static
-
@csfshore lol. Well while I can't help but think I have missed something very simple, and I appreciate the help, but I am out of ideas.
I dl the .iso and installed on a NUC. Same thing. I can ping
by name and numerically from the downstream LAN.I can browse externally using the upstream WAN cable (no connection to PfSense)
BUT when I am connected to downstream LAN, cannot
browse. Time for a switch! -
@csfshore Can you show a screenshot of your LAB WAN Static IPv4 Configuration
-
@bobbenheim Sure. However, as I biffed the drawing above, thought I would change IPs, just to ensure I'm on the right one.
To level set:
Upstream SG-1100 OPT (192.168.48.1) is connected to
NUC LAB WAN (192.168.48.2 OR DHCP) LAB LAN is 192.168.55.1When I use STATIC (as included) I am unable to ping EXTERNAL from LAB, when I use DHCP I am able to ping numerically and by name.
-
@csfshore As it says in the Static IPv4 Configuration field under IPv4 Upstream gateway you need to provide it with an upstream gateway, just enter 192.168.48.1.
-
@bobbenheim OK. I keep hearing about Static Routes.
Do I need a Static Route? -
@csfshore If you are using a static IP you need to provide a gateway, otherwise the LAB SG-1100 wouldn't know where the exit to the world is. If you add 192.168.48.1 as upstream gateway you should be set.
-
@bobbenheim :-(
No Luck.
Upstream OPT 192.168.48.1/24
Downstream WAN 192.168.48.2/24
iPv4 Upstream gateway (which I was prompted to create as there was none). 192.168.48.1 /24
Can (still) ping by name and numerically, browser just hangs
Plugged directly into OPT works -
@csfshore Have you tried using another DNS, e.g. 8.8.8.8, on your mac? Other than that you could try resetting the SG-1100.
-
@bobbenheim Wish I had a nickel for every time I reset the
SG-1100. :-)Some new info, apparently my sys admin (aka granddaughter) has done the same thing. She has put a Ubiquiti USG downstream on the "prod" LAN link, and it is working for her.
Thought to turn off her setup with downstream USG and try mine with downstream OPT pfSense (NUC at this point) - No Good.
I am at the point where I think there is a definite difference between the LAN and OPT ports on the upstream SG-1100
However, I will try a Ubiquiti USG on OPT.
Appreciate you hanging in here with me.
-
@csfshore Which version of PFSense is on the LAB unit?
Could you try and connect the LAB unit in place of the production one just to rule out the possibility that there might be something wrong with it. -
@bobbenheim That's a good idea, and I thought of that
BUT my ISP is very twitchy wrt mac addresses, and I would have to engage them. SO, the LAB SG-1100 is off to school and I am using the 2.50 community edition on a NUC as the
downstream LAB router.I was hoping for some type of "you have to do x to get the
OPT port to route downstream" or "SG-1100 board level y
needs a firmware update to use the OPT port..." Whatever.Your guidance and my trial and error suggest that this should be possible very easily, so indeed the issue might
lie with the Upstream SG-1100, BUT since it works fine in
"production", (admitedly using only the LAN port) perhaps I replace with a unit that has more than one dedicated LAN port like a SG-2100 or SG-3100...? -
@csfshore I don't know why I get these weird line breaks in my post, it looks fine in the preview window
-
@csfshore There isn't much to it, if you have an extra external IP address from your ISP you can do 1:1 NAT to OPT, otherwise you would just use outbound NAT. Other than that you just need to make allow rules on OPT and that is it, if it works when you connect directly to OPT it doesn't seem likely that is the problem perhaps cabling between the units, does it show any errors at Status > Interfaces?
-
@bobbenheim No errors in Status > Interfaces.
Only when I plug in the downstream router. When plugged in, I can ping by name and numerically. BUT what rules? I have never made any rules. Just plugged in downstream and expected to to work after seeing successful pings. Maybe that's it?? -
@csfshore you would need to do NAT on OPT at your production unit, but i assume that was created automatically since you can ping the outside. The rules are the same allow all that we already went through. Can you show screenshots of your rules on OPT and Firewall > NAT > Outbound on the production unit?
-
