Routing thru 2 pfsenses

Dono96

Hi there,
I'm new in the world of virtualisation. I have installed in XCP-NG platform 2x pfsense and 1x client with windows. I give internet connection from my physical router to first pf , then I want to redirect the traffic into second pf , then to windows10 client. In XCP, I made 4 virtual NICs, 1 for pf1 wan, 1 for pf1 lan (which works) ,1 for pf2 wan and 1 for pf2lan (which doesn't work). This is a part of my bigger project.
The configuration is:
pfsense1 - wan 192.168.xx.xx
lan 172.20.0.xx

pfsense2 - wan 172.20.1.1
lan 172.21.1.xx

windows client should have ip from pf2 via DHCP.

I made a NAT rule in pf1 where i redirect traffic from wan pf1 via protocol 80 to 172.20.1.1 but it doesn't work. When i ping pf1 from pf2 console i get no route to host.
What I am doing wrong?

viragomann

@dono96
Seems you're missing the upstream gateway.
You have to add the pf1 LAN IP as gateway on pf2 in the WAN interface settings. Did you do that?

Dono96

@viragomann I set wan on pf2 on DHCP and I got 172.20.0.xx and LAN on static IP. I can ping pf1 from pf2 console, but that's it. I can't access GUI on pf2 in browser.

viragomann

@dono96 said in Routing thru 2 pfsenses:

I can't access GUI on pf2 in browser.

From where? A device connected to its LAN should have access to it. Otherwise check the network setting of the device and the router.

Dono96

@viragomann Ok so I managed to redirect internet thru pf2 to windows10 client and access GUI of pf2 thru client, everything via DHCP (wan of pf2 is on pf1 lan)
My question is: Can I make this connection having pf2 wan not in pf1 lan? (using vlan,nat).

viragomann

@dono96
Yes, that's even the better way to separate the devices. Doing so, you're able to route between other devices on pf1 LAN and pf2 LAN.

So add a VLAN on both pf1 LAN and pf1 WAN ports, assign interfaces and configure them accordingly.
So you get a transit network between the two firewalls.

Then you can add a static route on pf1 for pf2 LAN and point it to pf2 WAN address.

johnpoz

What is the ultimate goal here with 2 pfsense?

Firewalling network segments from each other do not require 2 firewalls.

Other than a learning experience I am not sure what your overall goal is?

But @viragomann is correct any time you connect 2 or more routers the connections between the routers should be a transit network (no hosts on this network).

Dono96

@johnpoz I'm planning to add more clients and pfsenses and split the traffic into areas like DMZs. After, I'm looking into improving the performance of some traffic type ( ftp for example) using packages like snort or suricata with custom rules. What do you think about this?

johnpoz

@dono96 said in Routing thru 2 pfsenses:

add more clients and pfsenses

Why do you think you need more pfsenses? There is no point to adding firewalls for the sake of firewalls.. You could have hundreds of vlans firewalled from each other with 1 pfsense.

FTP is dead - only thing you should be looking to do with that protocol is not use it ;)