Routing Issue



  • My network:

    WAN<--pfsense(.1)-->LAN1(192.168.1.0/24)<-->(.5)Point-to-Point T1 Router(.254)<-->LAN2(192.168.2.0/24)

    Gateway for LAN1 is the pfsense-box (192.168.1.1)
    Gateway for LAN2 is the router (192.168.2.254)

    What would I need to do on the pfsense firewall to allow LAN1 to communicate with LAN2 and allow LAN2 access to the internet?



  • Create a static route on pfSense for 192.168.2.0/24 pointing to 192.168.1.254.

    Set the default gateway on all clients on LAN2 to 192.168.2.x (IP of your second router).



  • Do I have to do anything for the outbound NAT?



  • Only if you want the subnet behind your second router NATed (which you probably want).
    http://forum.pfsense.org/index.php/topic,7001.0.html



  • @GruensFroeschli:

    Create a static route on pfSense for 192.168.2.0/24 pointing to 192.168.1.254.

    Set the default gateway on all clients on LAN2 to 192.168.2.x (IP of your second router).

    GruensFroeschli,

    Correct me if I am wrong, but wouldn't Smakynet have to create the static route to the 192.168.2.0/24 network pointing to (using) 192.168.1.5?
    I am gathering that the point-to-point T1 circuit device has IPs of 192.168.1.5 and 192.168.2.254 from his description.

    Let us know your thoughts. Thanks!



  • Yes you're right.
    It's kind of hard to read these line-ascii-diagrams :)
    I thought the router2 has 192.168.1.254 as WAN.



  • @GruensFroeschli:

    Only if you want the subnet behind your second router NATed (which you probably want).
    http://forum.pfsense.org/index.php/topic,7001.0.html

    Not even in that case. All locally connected subnets, whether locally attached or configured via static route, automatically have outbound NAT rules created for every WAN interface. This is true in 1.2 RC versions and newer at least, and probably in some 1.2 beta releases prior to RC. I don't recall exactly when it was added, but it's been that way for a while. You only need AON if you require static port or have some complex NAT needs requiring you to disable the aforementioned automatic behavior.

    I updated the linked page to reflect this.
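The two points settled in this thread (the static route for 192.168.2.0/24 must point at the T1 router's LAN1 address, 192.168.1.5, not 192.168.1.254; and pfSense creates outbound NAT for statically routed subnets the same way it does for attached ones) can be checked by modelling the forwarding tables of every box in the diagram. The following is an added example, not code from the thread or from pfSense. It assumes interface names (em0 WAN, em1 LAN), an ISP gateway of 203.0.113.1 with pfSense holding 203.0.113.2, and a host 192.168.1.50 on LAN1 and 192.168.2.10 on LAN2, none of which appear in the original posts. The NAT function only reproduces the rule shape the last reply describes; it is an illustration, not pfSense's own rule generator.

```python
"""Added example: trace forwarding decisions in the thread's topology and
show which subnets get outbound NAT. Interface names, the ISP gateway
203.0.113.1 and the host addresses are assumptions, not from the thread."""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
# One forwarding entry: (prefix, next hop or None when directly attached, interface)
Route = Tuple[IPv4Net, Optional[str], str]


def net(s: str) -> IPv4Net:
    return ipaddress.ip_network(s)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, the way a kernel forwarding table decides."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def build_nodes(pfsense_static_nexthop: Optional[str]) -> Dict[str, dict]:
    """Every device in the diagram with the addresses it owns and its table.
    pfsense_static_nexthop is the gateway of pfSense's static route for
    192.168.2.0/24 (None means no such route is configured)."""
    pf_table: List[Route] = [
        (net("192.168.1.0/24"), None, "em1"),        # LAN1, directly attached
        (net("203.0.113.0/30"), None, "em0"),        # WAN link (assumed addressing)
        (net("0.0.0.0/0"), "203.0.113.1", "em0"),    # default route via the ISP
    ]
    if pfsense_static_nexthop:
        pf_table.append((net("192.168.2.0/24"), pfsense_static_nexthop, "em1"))
    return {
        "pfsense":  {"addrs": {"192.168.1.1", "203.0.113.2"}, "table": pf_table},
        "t1router": {"addrs": {"192.168.1.5", "192.168.2.254"}, "table": [
            (net("192.168.1.0/24"), None, "side-a"),
            (net("192.168.2.0/24"), None, "side-b"),
            (net("0.0.0.0/0"), "192.168.1.1", "side-a")]},   # its default is pfSense
        "lan1host": {"addrs": {"192.168.1.50"}, "table": [
            (net("192.168.1.0/24"), None, "eth0"),
            (net("0.0.0.0/0"), "192.168.1.1", "eth0")]},
        "lan2host": {"addrs": {"192.168.2.10"}, "table": [
            (net("192.168.2.0/24"), None, "eth0"),
            (net("0.0.0.0/0"), "192.168.2.254", "eth0")]},   # as the thread advises
        "isp":      {"addrs": {"203.0.113.1"}, "table": [
            (net("203.0.113.0/30"), None, "uplink"),
            (net("0.0.0.0/0"), None, "internet")]},
    }


def owner(nodes: Dict[str, dict], addr: str) -> Optional[str]:
    return next((n for n, d in nodes.items() if addr in d["addrs"]), None)


def on_link(nodes: Dict[str, dict], name: str, prefix: IPv4Net) -> bool:
    """True if `name` is attached to `prefix` itself (so on-link delivery can succeed)."""
    return any(r[0] == prefix and r[1] is None for r in nodes[name]["table"])


def trace(nodes: Dict[str, dict], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow a packet from `start` toward `dst`, one forwarding decision per hop."""
    path, node = [start], start
    for _ in range(max_hops):
        route = lookup(nodes[node]["table"], dst)
        if route is None:
            return path + ["no route"]
        prefix, nexthop, iface = route
        if nexthop is None:                       # connected prefix: deliver directly
            target = owner(nodes, dst)
            if target and on_link(nodes, target, prefix):
                return path + [target]
            return path + [f"out {iface} toward {dst}"]
        hop = owner(nodes, nexthop)
        if hop is None:                           # nobody answers ARP for that gateway
            return path + [f"dead end: no host at {nexthop}"]
        path.append(hop)
        node = hop
    return path + ["loop"]


def auto_outbound_nat(table: List[Route], wan_iface: str) -> List[str]:
    """pf-style rules in the shape the last reply describes: one per WAN for every
    non-WAN prefix in the table, attached or statically routed (illustration only)."""
    nets = [r[0] for r in table if r[2] != wan_iface and r[0].prefixlen > 0]
    return [f"nat on {wan_iface} from {n} to any -> ({wan_iface})" for n in nets]


if __name__ == "__main__":
    for label, gw in (("no static route", None), ("via .254", "192.168.1.254"), ("via .5", "192.168.1.5")):
        nodes = build_nodes(gw)
        print(f"{label:16} LAN1->LAN2: {' -> '.join(trace(nodes, 'lan1host', '192.168.2.10'))}")
    nodes = build_nodes("192.168.1.5")
    print("reply  LAN2->LAN1:", " -> ".join(trace(nodes, "lan2host", "192.168.1.50")))
    print("LAN2->internet:   ", " -> ".join(trace(nodes, "lan2host", "8.8.8.8")))
    print("\n".join(auto_outbound_nat(nodes["pfsense"]["table"], "em0")))
```

Two things the traces make visible that the thread only implies: without the static route, pfSense sends LAN1-to-LAN2 traffic out the WAN as an ordinary default-route packet, and with the route pointed at 192.168.1.254 it simply has no neighbour to hand the packet to. The model also shows the reply path from LAN2 going T1 router to LAN1 host directly, never touching pfSense, so pfSense's stateful filter sees only one direction of those LAN1-LAN2 flows; the usual pfSense answer is the "Bypass firewall rules for traffic on the same interface" option under System > Advanced, or a static route for 192.168.2.0/24 on the LAN1 hosts themselves.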

