SOLVED - Joining 2 separate networks with 2 pfSense boxes

Paint

@elliotcater:

Hi, I'm just about to attempt to join 2 self contained networks, already using pfSense as routers using the OPT1 interfaces on each respective router.  Could someone just take a glance at this and tell me if the PC's on the 2 LANs will be able to ping each other?

Many thanks!

---

Just checked and this works…

Yes, this setup will work if you allow subnet 10.0.2.2/24 to talk to subnet 10.0.2.1/24 via firewall rules.

dalygrey

I just set up this example in a lab and have been unsuccessful in pinging from lan to lan.  Although my testing has  been trying to ping the lan interface ip on the other side.  Tomorrow I'll get some more computers and hook those up.

johnpoz

if you can not ping the lan inerface on the other one then pinging pc sure and the hell not going to work.

ivers

Just for the record as this is a good match from search engines - after adding static routes between the pfsense boxes, to so System -> Advanced, up top select Firewall & NAT and check the box Static route filtering - Bypass firewall rules for traffic on the same interface.

johnpoz

Huh?  No that is NOT a good match for search engines… Are you the OP and forgot your login so created another account?

You would not set that sort of setting unless you were hairpin in out an interface and running  - BORKED setup out of the gate, etc. You would never need to do such a setting create a transit network between to pfsense boxes.

elliotcater

Image host died so redrawn from memory, hope it's right!

You have to add the static routes on both boxes.

johnpoz

Exactly… Zero to do with ivers statement that you would have to bypass firewall rules on the same interface..  Thanks for the update to your drawing... That is good addition to the thread for any that might find this..

elliotcater

Yeah, I wasn't quite sure what Ivers is on about with the bypass rules etc…

I understand that Ivers might think the title of the thread (which I assume is indexed) could be good SEO as it is fairly succinct (if I do say so myself! ;)).

So is the transit network (the 10.0.2.0/24 subnet) with static routes on either box the correct what to go?

I did have it set up and working ok but my topology is now different so can't test.

It would be cool, in the event of a downed default gateway; to be able to use the default gateway on router a, from router b's lan (10.0.1.0/24). And vice versa, use the default gateway on router b from router a's lan (10.0.0.0/24).

I did try this but never quite managed it.

itsystemsllc

@elliotcater I know this is quite old but I want to do the exact same thing. My issue is that I'm not getting the route right. The post is missing the configuration you used for successful routing between the devices! Can you update with that info by any chance?

keyser

@itsystemsllc On router A:

• Create a Gateway Called “Router B” with address 10.0.2.2
• Create a static route for 10.0.1.0/24 using “Router B” as gateway

On Router B:

• Create a Gateway Called “Router A” with address 10.0.2.1
• Create a static route for 10.0.0.0/24 using “Router A” as gateway

EDITED for the Typo pointed out by itsystemslic :-)

keyser

@itsystemsllc And remember - you need firewall rules on LAN interfaces (router A/B) for clients to reach out for the remote network - AND:
You also need firewall rules on OPT1 (Router A/B), to allow clients from remote networks to reach the local LAN network.

itsystemsllc

@keyser Excellent! Thank you for that routing info, works now. I changed a line though, as I think you have a typo...

On Router B:
Create a Gateway Called “Router A” with address 10.0.2.1
Create a static route for 10.0.0.0/24 using “Router B” as gateway
Create a static route for 10.0.0.0/24 using "Router A" as gateway