Routing between two directly connected pfSense servers
Hello, I decided to join after beating my head against a wall for a bit today and thought this would be a good intro to the forum.
I've got a situation where I've got two pfSense boxes with 3 interfaces each. Each one has its own internet connection and its own LAN subnet. I added the 3rd interface to each with the hope that I could use that to 'link' the two boxes together and allow for some static routing between the two.
For the sake of this we'll do this.
My ultimate goal would be to allow workstations from 10.1.1.1/24 access on a specific port to a server on 192.168.1.1/24 (how bout 192.168.1.50).
To test all of this before implementing I configured two brand new installs of 2.3-release with 3 interfaces on both, configured like above.
I directly connected the two OPT1 interfaces and made firewall rules to allow traffic from anywhere to anywhere (at this point).
I also created a new gateway on each on the OPT1 interface and specified the IP address of the other box's OPT1 interface IP.
From pfSense I can ping the OPT1 interface of the other box, but I can't ping the LAN interface of the other box. I even adjusted firewall rules and tried making an outbound NAT rule. At this point I think I've changed so many things trying to get a positive result on that test that I may just reinstall and start from scratch.
What I came here to ask was this: Can anyone point to a walkthrough, or some common steps, for this idea of directly connecting two pfSense boxes and allowing the LANs from each side to talk to each other? I can create more restrictive firewall rules later.
Read and commented in this thread too, basically about the same topic:
I went back to square one and started over. Still ended up with the same results. Then I restarted both instances of pfsense and upon restart I could ping the LAN subnet on the other side.
I do this every time. Beat my head against a wall and then find that rebooting solves a lot of things.
Would be a lot easier using a single pfSense server with 4 interfaces. Then you can simply configure Dual-WAN and Dual-LAN with routing & firewall rules as required.
Additionally both LAN segments could use the WANs for load balancing or failover.
Did you add a static route to the LAN on the other pfSense?
Don't add the gateway in the interface page. Having a gateway present there makes it assume that it's a WAN and do NAT. Just add the gateways and static routes in System > Routing. You should be able to do internet failover between the two pfSense devices as well, simply by setting up a gateway group on each with its primary WAN as the Tier 1 and the address of the other pfSense as the Tier 2.
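As an added example (not from the thread or from pfSense itself), a small Python model of the two-router setup that shows the point made in the last two replies: without a static route to the far LAN on a box, its traffic for that LAN falls through to the default route and leaves via the WAN, and a static route on only one box still fails because the replies leak out the other box's WAN. The LAN subnets and 192.168.1.50 are the OP's; the 172.16.0.0/30 transit link between the OPT1 interfaces and the WAN next hops are constructed assumptions.

```python
import ipaddress

# Constructed topology: LANs and 192.168.1.50 come from the thread; the /30
# transit link on OPT1 and the WAN next hops are assumed for this example.
LAN_A, LAN_B = "10.1.1.1/24", "192.168.1.1/24"
LINK_A, LINK_B = "172.16.0.1", "172.16.0.2"
WAN_GW_A, WAN_GW_B = "203.0.113.1", "198.51.100.1"

def router(name, lan, link, wan_gw, static=()):
    """Routing table as (network, next_hop, iface): connected LAN and OPT1
    routes, any static routes (System > Routing), and the default via WAN."""
    table = [(ipaddress.ip_network(lan, strict=False), None, "LAN"),
             (ipaddress.ip_network(link + "/30", strict=False), None, "OPT1"),
             (ipaddress.ip_network("0.0.0.0/0"), wan_gw, "WAN")]
    table += [(ipaddress.ip_network(net), gw, "OPT1") for net, gw in static]
    return {"name": name, "link": link, "table": table}

def lookup(rt, dst):
    """Longest-prefix match; next_hop is None for a directly connected net."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in rt["table"] if dst in r[0]),
               key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def trace(routers, src, dst, max_hops=4):
    """Forward hop by hop starting at the router that owns src's LAN.
    Returns ('delivered', hops), ('wan', hops) when the packet hits the
    default route (the OP's missing static route), or ('lost', hops)."""
    cur = next(r for r in routers if ipaddress.ip_address(src) in r["table"][0][0])
    hops = []
    for _ in range(max_hops):
        nh, iface = lookup(cur, dst)
        hops.append((cur["name"], iface))
        if nh is None:                      # directly connected: delivered
            return "delivered", hops
        if iface == "WAN":                  # fell through to default route
            return "wan", hops
        cur = next((r for r in routers if r["link"] == nh), None)
        if cur is None:                     # next hop is not a peer we know
            return "lost", hops
    return "lost", hops

def reachable(routers, src, dst):
    """Both directions must ride the OPT1 link, or the reply never comes back."""
    return (trace(routers, src, dst)[0] == "delivered"
            and trace(routers, dst, src)[0] == "delivered")

def build(static_on_a=False, static_on_b=False):
    """Two pfSense boxes joined on OPT1, with optional static routes."""
    a = router("pfSense-A", LAN_A, LINK_A, WAN_GW_A,
               [("192.168.1.0/24", LINK_B)] if static_on_a else [])
    b = router("pfSense-B", LAN_B, LINK_B, WAN_GW_B,
               [("10.1.1.0/24", LINK_A)] if static_on_b else [])
    return [a, b]
```

`reachable(build(True, True), "10.1.1.20", "192.168.1.50")` is the only configuration that returns True; with a static route on one box only, the forward trace is delivered but the return trace ends in `'wan'`.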