Stuck setting up my lab environment with VM PFSENSE



  • Hello all, welcome to my conundrum. Hoping someone can help.

    The problem
    Client machines can ping the host and the internet just fine, but the host cannot ping the client machines.
    I need to be able to communicate from the internet into the client machines. Seems weird that I can ping out from them, but not into them.
    The clients can ping each other fine.

    My Setup
    Physical Virgin router connected to the internet - 192.168.0.1
    Host PC - 192.168.0.5
    pfsrouter (hosted on host PC as a VM) - WAN 192.168.0.2, gw 192.168.0.1 (bridged) - LAN 1 192.168.1.1 - LAN 2 192.168.2.1
    Client machine 1 (hosted on host PC as a VM) - 192.168.1.100, gw 192.168.1.1
    Client machine 2 (hosted on host PC as a VM) - 192.168.2.100, gw 192.168.2.1

    Windows firewalls turned off
    Double-checked all IP settings, which are correct
    From the host PC, I can ping all pfSense gateways

    Have I configured this correctly?



  • I need to be able to communicate from the internet into the client machine. Seems weird that I can ping out from them, but not into them.

    It's not weird; it's normal and expected. What good is a firewall if Joe Random can just beam into your network from the Internet?

    If you want to make services on your LAN accessible from WAN, then you need to create what's called a port-forward:

    https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

    https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting



  • Hi 123yahyaa,

    Have a look at NAT and how it works; it's the main reason why it doesn't work.

    If you want to be able to access the whole network in both directions, you should turn it off and add specific gateways on your router (to be able to find your local networks by asking your pfSense).

    But, as said by KOM, if you are just looking to access one thing (e.g. a web page on a client), you can create a port forward on your pfSense to say "if someone knocks on my door on port 80, I'll forward the request to client 1 on port 80".

    Good luck :)

    Laurenzzo



  • @laurenzzo:

    If you want to be able to access the whole network in both directions, you should turn it off and add specific gateways on your router (to be able to find your local networks by asking your pfSense).

    Thanks for your replies.

    Currently the firewall is set to allow all IPv4 traffic. I think I may need to buy a new router to set up static routes then.

    Unfortunately port forwarding won't work for me as it's a secondary subnet of a domain that's sitting behind the pfSense.


  • LAYER 8 Global Moderator

    "Unfortunately port forwarding won't work for me as it's a secondary subnet of a domain that's sitting behind the pfSense."

    How is that? You can port forward behind a double NAT; it's just a PITA is all ;)

    Say you want port 80 to some box behind pfSense at 192.168.1.100 and you have this NAT setup:

    internet - publicIP wan ispdevice lan (.1) – 192.168.0/24 -- .2 (wan) pfsense (lan) .1 -- 192.168.1/24 -- .100 box

    So on the ISP device forward port 80 to 192.168.0.2 (pfSense WAN); on pfSense forward 80 to 192.168.1.100.

    Or, to make things simpler, put the pfSense WAN IP 192.168.0.2 as the DMZ host of your ISP device/router in front of pfSense, if the device supports that feature. While double/triple NAT should be avoided, yes, it's not like you cannot port forward through it.

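    The double-NAT forwarding chain described in the post above, as an added worked example that is not part of the thread and not pfSense code: a small Python model in which each NAT device has a port-forward table (WAN port to LAN ip:port) and an optional DMZ host, and an inbound connection is traced hop by hop to see where it lands. The addresses follow the diagram above; the public IP 203.0.113.10, the scenario names and the port-remap case (ISP device 8080 to pfSense 80) are assumptions made for the example. The real rules are configured in the pfSense GUI as described in the docs linked earlier; this model only shows why a forward is needed on every NAT device the packet crosses.

```python
# Added example (not from the thread, not pfSense code): trace an inbound
# TCP connection through a chain of NAT devices, each with its own
# port-forward table, to see where a packet aimed at the public IP ends up.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class NatDevice:
    name: str
    wan_ip: str
    # WAN destination port -> LAN target (ip, port)
    forwards: Dict[int, Endpoint] = field(default_factory=dict)
    # Catch-all LAN host for inbound ports with no explicit forward ("DMZ host")
    dmz_host: Optional[str] = None

    def translate(self, port: int) -> Optional[Endpoint]:
        """Destination NAT for one unsolicited inbound packet on this WAN."""
        if port in self.forwards:
            return self.forwards[port]
        if self.dmz_host is not None:
            return (self.dmz_host, port)
        return None  # no rule: a stateful NAT/firewall drops it


def trace_inbound(chain: List[NatDevice], dst_port: int) -> Tuple[Optional[Endpoint], List[str]]:
    """Follow a packet for dst_port through the chain, outermost device first.

    Returns (final endpoint, hop log). The endpoint is None when some device
    has no forward for the port, which is the "can ping out but not in" case.
    """
    log: List[str] = []
    port = dst_port
    for i, dev in enumerate(chain):
        target = dev.translate(port)
        if target is None:
            log.append(f"{dev.name}: no forward for port {port}, dropped")
            return None, log
        ip, port = target
        log.append(f"{dev.name}: inbound port {port if i else dst_port} -> {ip}:{port}")
        nxt = chain[i + 1] if i + 1 < len(chain) else None
        if nxt is None or nxt.wan_ip != ip:
            return (ip, port), log  # landed on a LAN host, not on another NAT device
    return None, log  # only reached for an empty chain


def build_chain(isp_forwards: Dict[int, Endpoint], pf_forwards: Dict[int, Endpoint],
                dmz: Optional[str] = None) -> List[NatDevice]:
    # Assumed public IP (documentation range); LAN-side addresses from the diagram.
    isp = NatDevice("ispdevice", "203.0.113.10", isp_forwards, dmz)
    pfsense = NatDevice("pfsense", "192.168.0.2", pf_forwards)
    return [isp, pfsense]


def scenario_both_forwards() -> Optional[Endpoint]:
    """ISP device 80 -> pfSense WAN, pfSense 80 -> box: reaches the box."""
    chain = build_chain({80: ("192.168.0.2", 80)}, {80: ("192.168.1.100", 80)})
    return trace_inbound(chain, 80)[0]


def scenario_pfsense_forward_missing() -> Optional[Endpoint]:
    """Forward only on the ISP device: pfSense drops it at its WAN."""
    chain = build_chain({80: ("192.168.0.2", 80)}, {})
    return trace_inbound(chain, 80)[0]


def scenario_dmz_host() -> Tuple[Optional[Endpoint], Optional[Endpoint]]:
    """pfSense WAN as DMZ host: every port reaches pfSense, which then decides."""
    chain = build_chain({}, {80: ("192.168.1.100", 80)}, dmz="192.168.0.2")
    return trace_inbound(chain, 80)[0], trace_inbound(chain, 22)[0]


def scenario_forward_to_wrong_host() -> Optional[Endpoint]:
    """ISP device forwards to the host PC instead of pfSense: never crosses pfSense."""
    chain = build_chain({80: ("192.168.0.5", 80)}, {80: ("192.168.1.100", 80)})
    return trace_inbound(chain, 80)[0]


def scenario_port_remap() -> Optional[Endpoint]:
    """Outer port differs from inner port: 8080 on the public IP, 80 on pfSense."""
    chain = build_chain({8080: ("192.168.0.2", 80)}, {80: ("192.168.1.100", 80)})
    return trace_inbound(chain, 8080)[0]


if __name__ == "__main__":
    for name, fn in [("both forwards", scenario_both_forwards),
                     ("pfSense forward missing", scenario_pfsense_forward_missing),
                     ("forward to wrong host", scenario_forward_to_wrong_host),
                     ("port remap", scenario_port_remap)]:
        print(f"{name}: {fn()}")
    print("dmz host (80, 22):", scenario_dmz_host())
```

    Note that the DMZ-host case is what makes the ISP device "transparent" for unsolicited inbound traffic: every port not explicitly forwarded lands on the pfSense WAN, so pfSense's own rules become the only filter in front of the LAN.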


  • Okay, so I kind of got it working, but something is still not right.

    I set static routes on the router to point to my pfSense for the two subnets, 192.168.1.x and 2.x.
    I then connected my host to the router via Ethernet cable (192.168.0.5).

    I can ping the subnets!!! (192.168.1.100 & 192.168.2.100) :) I also tested by connecting a laptop to the router; it can also ping the clients behind the pfSense VM.

    However, I have a cable running across my house. So to switch to Wi-Fi I simply set the LAN NIC to obtain an IP automatically and reconfigured the Wi-Fi NIC on the host. Now I cannot ping!!! I've checked the bridge connections in VMware Workstation. No IPs have been changed whatsoever.

    Starting to think this is a VM compatibility issue? But why can I ping out from the VM, just not into it?

    Right PITA!


  • LAYER 8 Global Moderator

    "But why can I ping out from the VM, just not into it?"

    How are you trying to ping something behind a NAT? You did what for routes? You do not have to create routes for pfSense sitting behind a double NAT. You would have to create routes if pfSense is NOT NATting. And now pfSense is a downstream router from your main router?

    Where are you trying to ping from, and what IP are you trying to ping? If you put pfSense behind your main router and it's not NATting, you now have your 192.168.0/24 as a transit network, so you're trying to ping from the transit network to what IP?

    Draw up your network.



  • Network diagram attached. First line is IP, second is GW; all is on /24 mask.

    I'm trying to ping client PC 1 and 2 from my laptop.
    At the moment, I can ping the pfSense VM from both the laptop and the host PC, nothing further.
    I can also ping the laptop and the internet from the client PCs.

    The router 192.168.0.1 has static routes set up to the pfSense router, 192.168.0.2.

    When the Wi-Fi link between the host PC and the ISP router is replaced with a cable, I can ping the client PCs from the laptop. When it's on Wi-Fi, I cannot.

    Firewall settings on the ISP router are turned off.
    Firewall settings on the pfSense are set to allow all on all interfaces.


