PfSense as main Firewall of the LAN
-
Hello, this is my first post. I am a network admin and put pfSense as main firewall in my network:
WAN 1(Private)–-------------- ------------------ (Servers Net)
| |
WAN 2(Internet)------------------------( pfSense )---------------------
| |
WAN 3(Private)---------------- -----------------------------------------(Internal Net)I was configurated the server as:
re1: Internal Net
re2: Servers Net
re3: WANsOnly WAN2 has internet, the others are connection with others branch of the company. The problem is that from the pfSense I have internet (by WAN 2) but from the servers Net dont work, i see the pfSense, but this dont do the routing to WAN 2, wish is the default gateway of pfSense, i don't know how to tell to pfSense that do the routing from Servers Net interface to WAN 2.
The Network Address of re3 are configurated as Virtual IPs in Firewall, because I configure that in a VLAN method, but it seems that my Layer 2 Switch not support that and the ICMP ping works to the WAN routers but the communication don't, thanks and sorry for my bad english.
-
"i don't know how to tell to pfSense that do the routing from Servers Net interface to WAN 2."
Well what are you outbound nats? And what are you rules for server net interface?
What do you have setup for your gateways? Which one is default?
-
I don't have NAT configurateds, i need that pfSense actuate as a gateway for the Servers, wich they have an Squid running to control de Internet connections, but the Internal Company Network has the pfSense as Gateway too, because for the others WAN it can go directly. The gateways
Example of WAN routers address
WAN1 - 192.168.1.1/24
WAN2 - 192.168.2.1/24 (INTERNET)
WAN3 - 192.168.3.1/24pfSense Address:
WANS:
1: 192.168.1.2/24
2: 192.168.2.2/24
3: 192.168.3.2/24
Servers NET:
1: 192.168.0.254/24
Internal NET (where are the PCs of the employes):
1: 10.0.0.254/24So the gateways of pfSense are 192.168.x.1 and the default is the 192.168.1.1 (Internet). I was configure pfSense as if the Internal NET access only to determinated IPs in the WANs 1 & 3 (not internet) go directly as pfSense gateway and to go to internet need the proxy in the Servers address (192.168.0.3).
-
So your not doing nat? So these wans are all internal networks, and should be transit networks not hosts on them..
Can you draw your overall network up. Why does pfsense have 3 wans?? If you want to use pfsense as some downstream router, then the only wan should be a transit, you could have multiple transits networks. But sounds like these are actual networks??
-
Two of the WANs are connections with a router with another instances of the company, only the WAN2 is used for internet. Transit Network?? i don't understand the mining of that. The network is exactly that i was posted
-
You don't know what a transit network is?
"So the gateways of pfSense are 192.168.x.1 and the default is the 192.168.1.1 (Internet)"
"WAN2 - 192.168.2.1/24 (INTERNET)"So which one is it?? is 1.1 how it gets to the internet or is 2.1 how it does?
So what network(s) are on the other end of this 192.168.3 network for example? You say this is another router.. What networks are attached to that router, how does pfsense know how to get to those networks?
What is the routing table of pfsense? So this other router that pfsense connects to get to the internet is natting the networks behind pfsense. Your not natting at pfsense you stated. So you turned off natting?? Did you turn off firewall as well?
This is basic networking 101, how is you don't know what a transit network is?? Are their any hosts on these 192.168.1 and .3/24 networks? Why are they /24 if they are transit networks that only connect to another router with other networks connected to them? So how do these other networks that are not your internet connection talk to each other? How do they know to route to pfsense to get to your networks behind pfsense?
-
That's image is exactly that i have the network.
The .2.1 (INTERNET) is a router configurated by my ISP. The others two don't have internet and are routers to the other provinces with they endpoints to communicate with this branch.
WAN 1 is only to connect to us from another branch, this is a sub-branch, and the WAN 3 is where my main mail server are (all in the same address space).
Actually the routing table that i have is the automatically generated by pfSense and for test in the firewall I allow all the traffic from the servers net in all interfaces, but when in a server I execute "ping 8.8.8.8" never show nothing, it's seem filtered by pfSense
-
So this router from your ISP is natting all these networks to your internet? You said you turned off natting in pfsense. So for you to ping 8.8.8.8 the isp router would have to nat your networks to whatever your public IP is. And then the return that ISP router would need to know how to get back to that network.
"I don't have NAT configurateds"
So you turned off natting? Or you just didn't configure it?? Out of the box pfsense would auto nat outbound traffic to its wan interface. But if you have multiple wans then you need to make sure you nat correctly.
Please post up your outbound nat tab, and your routing table. So what rules did you create on your interfaces that are not lan? The default lan interface would be any any.
-
I didn't configure it (the NATs gg)… another problem is that the interfaces, the wan routers are connected to a optional interface (opt1), pfSense have inside that these interfaces can be WAN??? or i need put the routers WAN to the interfaces that pfSense say to me, i can't change it??
The ping to 8.8.8.8 inside pfSense is working great, the problem is outside... in the servers net.
The interfaces are:
EMPRESA Interface (wan, re1)
SERVIDORES Interface (lan, re2)
WAN_MAIN_INTERFACE Interface (opt1, re0) (INTERNET)
VLAN_NACIONAL Interface (opt2, re0_vlan1) (WAN 1)
VLAN_PROVINCIAL Interface (opt3, re0_vlan2) (WAN 3)A question…. that the re1 (identify by wan) don't care that don't be attached to the INTERNET??? the main circuit must be:
EMPRESA -> SERVIDORES (SQUID) -> pfSENSE -> INTERNET
EMPRESA -> pfSENSE -> WAN 1 OR WAN 2 (services of my company in other areas)
SERVIDORES -> pfSENSE -> INTERNETthat's the flow that i want... thanks for all the reply
-
Well all works now, changing the cables to the correct interface… thanks
