PfSense WAN in subnet with inbound communication from WAN



  • Hello,
    I am looking for a little bit of help and advice with reconfiguring my network with pfSense. I have tried to do it myself using google, youtube and reading the forum, however I still have not been able to get it working properly.

    This is the current physical topology:

    IP Router [172.25.0.1/24] –-----> Internal Router [172.16.0.1/24] –-------> Network switch A (physically connect to switch B)---------> Unmanaged switch ---------> Computer group A
                        |                                                                                              |                        |
                        |-[Connected without DHCP in case of internal router crash]-|                        |
                                                                                                                                      Network switch B (physically connect to switch A)–-------> Computer group B
                                                                                                                                                                                                                        |
                                                                                                                                                                                  [Here is the only possible place for pfSense box]

    What I would like the actual traffic topology to be is this:

    IP Router [172.25.0.1/24] –-------> Internal Router [172.16.0.1/24] –-------> Network switch A (physically connect to switch B) ---------> Unmanaged switch --------->Computer group A
                    |                                                                                                                                                                                                                                                                            |
                    |                                                                                          |----------------------------------------------- Specific computers --------------------------------------------------|
                    |                                                                                          |
          Network switch B (physically connect to switch A) ---------> pfSense box [172.16.100.1/24] –-------> Computer group B

    The physical topology of the setup is such that the upstream IP router (internet gateway), the internal router and the connection between the two network switches cannot be changed. The IP router is also connected directly to switch 'A' with no DHCP set on the IP router, so if the internal router crashes I can (using static IPs) still get access to the IP router. The two network switches are connected by a single port; the switches themselves are semi-managed (i.e. they have 802.1Q and port-based VLANs but that's about it).

    I have tried setting NAT/firewall rules, messing around with subnets and routing, but so far I haven't been able to achieve what I am trying to do. Getting the 'B' group set up is easy enough, but having it so only specific computers in group 'A' can talk to computers in group 'B' has eluded me. (Also, using a VPN to get machines from group A to talk to B isn't really an option as a couple of them cannot run VPN clients; I use "computers" as a generic term.)

    I am pretty new to pfSense so this might be an easy solution for someone more experienced so I would greatly appreciate any help.

    Is what I am trying to do even achievable?

    Basically I want to have two networks, have specific computers in 'A' talk to 'B', have all of 'B' able to talk to 'A'. Communication on all ports if that's possible.

    Limiting factors are the single-port connection between switch 'A' and 'B', the fact that only the two switches are VLAN aware, and of course the fact that I am new to pfSense/VLANs/this type of setup.



  • Why isn't it possible to put the pfSense box between the switches A and B?
    The way you intend it, you will need an additional switch on the pfSense LAN.

    In the WAN interface settings on pfSense remove the check at "block private networks" and give it an IP in 172.16.0.1/24. As upstream gateway set the internal IP of the internal router.

    Since the pfSense LAN network is an additional network segment, you will need static routes on either switch for 172.16.100.1/24. On the internet gateway it has to point to the internal router and on this it has to point to the pfSense WAN address.

    To get access from group A to group B you have to set appropriate firewall rules on the WAN interface. For the communication from B to A the default allow rule on the LAN interface should fit.



  • @viragomann:

    > Why isn't it possible to put the pfSense box between the switches A and B?
    > The way you intend it, you will need an additional switch on the pfSense LAN.
    >
    > In the WAN interface settings on pfSense remove the check at "block private networks" and give it an IP in 172.16.0.1/24. As upstream gateway set the internal IP of the internal router.
    >
    > Since the pfSense LAN network is an additional network segment, you will need static routes on either switch for 172.16.100.1/24. On the internet gateway it has to point to the internal router and on this it has to point to the pfSense WAN address.
    >
    > To get access from group A to group B you have to set appropriate firewall rules on the WAN interface. For the communication from B to A the default allow rule on the LAN interface should fit.

    You are right, I meant to show the single connection from switch 'A' going into pfSense, then pfSense connected to switch 'B'.

    The switches have no ability to static route (GSS116E - ProSAFE 16-port Gigabit Click Switches); the only devices that can static route are the 'Internal router' and of course pfSense.

    I have tried setting it up with pfSense WAN on 172.16.0.1/24 with a gateway of 172.16.0.1 and a static route on the 'internal router' for 172.16.100.1/24 to 172.16.0.100 (pfSense IP), and also disabled "block private networks". For some reason that didn't work; I couldn't ping any 172.16.100.1/24 device from a 172.16.0.1 device.

    In terms of internet connection, would the setup you described be using the internal router for internet or can I use the ISP router for that?

    Thank you for the advice, I will give your suggestion another go tomorrow as no doubt I did something wrong.



  • I tried it again, still not able to ping a device in 172.16.100.1/24

    I added a WAN firewall rule to allow source network 172.16.0.1/24 to any. Only other firewall rule is the one for bogon networks.

    LAN is set with static IP 172.16.100.1/24, rest default.
    WAN is set with static IP 172.16.0.222/24, upstream gateway 172.16.0.1 and block private networks unticked, rest default.

    Added static route on internal router for host 172.16.100.0, 255.255.255.0 and gateway 172.16.0.222 on LAN interface.

    When I ping a device on 172.16.100.1/24 from 172.16.0.233 I get this from ping:

    Request timeout for icmp_seq 4
    92 bytes from router.asus.com (172.16.0.1): Redirect Host(New addr: 172.16.0.222)
    Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
    4  5  00 0054 b967  0 0000  3f  01 04d4 172.16.0.233  172.16.100.100

    Any idea on what I am doing wrong? Afaik that's all set up right and 'should' work.



  • @iormangund:

    > I added a WAN firewall rule to allow source network 172.16.0.1/24 to any.

    Have you also set the protocol to any in that rule? By default pfSense uses TCP only here.

    pfSense also does outbound NAT by default. If you want to achieve a routed environment you should disable this in Firewall > NAT > Outbound.



  • @viragomann:

    > @iormangund:
    >
    > > I added a WAN firewall rule to allow source network 172.16.0.1/24 to any.
    >
    > Have you also set the protocol to any in that rule? By default pfSense uses TCP only here.
    >
    > pfSense also does outbound NAT by default. If you want to achieve a routed environment you should disable this in Firewall > NAT > Outbound.

    Yes, anywhere that specifies protocol, I have set to any.

    Just tried disabling NAT outbound, unfortunately it didn't make a difference.



  • Pinging from WAN to LAN over pfSense is straightforward.
    Just the following (already mentioned) options have to be checked:

    • interface config WAN, LAN: IP, mask

    • WAN interface settings: disable "block private networks"

    • a firewall rule to permit the ping

    If these settings are correct it should work.

    You say you have done these settings, but we cannot validate that, since you only post descriptions. Better to post screenshots of your settings.

    Are you able to ping pfSense WAN IP and LAN IP from 172.16.0.0/24?

    The outbound NAT only takes effect on outgoing connections from LAN to WAN. I know that this isn't a cause here.



  • @viragomann:

    > Pinging from WAN to LAN over pfSense is straightforward.
    > Just the following (already mentioned) options have to be checked:
    >
    > • interface config WAN, LAN: IP, mask
    >
    > • WAN interface settings: disable "block private networks"
    >
    > • a firewall rule to permit the ping
    >
    > If these settings are correct it should work.
    >
    > You say you have done these settings, but we cannot validate that, since you only post descriptions. Better to post screenshots of your settings.
    >
    > Are you able to ping pfSense WAN IP and LAN IP from 172.16.0.0/24?
    >
    > The outbound NAT only takes effect on outgoing connections from LAN to WAN. I know that this isn't a cause here.

    To the best of my knowledge, it's all set up as described. I tried to ping 172.16.0.1 from 172.16.100.100, however for some reason that didn't work, so I'm even more confused now (Edit: Pinging out to 172.16.0.1 seems to work now; the machine I was doing it from was set to a static IP, and changing it to DHCP seemed to work).
    That's a good point though about screenshots. All other settings I have left as default from the install wizard. Here they are:

    [Screenshot: pfSense settings (172.16.100.222)]

    [Screenshot: Internal router settings (172.16.0.1)]



  • Okay, the settings look fine.
    I think I'm tired; I haven't considered the following point:
    Since your computers in group A have their default route set to 172.16.0.1, you need a static route on each of them for the network behind pfSense, pointing at the pfSense WAN address, to reach the hosts. Otherwise packets are sent to 172.16.0.1.



  • @viragomann:

    > Okay, the settings look fine.
    > I think I'm tired; I haven't considered the following point:
    > Since your computers in group A have their default route set to 172.16.0.1, you need a static route on each of them for the network behind pfSense, pointing at the pfSense WAN address, to reach the hosts. Otherwise packets are sent to 172.16.0.1.

    I don't quite understand; I cannot set static routes on the computers in group A, only on the internal router and pfSense can I set static routes.
    Did another ping test, and it seems now I can ping 172.16.100.1 from a device in group A (172.16.0.1/24).
    No luck getting through to an actual machine in group B.

    EDIT: So, sort of good news. Since taking the test machine in 172.16.100.1/24 off its static IP and setting it to DHCP I can now ping to and from it across group A and B. Odd that it completely fails with a static IP but not with DHCP.
    However I cannot do anything other than ping so far; I tried RDP and SMB but they didn't work.



  • Any computer OS is capable of setting a static route. Without it your setup won't work as you intend.

    The only other options are:

    • NAT: assign a virtual IP in 172.16.0.0/24 for each host to the pfSense WAN interface and access the computers via these.

    • Bridging pfSense WAN-LAN.

    In both cases each computer in B gets an IP in 172.16.0.0/24.

    If you try to realize a routed environment you have to set static routes.
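    To show why the host-side static route matters, here is an added example (not code from the thread or from pfSense) that models the routing tables of the posted addresses and traces the forward path from the group A host 172.16.0.233 to 172.16.100.100. Without a route on the host, the internal router has to hand the packet back out onto the same segment towards 172.16.0.222, which is the hairpin that produces the "Redirect Host" line in the ping output earlier in the thread; with the static route on the host the hairpin disappears. The node names, link list and the B-side host address are constructed for the model.

```python
from ipaddress import ip_address, ip_network

def table(*entries):
    """Routing table from (network, gateway) pairs; gateway None = on-link."""
    return [(ip_network(n), None if g is None else ip_address(g)) for n, g in entries]

# Constructed model of the thread's topology, addresses as posted: the group A
# host that ran the ping, the internal router with its static route to pfSense,
# and pfSense with WAN on 172.16.0.0/24 and LAN on 172.16.100.0/24.
NODES = {
    "172.16.0.233": dict(links=[ip_network("172.16.0.0/24")],
        routes=table(("172.16.0.0/24", None), ("0.0.0.0/0", "172.16.0.1"))),
    "172.16.0.1": dict(links=[ip_network("172.16.0.0/24")],
        routes=table(("172.16.0.0/24", None), ("172.16.100.0/24", "172.16.0.222"),
                     ("0.0.0.0/0", "172.25.0.1"))),
    "172.16.0.222": dict(links=[ip_network("172.16.0.0/24"), ip_network("172.16.100.0/24")],
        routes=table(("172.16.0.0/24", None), ("172.16.100.0/24", None))),
}

def lookup(routes, dst):
    """Longest-prefix match; returns the gateway, or None when dst is on-link."""
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def trace(src, dst, host_routes=(), max_hops=8):
    """Forward-path decisions from src to dst as (node, hop, redirect) tuples.
    redirect is True when a router would send the packet back out the link it
    arrived on, the situation in which it emits an ICMP redirect to the sender.
    host_routes are extra static routes configured on the source host."""
    dst = ip_address(dst)
    tables = {n: v["routes"] for n, v in NODES.items()}
    tables[src] = table(*host_routes) + tables[src]   # host route wins on prefix length
    path, node, arrived_via = [], src, None
    for _ in range(max_hops):
        if dst == ip_address(node):
            return path + [(node, "local", False)]
        gw = lookup(tables[node], dst)
        hop = dst if gw is None else gw
        redirect = arrived_via is not None and hop in arrived_via
        path.append((node, str(hop), redirect))
        if str(hop) not in NODES:          # handed to a host we do not model
            return path
        arrived_via = next(l for l in NODES[node]["links"] if hop in l)
        node = str(hop)
    raise RuntimeError("routing loop")
```

    Passing `host_routes=(("172.16.100.0/24", "172.16.0.222"),)` is the per-host static route viragomann describes; the trace then goes straight to pfSense with no redirect step.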



  • @viragomann:

    > Any computer OS is capable of setting a static route. Without it your setup won't work as you intend.
    >
    > The only other options are:
    >
    > • NAT: assign a virtual IP in 172.16.0.0/24 for each host to the pfSense WAN interface and access the computers via these.
    >
    > • Bridging pfSense WAN-LAN.
    >
    > In both cases each computer in B gets an IP in 172.16.0.0/24.
    >
    > If you try to realize a routed environment you have to set static routes.

    Yeah, that's why I was using the term "computer" loosely; the sort of things I was including were IoT-type devices, and I can't set routes on those. Only one actual computer in group A will have access to group B; the rest that need access will be 'devices'.

    I'll give your suggestion of NAT a try and see if that helps.

    Edit: actually, I just looked at the virtual IP stuff in Firewall, way over my head at the moment.



  • For NAT you have to assign a virtual IP of type IP alias in Firewall > Virtual IPs.
    Afterwards you may also use NAT 1:1 to map the whole network segment.



  • @viragomann:

    > For NAT you have to assign a virtual IP of type IP alias in Firewall > Virtual IPs.
    > Afterwards you may also use NAT 1:1 to map the whole network segment.

    Would that be a virtual IP alias of, for instance, 172.16.0.15 in the Virtual IP setting, or 172.16.100.15?



  • The aliases have to be in 172.16.0.0/24.

    For instance, you want to add aliases for
    172.16.100.15
    172.16.100.22

    Assuming the respective address is not already in use in 172.16.0.0/24, add
    172.16.0.15
    172.16.0.22

    Type: IP Alias
    Interface: WAN



  • @viragomann:

    > The aliases have to be in 172.16.0.0/24.
    >
    > For instance, you want to add aliases for
    > 172.16.100.15
    > 172.16.100.22
    >
    > Assuming the respective address is not already in use in 172.16.0.0/24, add
    > 172.16.0.15
    > 172.16.0.22
    >
    > Type: IP Alias
    > Interface: WAN

    Okay, makes sense, then with NAT 1:1 I have external IP 172.16.0.1 with internal IP and destination set to any?

    (would like to take this moment to say a big thank you for helping me!)



  • In 1:1 you can set the NAT for the whole subnet if you enter 172.16.0.0 at "External subnet IP" and at "Internal IP" select network and 172.16.100.0/24.

    It doesn't matter if this also includes IPs assigned to computers in group A, since you haven't added an IP alias for these addresses to WAN.
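    To make the alias planning and the subnet 1:1 mapping concrete, here is an added example (not code from the thread or from pfSense) that translates addresses between 172.16.100.0/24 and 172.16.0.0/24 by keeping the host bits, which is how a network-to-network 1:1 entry maps each host, and flags any alias address that is already in use on the WAN side, the "not already in use" condition viragomann mentions. The set of in-use WAN-side addresses is constructed from the addresses posted in the thread.

```python
from ipaddress import ip_address, ip_network

EXTERNAL_NET = ip_network("172.16.0.0/24")    # group A side, pfSense WAN
INTERNAL_NET = ip_network("172.16.100.0/24")  # group B side, pfSense LAN

# Constructed: addresses already engaged on the WAN side, taken from the thread
# (internal router, pfSense WAN address, the group A host that ran the ping).
IN_USE_EXTERNAL = {ip_address(a) for a in ("172.16.0.1", "172.16.0.222", "172.16.0.233")}

def translate(addr, from_net, to_net):
    """Network-to-network 1:1 mapping: keep the host bits, swap the network bits."""
    addr = ip_address(addr)
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError("1:1 subnet mapping needs equal prefix lengths")
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_bits = int(addr) - int(from_net.network_address)
    return ip_address(int(to_net.network_address) + host_bits)

def plan_aliases(internal_hosts, in_use=IN_USE_EXTERNAL):
    """For each group B host return (internal, external alias, ok).
    ok is False when the alias address is already used on 172.16.0.0/24; such
    an IP alias must not be added to WAN, or it would collide with that host."""
    plan = []
    for host in internal_hosts:
        ext = translate(host, INTERNAL_NET, EXTERNAL_NET)
        plan.append((str(ip_address(host)), str(ext), ext not in in_use))
    return plan
```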