Netgate Discussion Forum

    PfSense WAN in subnet with inbound communication from WAN

    Routing and Multi WAN
    17 Posts 2 Posters 2.3k Views
      iormangund

      Hello,
      I am looking for a little bit of help and advice with reconfiguring my network with pfSense. I have tried to do it myself using Google, YouTube and reading the forum, however I still have not been able to get it working properly.

      This is the current physical topology:

      IP Router [172.25.0.1/24] ----> Internal Router [172.16.0.1/24] ----> Network switch A (physically connected to switch B) ----> Unmanaged switch ----> Computer group A
          |                                                                  |
          |-[Connected without DHCP in case of internal router crash]-------|
                                                                             |
                                                                             Network switch B (physically connected to switch A) ----> Computer group B
                                                                                                                                              |
                                                                                                   [Here is the only possible place for pfSense box]

      What I would like the actual traffic topology to be is this:

      IP Router [172.25.0.1/24] ----> Internal Router [172.16.0.1/24] ----> Network switch A (physically connected to switch B) ----> Unmanaged switch ----> Computer group A
          |                                                                                                                                                           |
          |                                                     |--------------------------------------- Specific computers ----------------------------------------|
          |                                                     |
      Network switch B (physically connected to switch A) ----> pfSense box [172.16.100.1/24] ----> Computer group B

      The physical topology of the setup is such that the upstream IP router (internet gateway), Internal router and connection between the two network switches cannot be changed. The IP router is also connected directly to switch 'A' with no DHCP set on the IP router, so if the internal router crashes I can (using static IPs) still get access to the IP router. The two network switches are connected by a single port; the switches themselves are semi-managed (i.e. they have 802.1Q and port-based VLAN but that's about it).

      I have tried setting NAT/firewall rules, messing around with subnets and routing, but so far I haven't been able to achieve what I am trying to do. Getting the 'B' group set up is easy enough, but having it so only specific computers in group 'A' can talk to computers in group 'B' has eluded me. (Also, using VPN to get machines from group A to talk to B isn't really an option as a couple of them cannot run VPN clients; I refer to computers as a generic term.)

      I am pretty new to pfSense so this might be an easy solution for someone more experienced so I would greatly appreciate any help.

      Is what I am trying to do even achievable?

      Basically I want to have two networks, have specific computers in 'A' talk to 'B', have all of 'B' able to talk to 'A'. Communication on all ports if that's possible.

      Limiting factors are the single port connection between switch 'A' and 'B', the fact that only the two switches are VLAN aware, and of course the fact that I am new to pfSense/VLAN/this type of setup.

        viragomann

        Why isn't it possible to put the pfSense box between the switches A and B?
        The way you intend it, you will need an additional switch on the pfSense LAN.

        In the WAN interface settings on pfSense remove the check at "block private networks" and give it an IP in 172.16.0.1/24. As upstream gateway set the internal IP of the internal router.

        Since the pfSense LAN network is an additional network segment, you will need static routes on either switch for 172.16.100.1/24. On the internet gateway it has to point to the internal router, and on this it has to point to the pfSense WAN address.

        To get access from group A to group B you have to set appropriate firewall rules on WAN interface. For the communication from B to A the default allow rule on LAN interface should fit.

          iormangund

          @viragomann:

          Why isn't it possible to put the pfSense box between the switches A and B?
          The way you intend it, you will need an additional switch on the pfSense LAN.

          In the WAN interface settings on pfSense remove the check at "block private networks" and give it an IP in 172.16.0.1/24. As upstream gateway set the internal IP of the internal router.

          Since the pfSense LAN network is an additional network segment, you will need static routes on either switch for 172.16.100.1/24. On the internet gateway it has to point to the internal router, and on this it has to point to the pfSense WAN address.

          To get access from group A to group B you have to set appropriate firewall rules on WAN interface. For the communication from B to A the default allow rule on LAN interface should fit.

          You are right, I meant to show the single connection from switch 'A' going into pfSense, then pfSense connected to switch 'B'.

          The switches have no ability to static route (GSS116E - ProSAFE 16-port Gigabit Click Switches); the only devices that can static route are the 'Internal router' and of course pfSense.

          I have tried setting it up with pfSense WAN on 172.16.0.1/24 with gateway of 172.16.0.1 and a static route on 'internal router' for 172.16.100.1/24 to 172.16.0.100 (pfSense IP), also disabled "block private networks". For some reason that didn't work, I couldn't ping any 172.16.100.1/24 device from a 172.16.0.1 device.

          In terms of internet connection, would the setup you described be using the internal router for internet or can I use the ISP router for that?

          Thank you for the advice, I will give your suggestion another go tomorrow as no doubt I did something wrong.

            iormangund

            I tried it again, still not able to ping a device in 172.16.100.1/24.

            I added a WAN firewall rule to allow source network 172.16.0.1/24 to any. Only other firewall rule is the one for bogon networks.

            LAN is set with static IP 172.16.100.1/24, rest default.
            WAN is set with static IP 172.16.0.222/24, upstream gateway 172.16.0.1 and block private networks unticked, rest default.

            Added static route on internal router for host 172.16.100.0, 255.255.255.0 and gateway 172.16.0.222 on LAN interface.

            When I ping a device on 172.16.100.1/24 from 172.16.0.233 I get this from ping:

            Request timeout for icmp_seq 4
            92 bytes from router.asus.com (172.16.0.1): Redirect Host(New addr: 172.16.0.222)
            Vr HL TOS  Len  ID Flg  off TTL Pro  cks      Src      Dst
            4  5  00 0054 b967  0 0000  3f  01 04d4 172.16.0.233  172.16.100.100

            Any idea on what I am doing wrong? AFAIK that's all set up right and 'should' work.

              viragomann

              @iormangund:

              I added a WAN firewall rule to allow source network 172.16.0.1/24 to any.

              Have you also set the protocol to any in that rule? By default pfSense uses TCP only here.

              pfSense also does outbound NAT by default. If you want to achieve a routed environment you should disable this in Firewall > NAT > Outbound.

                iormangund

                @viragomann:

                @iormangund:

                I added a WAN firewall rule to allow source network 172.16.0.1/24 to any.

                Have you also set the protocol to any in that rule? By default pfSense uses TCP only here.

                pfSense also does outbound NAT by default. If you want to achieve a routed environment you should disable this in Firewall > NAT > Outbound.

                Yes, anywhere that specifies protocol, I have set to any.

                Just tried disabling NAT outbound, unfortunately it didn't make a difference.

                  viragomann

                  Pinging from WAN to LAN over pfSense is straightforward.
                  Just the following (already mentioned) options have to be checked.

                  • interface config WAN, LAN: IP, mask

                  • WAN interface settings: disable "block private networks"

                  • a firewall rule to permit the ping

                  If these settings are correct it should work.

                  You say you have done these settings, but we cannot validate, since you post only descriptions. Better to post screenshots of your settings.

                  Are you able to ping pfSense WAN IP and LAN IP from 172.16.0.0/24?

                  The outbound NAT only takes effect on outgoing connections from LAN to WAN. I know that this isn't a cause here.

                    iormangund

                    @viragomann:

                    Pinging from WAN to LAN over pfSense is straightforward.
                    Just the following (already mentioned) options have to be checked.

                    • interface config WAN, LAN: IP, mask

                    • WAN interface settings: disable "block private networks"

                    • a firewall rule to permit the ping

                    If these settings are correct it should work.

                    You say you have done these settings, but we cannot validate, since you post only descriptions. Better to post screenshots of your settings.

                    Are you able to ping pfSense WAN IP and LAN IP from 172.16.0.0/24?

                    The outbound NAT only takes effect on outgoing connections from LAN to WAN. I know that this isn't a cause here.

                    To the best of my knowledge, it's all set up as described. I tried to ping 172.16.0.1 from 172.16.100.100, however for some reason that didn't work, so I'm even more confused now (Edit: Pinging out to 172.16.0.1 seems to work now; the machine I was doing it from was set to a static IP, changing it to DHCP seemed to work).
                    That's a good point though about screenshots. All other settings I have left as default from the install wizard. Here they are:

                    [Screenshot: pfSense settings (172.16.100.222)]

                    [Screenshot: Internal router settings (172.16.0.1)]

                      viragomann

                      Okay, the settings look fine.
                      I think I'm tired, I haven't considered the following point:
                      Since your computers in group A have set their default route to 172.16.0.1, you need a static route on each for the network behind pfSense pointing to the pfSense WAN address to reach the hosts. Otherwise packets are sent to 172.16.0.1.

                        iormangund

                        @viragomann:

                        Okay, the settings look fine.
                        I think I'm tired, I haven't considered the following point:
                        Since your computers in group A have set their default route to 172.16.0.1, you need a static route on each for the network behind pfSense pointing to the pfSense WAN address to reach the hosts. Otherwise packets are sent to 172.16.0.1.

                        I don't quite understand; I cannot set static routes on the computers in group A, only on the internal router and pfSense can I set static routes.
                        Did another ping test, and it seems now I can ping 172.16.100.1 from a device in group A (172.16.0.1/24).
                        No luck getting through to an actual machine in group B.

                        EDIT: So, sort of good news. Since taking the test machine in 172.16.100.1/24 off static IP and setting it to DHCP, I can now ping to and from it across groups A and B. Odd that it completely fails with a static IP but not DHCP.
                        However I cannot do anything other than ping so far; tried RDP and SMB but they didn't work.

                          viragomann

                          Any computer OS is capable of setting a static route. Without it your setup won't work as you intend.

                          The only other options are:
                          NAT. Assign a virtual IP of 172.16.0.0/24 for each host to the pfSense WAN interface and access the computers via these.
                          Bridging pfSense WAN-LAN.

                          In both cases each computer in B gets an IP in 172.16.0.0/24.

                          If you try to realize a routing environment you have to set static routes.

                            iormangund

                            @viragomann:

                            Any computer OS is capable of setting a static route. Without it your setup won't work as you intend.

                            The only other options are:
                            NAT. Assign a virtual IP of 172.16.0.0/24 for each host to the pfSense WAN interface and access the computers via these.
                            Bridging pfSense WAN-LAN.

                            In both cases each computer in B gets an IP in 172.16.0.0/24.

                            If you try to realize a routing environment you have to set static routes.

                            Yeah, that's why I was using the term computer loosely; the sort of things I was including were IoT type stuff, can't set routes on those. There will only actually be one computer in group A that has access to group B; the rest that need access will be 'devices'.

                            I'll give your suggestion of NAT a try and see if that helps.

                            Edit: actually, just looked at the virtual IP stuff in Firewall, way over my head at the moment.

                              viragomann

                              For NAT you have to assign a virtual IP of type IP alias in Firewall > Virtual IPs.
                              After that you may also use NAT 1:1 to map the whole network segment.

                                iormangund

                                @viragomann:

                                For NAT you have to assign a virtual IP of type IP alias in Firewall > Virtual IPs.
                                After that you may also use NAT 1:1 to map the whole network segment.

                                Would that be a virtual IP alias of, for instance, 172.16.0.15 in the virtual IP setting, or 172.16.100.15?

                                  viragomann

                                  The aliases have to be in 172.16.0.0/24.

                                  For instance, you want to add aliases for
                                  172.16.100.15
                                  172.16.100.22

                                  Assuming the respective address is not already in use in 172.16.0.0/24, add
                                  172.16.0.15
                                  172.16.0.22

                                  Type: IP Alias
                                  Interface: WAN

                                    iormangund

                                    @viragomann:

                                    The aliases have to be in 172.16.0.0/24.

                                    For instance, you want to add aliases for
                                    172.16.100.15
                                    172.16.100.22

                                    Assuming the respective address is not already in use in 172.16.0.0/24, add
                                    172.16.0.15
                                    172.16.0.22

                                    Type: IP Alias
                                    Interface: WAN

                                    Okay, makes sense, then with NAT 1:1 I have external IP 172.16.0.1 with internal IP and destination set to any?

                                    (would like to take this moment to say a big thank you for helping me!)

                                      viragomann

                                      In 1:1 you can set the NAT for the whole subnet if you enter 172.16.0.0 at "External subnet IP" and at "Internal IP" select network and 172.16.100.0/24.

                                      It doesn't matter if this also includes IPs assigned to computers in group A, since you haven't added an IP alias for these addresses to WAN.
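Putting viragomann's two points together (the per-host static route toward the pfSense WAN address, and the later 1:1 NAT that only answers for addresses added as IP Alias VIPs), here is an added Python model of the thread's addressing. It is constructed for illustration and is not pfSense code or anything either poster ran; the route table entries and the set of aliases are assumptions built from the addresses in the thread.

```python
import ipaddress

# Constructed model of the thread's setup (not pfSense code). Addresses are the
# ones posted: group A is 172.16.0.0/24 behind the internal router 172.16.0.1,
# pfSense WAN is 172.16.0.222, pfSense LAN (group B) is 172.16.100.0/24.
INTERNAL_ROUTER = "172.16.0.1"
PFSENSE_WAN = "172.16.0.222"
GROUP_A_NET = ipaddress.ip_network("172.16.0.0/24")
PFSENSE_LAN_NET = ipaddress.ip_network("172.16.100.0/24")


def next_hop(dst, routes):
    """Longest-prefix match over a host's route table.

    routes: list of (network, gateway); gateway None means directly attached.
    Returns the gateway the host hands the packet to, or "direct".
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw in routes:
        net = ipaddress.ip_network(net)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1] or "direct"


# A group-A host as posted: its connected subnet plus a default route. Traffic
# for 172.16.100.x goes to 172.16.0.1 first, which is why the ping output shows
# an ICMP "Redirect Host" toward 172.16.0.222.
ROUTES_WITHOUT_STATIC = [("172.16.0.0/24", None), ("0.0.0.0/0", INTERNAL_ROUTER)]
# The same host after adding the static route viragomann recommends.
ROUTES_WITH_STATIC = ROUTES_WITHOUT_STATIC + [("172.16.100.0/24", PFSENSE_WAN)]


def one_to_one_nat(dst, wan_aliases, external_net=GROUP_A_NET,
                   internal_net=PFSENSE_LAN_NET):
    """Apply the 1:1 NAT from the last post: external 172.16.0.0/24 maps onto
    internal 172.16.100.0/24 host-for-host, but pfSense only claims addresses
    that were added as IP Alias VIPs on WAN. Returns the group-B address
    reached, or None when pfSense will not answer for that address (so a
    group-A host keeping the same last octet is unaffected)."""
    dst = ipaddress.ip_address(dst)
    if dst not in external_net or str(dst) not in wan_aliases:
        return None
    offset = int(dst) - int(external_net.network_address)
    return str(internal_net.network_address + offset)
```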

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.