Multi LAN - one behind router, other not

  • I have this LAN configuration

    Internet (WAN)
    LAN A (  – router (                                    pfSense (
                                                    |                                                      |
                                            VSAT (satellite) -- router ( -- LAN B (
                                                                        LAN C (

    My problem is, LAN A ( not able to browse any webpage. Sometimes, the web is display the home, but when clicking the link, it appears "Cannot be displayed".
    But, seems that downloading working fine. Software like Adobe Updater and AVG Anti virus works fine on downloading the update from internet.

    The LAN B and LAN C have no problems with the connection. I'm confuse. Because LAN C should act the same like LAN A.

    I've been searching for this solution. I'm configuring also the AON, and NATTING the LAN A with static port. But still this problem not solved.

    Can anybody please help meeeeeeeee.....

  • Please tell us a bit more about your pfSense configuration. Are these three LANs three different VLANs on your firewall?

  • i only have 2 interface at my pfsense.
    1 LAN, 1 WAN.
    No bridging.

  • Are the routers behind pfSense doing any NAT?
    If not: Did you create a static route for the subnet pointing to the router leading to the subnet?

  • the cisco routers behind pfsense not doing any NAT.
    I'm creating the static route for the subnet.
    Since the router address is, then i put it right there.

    i'm able to ping to the router from the pfSense (just to make it clear).

    Anyway, the download seems have no problems at all. In my opinion, the routing is worked fine…

    In AON, i'm adding this :

    Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
    WAN  *  *  *  *  *  YES Auto created rule for LAN 
    WAN  *  *  *  *  *  NO
    LAN  *  *  *  *  NO

    what might be wrong?

  • Your AoN rule is wrong.
    The interface refers to "on which interface is traffic outgoing".

    Since you want to NAT to the WAN the interface should be WAN.
    The NAT Address refers to the IP with which NAT should be done.
    –> If you have Virtual IP's on the WAN you could use one of these instead of the WAN-IP itself.
    You should set that back to default.

  • My first setting for interface is WAN, but since it doesnt working, so i've change it to LAN to see the effect-but doesnt solve the problem.

    Ok. I've changed it back the interface to WAN.

    WAN  *  *  *  *  *  NO

    But, still don't work (hiks)

    The NAT Address changed to Interface address. Should i change it to my pfsense WAN address that i've added to the VIP or not?

    Do i need to put the static port YES, or NO?

    The strange thing is…the network is just working for the internet and browser. Strange but true!

  • o ya. just to make it more clear, previously i'm using Mikrotik Router, and it works just fine.
    I'm able to make the access through the internet. In mikrotik, i don't use any NAT for the site.
    I did remember that i just make route from to my WAN interface.

    That's make me wondering, is my problem related to the AON and NAT…or not?

    Because maybe just the static route can make it work with some firewall rules which i can't figure it out.

  • Didnt you moddify the default rule on LAN?
    Per default this rule only allows the LAN-subnet.
    Did you look at the firewall log and see something blocked?

    What i meant with "you should set that back to default": i was referring to the whole AoN.
    You dont need it.


    Every locally connected subnet, whether defined and reachable via a static route or attached to a LAN or OPT interface, will have its outbound traffic leaving any WAN interfaces NATed to that WAN interface's IP. You can change this behavior by enabling Advanced Outbound NAT (AON) but this is usually unnecessary and adds unneeded complexity.
    For OpenVPN if you want the OpenVPN subnet NAT'ed to WAN, you will have to use AON.

  • yes, i did.

    i modify this
    [click to toggle enabled/disabled status]  *  LAN net  *  *  *  *      Default LAN -> any

    to disable, so all traffic being blocked at the end.
    and i'm using the white list for user access, so i'm having less difficult to giving them policy.

    ya, when i see the log…most of them are blocked by default
    it said : @146 block drop in log quick all label "Default block all just to be sure."

    what should i do???

  • Read this sticky:,7001.0.html


    Rules are processed from top to down.
    If a rule catches the rest of the rules is no longer considered.
    Per default a "block all" rule is always in place (invisible below your own rules).

    Since the default rule blocks your access attempts you obviously didnt create the right rules to allow your users out.
    –> Create firewall-rules that allow your 3 subnets.

  • O MY GOD !!!!  :o :o :o :o :o :o :o
    i really read that line, but i couldnt understand what its meaning.
    now, my eyes are opened.

    "so, by default there is INVISIBLE RULE that block all traffic.
    and i just need to make rules that PASS what user can access the internet"

    is my sentence right?

    i'll try this right away.

    1. Turning PASS for Default rule
    2. Turning to Automatic Outbond NAT, not Advanced

    i'll submit the result right away…

  • ok, the rules are right now.



    accessing from network didnt work.

    it only could browse the front page only. When clicking the link inside the page, it become "Page could be displayed..."

  • Can you ping the LAN IP of the pfSense?
    Can you ping the WAN IP of the pfSense?
    Are you able to resolve DNS names? (What is your DNS entry on the client?)

  • ping from network to REPLY
    ping from network to pfSense WAN RTO

    my internal DNS is

  • THANKS for still here with me…
    i'm very grateful for this forum...
    expecially for GruensFroeschli, i always waiting for your reply in my days...hope there will be a bright sight about this...i know i will get through it...

    still can't get it right ... hiks  :'(

    maybe my firewall rules aren't right?

    here i attaching my screenshoot...

    the LAN default, i put it down to the bottom...
    the rules for pass the access to the client i put it on the very top.
    and for blocking the network, i put it at the top of the LAN default.

    is there any problems with the WAN rules?
    so i can post it to...

    or maybe you wanna see the .xml ?

  • while waiting for your reply, i'm traceroute the traffic from network.

    the result :
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\a>tracert

    Tracing route to over a maximum of 30 hops

    1    3 ms    2 ms    2 ms
      2  563 ms  495 ms  496 ms
      3  499 ms  497 ms  497 ms

    Trace complete.

    seems the traceroute have no problem accessing (LAN pfsense).

    but when traceroute the website

    C:\Documents and Settings\adhyastu.rahmantyo>tracert

    Tracing route to []
    over a maximum of 30 hops:

    1    4 ms    2 ms    2 ms
      2  496 ms  496 ms  507 ms
      3    *        *    ^C
    C:\Documents and Settings\a>

    it stops there…

  • Your rule only allows TCP. A ping (aka traceroute) is ICMP.
    Change the protocol to "any"

  • i've change the protocol to ANY.

    But still no result to the goodness…


    any other ways to figure it out?


  • hello there?

    the problem isn't solved yet…
    i'm desperated :(
    :-[ :'( :'(

  • Then Commercial support might be what you need.

  • hiks…

    maybe i'll migrate to Mikrotik again, since in Mikrotik there was no problem like this.

    thanks anyway.

  • i found the solution.

    i contact the VSAT technicians. So, we try up the topologi.

    MTU is the PROBLEM !!!

    so, we have to give the same MTU at the cisco router and so the pfsense, so they can communicate.

    Previous setting, MTU at pfsense 1500, and the cisco router 512.
    So, i set the MTU at pfsense 576, and the cisco router 576.

    The technicians said, it strange. Because in cisco router, it's already been set up that the cisco router will negotiate the MTU if its below it or above it. But when trying communicate with pfsense, the policy seems not working.

    But, well…it's already been solved now. It's not the NAT problem, policy problem, or anything else.
    It's the MTU setting.

    Thanks for all.

    If anyone can give me how we can negotiate the MTU and communicate with cisco smoothly, please don't hesitate.

Log in to reply