Installing pfsense under another pfsense for testing (resolved)

carobell

~~I am trying to make a testing environnement including pfsense of our production network.

Right now we have PFSENSE01 in production that is working fine. I made a vlan for the testing network and added TEST-PFSENSE. Both can communicate with the other without problem but the TESTPFSENSE does not have access to internet.

The point is to have TESTPFSENSE be almost completely seperate from the production so that I can test new configs but I need internet for that.

RIght now I have a client that can access both PFSENSE01 and TESTPFSENSE but still no internet. Any help would be greatly appreciated.

Here's a small image of what I'm trying to do, if it helps : https://imgur.com/XoquCtW~~

EDIT: Adding a very small summary of what is the problem, explaining too much without enough information seems to make people confused….

TL;DR : New pfsense instance (only default config) does not connect to the internet. WAN gets dhcp address from Router but does not communicate with the internet.

(((internet)))
                  I
                  I
            [routeur] (192.16.0.0/23 255.255.254.0)
          I              I
          I              I
  [pfsense]–--[user] (192.16.1.0/24 255.255.255.0)

The client, when using the router as gateway can access internet. When it uses pfsense as gateway it can still communicate with router but not with internet.

johnpoz

so you have pfsense01 and 02 in carp?

Your pfsense you have off a vlan would just be like any other client.. What rules did you put on the vlan?  Its an actual vlan?  Or pfsense is connected to a phy interface or switch.. Does testpfsense get a wan IP?

This would work out of the box just like bring up a client on a vlan, unless your overlapping networks between the testpfsense wan and its lan?

carobell

PFSEnse 01 and 02 are in sync, I sadly have not made that configuration so I do not know it they are in CARP.

It is an actual vlan and the only rule I added was to pass everything from that vlan. Both pfsense are connected to a switch on different vlans of that switch. testpfsense needs a wan IP since, ultimely it will be a copy of pfsense01 (with some changes)

Out of the box with default config I cannot communicate with internet. The client that I use can only do so if it is under pfsense01, the moment it receives an address from test-pfsense, it cannot connect to the internet. So I suppose it is a rule that is missing, but none of the ones that are supposed to do it, does it.

All networks do not overlap. The only overlapping that will happen is when I import the pfsense01 config to test-pfsense, but at that point I would change all the addresses to different subnets so they still do what they are supposed to do.

I've tried remaking the second pfsense to see if I made a mistake in my configurations. Here's what I did :

On the switch that connects the servers to the pfsense machine I made a VLAN for the test servers.
In the switch they are trunked and communication is possible between my original vlan and the testing vlan.
On pfsense01 (original) I added the vlan and it uses static ip addresses. A rule was also added to the firewall to let anything pass. I can access pfsense01 from the new vlan address from the servers.
I made a new pfsense (test-pfsense) that is connected to the test vlan. It has a WAN and a LAN.
Created a client computer that is also inside the test vlan and configured it to connect with DCHP.
I am now able to connect to the GUI of test-pfsense but not to anything else anymore.
To test that the client wasn't in cause of the original problem, I changed the ip config to use the pfsense01 test vlan addressing and from there it connects to internet and pings my production network.
I go back to dhcp, connect to test-pfsense and go throught the setup wizard.
Changed the LAN ip address to what I want it to be and still nothing.

Here's an update of the schéma I made. Took out stuff that seems to make people confused and added the switch that also seems to confuse everyone…. : https://imgur.com/a/M9dzI

johnpoz

I sure wish people would just attach to the post, I can not currently get to imgur since the proxy I can access that from work is down currently (its in FL) ;)  The other proxy doesn't allow access to imgur..

Maybe I can see something in your drawing?  But here is the thing I bring up downstream pfsense all the time in my VM setup.. Pfsense out of the box would NAT, if your not natting then yeah your going to have a problem unless your upstream router allows the downstream network and nats it, etc.  This vlan between your upstream pfsense and the test downstream one would be come a transit.

Out of the box pfsense would nat, and providing internet to clients behind pfsense would be no different than connecting a client.. to this network.  If pfsense can not get internet access then no nothing would work even if natting.  Simple enough to test from the diag menu if pfsense can ping an internet IP or do dns, etc.

carobell

I didn't even notice we could attach images…. There you go :)

NAT is used, but I made sure anything going between the two would pass, or at least there is nothing blocking the way...

EDIT: It resolved itself. I do not know if the version of pfsense I was using was not recent enough or if I made a typo somewhere but after the last re-installation with a new cd of pfsense it worked.