Using a PFsense behind another PFsense

sagaroth · Jan 25, 2018, 11:31 AM

Hello everyone!

Here, I'm stuck on a configuration that I would like to set up on my network.
Currently, I have a PFsense in front of my network with a WAN interface and a LAN interface.
My goal is to have a second one set up for HA. The problem is that my second PFsense must be up to date (and I only have a WAN IP). So I would have liked to temporarily put this second PFsense behind my first PFsense by indicating my PFsense 1 as a Gateway on my PFsense 2. I created a LAN interface on this PFsense2 on the same network as the LAN interface of my PFsense 1.

Despite this, the traceroute to a public IP only sends me the first HOP and stops at PFsense 1 without going beyond it.

Have I forgotten something ?

Thank you in advance:)

Translated with www.DeepL.com/Translator

realtec · Jan 25, 2018, 11:37 AM

How have you set this up?

The way I understand it is there is a CARP IP…. for example, 10.10.10.10 - Both boxes communicate over carp on that IP so you second PFSense box will update from you main one.

sagaroth · Jan 25, 2018, 12:03 PM

At first I had set up a configuration via CARP, but the synchronization, so the recovery of WAN parameters from PFsense 1 was not done because PFsense 2 was not up to date.

So that's why I opted for a temporary configuration of this kind:

WAN <-> PFsense1 <-> LAN <-> PFsense2

On my PFsense1, the LAN interface is in 10.10.10.1, on my PFsense2, the LAN interface is in 10.10.10.2.
On my PFsense2, I have configured the gateway as PFsense1.

sagaroth · May 4, 2022, 7:35 PM

Resolved, I've add a Outbound Rule on my 1st PFsense to allow my 2nd PFsense to go to WAN through is LAN interface :)

apame · May 4, 2022, 7:35 PM

@sagaroth said in Using a PFsense behind another PFsense:

Resolved, I've add a Outbound Rule on my 1st PFsense to allow my 2nd PFsense to go to WAN through is LAN interface :)

Hello sagaroth,

I'm going through a similar situation (one pfSense behind another pfSense) but i failed to create this Outbound Rule
So can you tell us how to do it?

Thank you in advance :)

stephenw10 · May 5, 2022, 7:26 AM

The default outbound NAT rules will work fine in that situation if you are double NATing.

You only need to be sure there are no subnet conflicts. At least one box must use a different LAN subnet.

Steve

apame · May 5, 2022, 7:26 AM

@stephenw10
Thank you for your response,
I have the following IP configuration :
WAN <---> (10.10.1.1/24) pfSense1 (172.16.1.1/24) <---> LAN1 <---> (172.16.1.2/24) pfSense2 (172.30.1.1/24) <---> LAN2

so there is no subnet conflicts,

How to figure out the problem ?

stephenw10 · May 5, 2022, 1:08 PM

Yes, if both those pfSense instances are running an otherwise default config that will work fine.

So if it's not it's because of something you have changed.

Firewall rules? Outbound NAT rules? WANs still using DHCP?

Steve