Netgate Discussion Forum
VM pfSense behind a Hardware pfSense port forwarding not working

Virtualization
7 Posts 3 Posters 848 Views
wasim.ahmed

Hello,

I have a physical pfSense, which is acting as the perimeter firewall. I also have a VM environment with multiple VLANs and need to isolate each subnet. So I put a VM pfSense after the physical pfSense. Currently, the IPs are set as follows:

Physical pfSense (#1 pfSense)
WAN: Public IP
LAN: 10.0.0.1/24

VM pfSense (#2 pfSense)
WAN: 10.0.0.10/24
LAN: 172.16.0.1/24
OPT1: 172.16.10.0/24
OPT2: 172.16.20.0/24
OPT2: 172.16.30.0/24

I have some port forwarding on the physical pfSense as follows:

Internet > #1 pfSense Port 9001-9003 > #2 pfSense Port 9001 > 172.16.10.2
Internet > #1 pfSense Port 9001-9003 > #2 pfSense Port 9002 > 172.16.20.2
Internet > #1 pfSense Port 9001-9003 > #2 pfSense Port 9003 > 172.16.30.2

The issue is that no port forwarding is taking place from #1 to #2. Ping from #1 to the #2 WAN also does not show any result. I made sure that the "Block private networks and loopback addresses" option is unchecked on the #2 pfSense WAN interface. #2 pfSense can ping out to the internet.

What else needs to be done to make #2 talk to #1?

KOM

Do you have your WAN set to block private networks, which is usually the default setting? That will block everything coming from private IP space, such as your pings.

wasim.ahmed

@KOM:

Do you have your WAN set to block private networks, which is usually the default setting? That will block everything coming from private IP space, such as your pings.

No, the block private IP option is unchecked on the #2 pfSense WAN interface.

viragomann

You have to add routes to the physical firewall for each of your subnets behind pfSense. Have you done that?

wasim.ahmed

@viragomann:

You have to add routes to the physical firewall for each of your subnets behind pfSense. Have you done that?

You mean a route under Outbound on the physical pfSense? But I am merely trying to port forward from the physical pfSense LAN interface to the VM pfSense WAN interface.

KOM

Have you looked at this?

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

viragomann

Your physical pfSense must know that the 172.16.10.x networks are behind 10.0.0.10, otherwise it will direct traffic to these networks to its default gateway.

So you have to add static routes for the 172.16.10.x networks and set 10.0.0.10 as gateway. That can be done in System > Routing.
On the Gateways tab add 10.0.0.10 as gateway on the LAN interface. Then go to the Static Routes tab and add a route for each of your 172.16.10.x networks and select the gateway you've added before. If you don't have other subnets in that range you may also conflate all subnets in 172.16.0.0/19.

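The route plan viragomann describes, worked through as an added example (it is not code from the thread or from pfSense): it derives the summary prefix for the subnets behind the VM firewall, checks that the gateway actually sits on the physical firewall's LAN (pfSense only accepts a gateway on a directly connected interface), and shows how much unrelated address space a 172.16.0.0/19 summary would attract, which is the caveat behind "if you don't have other subnets in that range". The addresses are the thread's; the function names are mine.

```python
import ipaddress

# Addressing as stated in the thread (constructed sample values, not read from a device).
PHYSICAL_LAN = ipaddress.ip_network("10.0.0.0/24")       # #1 pfSense LAN
VM_WAN_GATEWAY = ipaddress.ip_address("10.0.0.10")       # #2 pfSense WAN = next hop
BEHIND_VM = [ipaddress.ip_network(n) for n in
             ("172.16.0.0/24", "172.16.10.0/24", "172.16.20.0/24", "172.16.30.0/24")]


def smallest_supernet(nets):
    """Smallest single prefix that covers every network in nets."""
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    return agg


def uncovered(agg, nets):
    """Blocks inside agg that none of nets uses: the space a summary route silently attracts."""
    pieces = [agg]
    for n in nets:
        pieces = [q for p in pieces
                  for q in (p.address_exclude(n) if n.subnet_of(p) else [p])]
    return sorted(pieces)


def plan_static_routes(nets, gateway, gateway_lan, summarize=False):
    """Return (routes, warnings) for the static routes the physical firewall needs."""
    warnings = []
    if gateway not in gateway_lan:
        warnings.append(f"gateway {gateway} is not inside {gateway_lan}")
    routes = [smallest_supernet(nets)] if summarize else sorted(nets)
    for r in routes:
        if r.overlaps(gateway_lan):
            warnings.append(f"route {r} overlaps the firewall's own LAN {gateway_lan}")
    if summarize:
        spare = uncovered(routes[0], nets)
        if spare:
            warnings.append(f"summary {routes[0]} also covers {len(spare)} unused block(s); "
                            "fine only if nothing else lives there")
    return routes, warnings


if __name__ == "__main__":
    for summarize in (False, True):
        routes, warns = plan_static_routes(BEHIND_VM, VM_WAN_GATEWAY, PHYSICAL_LAN, summarize)
        for r in routes:
            print(f"static route {r} via {VM_WAN_GATEWAY}")
        for w in warns:
            print("warning:", w)
```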
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.