VM pfSense behind a Hardware pfSense port forwarding not working



  • Hello,

    I have a physical pfsense which is acting as the perimeter firewall. I also have a VM environment with multiple VLANs and need to isolate each subnet. So I put a VM pfsense after the physical pfsense. Currently, the IPs are set as follows:

    Physical pfSense (#1 pfsense)
    WAN: Public IP
    LAN 10.0.0.1/24

    VM Pfsense (#2 pfsense)
    WAN: 10.0.0.10/24
    LAN: 172.16.0.1/24
    OPT1: 172.16.10.0/24
    OPT2: 172.16.20.0/24
    OPT2: 172.16.30.0/24

    I have some port forwarding on physical pfsense as follows:

    Internet > #1 pfsense Port 9001-9003 > #2 pfsense Port 9001 > 172.16.10.2
    Internet > #1 pfsense Port 9001-9003 > #2 pfsense Port 9002 > 172.16.20.2
    Internet > #1 pfsense Port 9001-9003 > #2 pfsense Port 9003 > 172.16.30.2

    The issue is no port forwarding is taking place from #1 to #2. Ping from #1 to #2 wan also does not show any result. I made sure that the Block private networks and loopback addresses option is unchecked on #2 pfsense WAN interface. #2 pfsense can ping out to the internet.

    What else needs to be done to make #2 talk to #1?



  • Do you have your WAN set to block private networks, which is usually the default setting? That will block everything coming from private IP space, such as your pings.



  • @KOM:

    Do you have your WAN set to block private networks, which is usually the default setting? That will block everything coming from private IP space, such as your pings.

    No, the block private IP option is unchecked on #2 pfsense WAN interface.



  • You have to add routes to the physical firewall for each of your subnets behind pfSense. Have you done that?



  • @viragomann:

    You have to add routes to the physical firewall for each of your subnets behind pfSense. Have you done that?

    You mean route under Outbound on physical pfsense? But I am merely trying to port forward from physical pfsense LAN interface to VM pfsense WAN interface.





  • Your physical pfSense must know that the 172.16.10.x networks are behind 10.0.0.10, otherwise it will direct traffic to these networks to its default gateway.

    So you have to add static routes for the 172.16.10.x networks and set 10.0.0.10 as gateway. That can be done in System > Routing.
    On the Gateways tab add 10.0.0.10 as gateway on the LAN interface. Then go to the static routes tab and add a route for each of your 172.16.10.x networks and select the gateway you've added before. If you don't have other subnets in that range you may also conflate all subnets in 172.16.0.0/19.
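    As an added illustration of the routing point made in this reply (not code from the thread or from pfSense itself), the following Python script models the physical pfSense's routing table and shows why a static route is needed: with only a default route, a packet for 172.16.10.2 is sent out the WAN gateway; with a static route via 10.0.0.10 it goes out the LAN. It also checks that the suggested 172.16.0.0/19 aggregate actually covers every subnet listed in the thread and flags overlap with any other range. The addresses are the thread's own; the WAN gateway address and the example "other range" are constructed placeholders.

```python
import ipaddress

# Constructed placeholder for the ISP gateway on the physical pfSense WAN.
DEFAULT_GW = "203.0.113.1"


def build_table(static_routes):
    """Return the #1 pfSense routing table as (network, next_hop, interface).

    The table always has a default route out WAN and the directly connected
    10.0.0.0/24 LAN; static_routes is a list of (prefix, gateway) pairs, all
    reachable via the LAN interface, as the reply suggests configuring.
    """
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), DEFAULT_GW, "WAN"),
        (ipaddress.ip_network("10.0.0.0/24"), None, "LAN"),  # directly connected
    ]
    for prefix, gw in static_routes:
        table.append((ipaddress.ip_network(prefix), gw, "LAN"))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route decides."""
    ip = ipaddress.ip_address(dst)
    best = max((e for e in table if ip in e[0]), key=lambda e: e[0].prefixlen)
    next_hop = best[1] if best[1] is not None else "connected"
    return next_hop, best[2]


def aggregate_covers(aggregate, subnets):
    """True if every subnet fits inside the proposed summary route."""
    agg = ipaddress.ip_network(aggregate)
    return all(ipaddress.ip_network(s).subnet_of(agg) for s in subnets)


def overlapping(aggregate, other_nets):
    """Ranges that the summary route would wrongly steer to 10.0.0.10."""
    agg = ipaddress.ip_network(aggregate)
    return [n for n in other_nets if ipaddress.ip_network(n).overlaps(agg)]


if __name__ == "__main__":
    vm_subnets = ["172.16.0.0/24", "172.16.10.0/24",
                  "172.16.20.0/24", "172.16.30.0/24"]
    # Without static routes: 172.16.10.2 is sent to the ISP gateway.
    print(lookup(build_table([]), "172.16.10.2"))
    # With the single aggregate route: it is sent to the VM pfSense WAN.
    print(lookup(build_table([("172.16.0.0/19", "10.0.0.10")]), "172.16.10.2"))
    print(aggregate_covers("172.16.0.0/19", vm_subnets))
    # Constructed example of another range that would collide with the /19.
    print(overlapping("172.16.0.0/19", ["172.16.5.0/24", "192.168.1.0/24"]))
```

The `aggregate_covers` check is the caveat from the last sentence of the reply: 172.16.0.0/19 spans 172.16.0.0 through 172.16.31.255, so it includes all four VM-side networks, but any other 172.16.0.x to 172.16.31.x range in use elsewhere would be pulled toward 10.0.0.10 too, in which case per-subnet /24 routes are the safer choice.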