Routing out to Internet through pfSense HW
Coops:
I have inherited a client and had to get a leased line and new switching infrastructure in place and mimic the old config.
There are 3 VLANs on the switches: a Server VLAN (1) 192.168.0.0/24, a PC VLAN (3) 192.168.3.0/24, and a point-to-point/trunk VLAN (2) 192.168.254.0/24 that connects the L3 switches to the pfSense hardware firewall.
Routing is working across the VLANs as it should but I cannot get out to the internet via the switches which have the firewall 192.168.254.254 as the next hop. There are 2 x DNS servers on the internal domain 192.168.0.1/2 that dish out DHCP and the switches set the network route out.
I am very new to the pfSense range and have gone this way on recommends but am hitting a brick wall at the moment.
If I connect directly into the pfSense I can get out to the internet fine. I have set up OpenVPN, and when I connect I can get to all of the internal VLANs, so routing is working that way. I'm not sure if there is something DNS-resolver-wise or outbound-rule-wise that I have missed.
The default LAN rules pass traffic from LAN net. This is the subnet of the LAN interface.
You need to:
- Pass traffic into LAN by adding pass rules passing the downstream source networks.
- Check Firewall > NAT, Outbound to be sure Automatic NAT picked up the downstream routed networks as source networks to NAT. If not, set hybrid mode and duplicate the two NAT rules for LAN to encompass the downstream networks on the switch.
You might also consider creating another interface for the transit network to the switch so LAN is available for LAN hosts. Placing hosts on that LAN network with the two routers generally leads to nothing but asymmetric routing pain. The only interfaces on the transit network should be routers that know how to route everywhere (two routers can generally use static routes, three generally benefit from a routing protocol like OSPF as network routing complexity increases).
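Added here as an illustration, not part of the thread: a small Python model of the checklist above that audits whether each downstream subnet is passed on LAN, covered by outbound NAT (automatic/hybrid mode picks up networks with static routes), and has a static route back through the switch. The switch's transit address 192.168.254.1 is an assumed placeholder; the thread does not give it.

```python
import ipaddress

# Constructed model of the relevant pfSense settings (not pfSense's own config
# format): LAN subnet, LAN pass-rule sources, outbound NAT mode/sources, and
# static routes the firewall knows for the downstream networks.
DOWNSTREAM = [ipaddress.ip_network("192.168.0.0/24"),
              ipaddress.ip_network("192.168.3.0/24")]

def covered(net, sources):
    """True if net lies inside at least one configured source network."""
    return any(net.subnet_of(ipaddress.ip_network(s)) for s in sources)

def audit(cfg, downstream=DOWNSTREAM):
    """Return (network, problem) findings; empty means every downstream subnet
    is passed on LAN, NATed outbound, and routable back to the switch."""
    findings = []
    nat_sources = list(cfg["nat_sources"])
    # Automatic and hybrid outbound NAT also generate rules for the LAN subnet
    # and for every network that has a static route; manual mode does not.
    if cfg["nat_mode"] in ("automatic", "hybrid"):
        nat_sources += [cfg["lan_net"]] + [r["network"] for r in cfg["static_routes"]]
    for net in downstream:
        if not covered(net, cfg["lan_pass_sources"]):
            findings.append((str(net), "no LAN pass rule for this source"))
        if not covered(net, nat_sources):
            findings.append((str(net), "not covered by outbound NAT"))
        if not any(ipaddress.ip_network(r["network"]) == net for r in cfg["static_routes"]):
            findings.append((str(net), "no static route back via the switch"))
    return findings

# Default install: only the "LAN net" pass rule, automatic NAT, no routes.
BEFORE = {"lan_net": "192.168.254.0/24",
          "lan_pass_sources": ["192.168.254.0/24"],
          "nat_mode": "automatic", "nat_sources": [], "static_routes": []}

# After applying the advice: pass rules for the downstream networks, hybrid
# NAT with rules for them, and static routes via the switch (assumed address).
AFTER = {"lan_net": "192.168.254.0/24",
         "lan_pass_sources": ["192.168.254.0/24", "192.168.0.0/24", "192.168.3.0/24"],
         "nat_mode": "hybrid",
         "nat_sources": ["192.168.0.0/24", "192.168.3.0/24"],
         "static_routes": [{"network": "192.168.0.0/24", "gateway": "192.168.254.1"},
                           {"network": "192.168.3.0/24", "gateway": "192.168.254.1"}]}

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(cfg) or "OK")
```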
Coops:
Thanks very much, the automatic rules did seem to populate.
I'm going to site later to look further into enabling the physical connection to the infrastructure.
Using LAN is OK as long as you understand that you almost certainly shouldn't put anything but other routers with full infrastructure routing knowledge on LAN.