<![CDATA[Pfsense Multiple Layers]]>Hi all.

I have been using pfsense for a number of years successfully and have now come up against a problem that I cant seem to find the answer to.

I have 2 pfSense routers both of which are in a Xen Virtual Server

The first has our external facing IP and is used to connect the multiple buildings across the site. It has an address range of 172.16.0.1 /24 which buildings connect to.

The second router is for the main office and is connected via a virtual network within the Xen Server. It has a WAN address of 172.16.0.9 and LAN in the range of 192.168.9.1 /24

I can access the internet on all the devices on the 192.168.9 network however I cant access the 172.16.0.1 router from this network to manage it.

Can anyone please help? Thanks in advance!

]]>https://forum.netgate.com/topic/140630/pfsense-multiple-layersRSS for NodeTue, 10 Mar 2026 21:30:20 GMTFri, 15 Feb 2019 14:46:38 GMT60<![CDATA[Reply to Pfsense Multiple Layers on Fri, 15 Feb 2019 15:53:18 GMT]]>That should not apply in this situation as 172.16.0.1 is the internal IP of the outer firewall so, presumably, does not have a gateway and hence also wouldn't have those rules.
It doesn't apply to the inner firewall as that is outbound traffic from a device on the 192.168.9.X subnet which is always allowed.

I assume you are NATing the outbound traffic in the inner firewall, the default configuration?

I would run a packet capture first on the WAN interface of the inner firewall. Filter by host IP 172.16.0.1 and try to access the outer firewall from a client on the 192.168.9.X subnet.

If you see traffic there try the same thing on the outer firewall LAN interface.

Either the outer firewall is blocking that traffic deliberately or it has some touting problem that means it cannot reply. For example perhaps that traffic is not being NAT'd for some reason so it has no route back to 192.168.9.X. The packet cap should show what's happening.

Steve

]]>https://forum.netgate.com/post/824224https://forum.netgate.com/post/824224Fri, 15 Feb 2019 15:53:18 GMT<![CDATA[Reply to Pfsense Multiple Layers on Fri, 15 Feb 2019 14:50:12 GMT]]>For management access at WAN with RFC1918 address you first need to uncheck
Interfaces -> WAN
Block private networks and loopback addresses
and setup your Rules for the management ports under Firewall -> Rules -> WAN

-Rico

]]>https://forum.netgate.com/post/824217https://forum.netgate.com/post/824217Fri, 15 Feb 2019 14:50:12 GMT