Requiring Firewall Help to Communicate between Different Networks



  • Hi guys, I'm completely new to pfSense, but wanted to try and create a networking environment using Cisco Routers and pfSense.

    To give a background I have two sites:

    • Head Office (192.168.100.0 Network)
    • Sample Site (192.168.1.0 Network)
    • WAN Connection Between Both (10.0.0.0 Network)

    The problem that I'm encountering is that I can't communicate between them because pfSense is stopping the traffic as it should be.

    I want the simplest rule to allow all traffic between the two networks. I know the networking works, because if I disable pfSense's firewall and turn it into a routing platform, traffic flows.

    Here's my network topology:
    [image: Network Topology]

    Remember that I'm completely new to pfSense and networking in general so go easy on me haha!

    Thanks.


  • LAYER 8 Rebel Alliance

    With RFC1918 on WAN you need to disable Block private networks for both of your WAN Interfaces.

    -Rico



  • For the pfSense machine on the left hand side network, the setting 'Block Private Networks' is un-ticked and still doesn't work unfortunately.

    The other side is a Cisco router and just routes traffic, so it's definitely just something to do with the one instance of pfSense.


  • LAYER 8 Global Moderator

    And what rules do you have on the WAN? You do understand that out of the box pfSense would NAT traffic to your WAN as well.

    What is this UDP tunnel you speak of - did you set up a VPN? Site-to-site?



  • Edit: Thanks for your reply and ignore my newbieness haha!

    The UDP tunnel is nothing to worry about. It's just a simple tunnel to connect two physical machines in GNS3 using a cloud node.

    I don't have any rules on the WAN interface, as I don't have a clue what to insert; I'm fairly new to networking. The LAN has the auto-created rules and I can ping the 'Head Office' router (10.0.0.2) but not any further (192.168.1.0).

    I currently have everything connected in GNS3 as shown below:

    I'm currently pinging between the 'Container Server - Sample Site' and the 'Debian Server - Head Office'

    The logs are showing in the firewall so that's reassured me, it's me haha:

    Edit: I forgot to mention that even when I add the 'Easy Rule', it still doesn't work for both instances.


  • LAYER 8 Global Moderator

    Well you would have to allow what you want on your WAN; if you want to get to something behind pfSense, then you have to allow it!!

    So create the rule on your wan.

    Also, in such a setup you're not going to want to do NAT.

    Can you ping 192.168.1.254?



  • @johnpoz Nope I can't ping 192.168.1.254 from the (192.168.100.0 Network). I can only ping (10.0.0.2).

    I'll try adding in the WAN rules. These will be hilarious to you haha.
    I add this rule which should allow traffic on the WAN with the source (192.168.1.0 Network) to communicate with pfSense LAN (192.168.100.0 Network), but nothing.


    EDIT: I went into the NAT settings and disabled Outbound NAT like you said and it worked. I could communicate from the pfSense LAN (192.168.100.0) to the other network (192.168.1.0).

    I'm going to try the other way around to see if I can ping from the other network (192.168.1.0) to the pfSense LAN (192.168.100.0). I will report back.



  • @johnpoz I want to create a separate post for more information.

    After deleting the rule and seeing the LAN ping out I realised that my rule did nothing and it was the button to disable the outbound NAT which allowed the connection from pfSense to the other network.

    So my main problem now is to allow traffic inside pfSense's LAN (192.168.100.0) from the other network (192.168.1.0)



  • @johnpoz I tried adding an easy rule to allow the traffic from (192.168.1.0) to (192.168.100.0) but nothing. I even tried adding a 'WAN' - 'Any', 'Any' rule but still nothing unfortunately.



  • LAYER 8 Rebel Alliance

    What is your default Gateway?
    You need to tell pfSense how to reach this 192.168.1.0/24 network. This can be done with a static route or default Gateway set to 10.0.0.2

    -Rico



  • @Rico Thanks for your help man. I had my pfSense WAN Gateway set as '10.0.0.1' and not the '10.0.0.2' router for the other site. It worked without the route but I added it for good measure.

    So when adding a route previously it was referring to itself haha. Changed the WAN Gateway to '10.0.0.2' and added an any, any rule. Traffic started to flow.

    I can't thank you all enough for your help regarding the situation. Especially yourself @Rico and @johnpoz! 😄

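The thread above boils down to four independent settings on the Head Office pfSense box: the RFC1918 block on WAN, outbound NAT, a WAN pass rule, and a usable route to the remote site. The pf.conf below is an added, hand-written example (not code from the thread, and not the ruleset pfSense itself generates, which is richer and is rewritten by the GUI) that shows each of them in raw pf terms. The addresses are the thread's; the interface names em0/em1 and the pfSense LAN address 192.168.100.1 are assumptions.

```pf
# Added example: pf.conf modelling the Head Office pfSense box from the thread.
# Interface names (em0/em1) and the LAN address 192.168.100.1 are assumed.
wan = "em0"                     # 10.0.0.1, facing the Cisco router at 10.0.0.2
lan = "em1"                     # 192.168.100.1/24 (assumed)
lan_net    = "192.168.100.0/24" # Head Office, behind pfSense
remote_net = "192.168.1.0/24"   # Sample Site, behind the Cisco router
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# 1. "Block private networks" on WAN is this rule. It stays commented out:
#    with RFC1918 on the WAN link it would drop every packet from 192.168.1.0/24
#    before any pass rule is evaluated, which is what Rico pointed out.
# block in quick on $wan from <rfc1918> to any

# 2. Outbound NAT is this rule. It also stays commented out: on a routed
#    site-to-site link it rewrites LAN sources to 10.0.0.1, so the Cisco side
#    never sees 192.168.100.0/24 as a source it can address directly.
# nat on $wan from $lan_net to any -> ($wan)

set skip on lo0
block log all                   # default deny, the same posture pfSense starts from

# 3. The WAN pass rule ("Easy Rule" / WAN any-any in the thread), narrowed to the
#    two sites so nothing else on the transit network is admitted.
pass in quick on $wan inet from $remote_net to $lan_net keep state

# The auto-created "LAN net to any" rule that lets Head Office initiate traffic.
pass in quick on $lan inet from $lan_net to any keep state

# 4. Routing is not pf's job. The kernel still needs a route to 192.168.1.0/24
#    via 10.0.0.2 (pfSense: a gateway of 10.0.0.2, or a static route using it).
#    Shell equivalent on FreeBSD: route add -net 192.168.1.0/24 10.0.0.2
#    A gateway of 10.0.0.1 is pfSense's own WAN address, so packets for the
#    remote site have nowhere to go and both ping directions fail, exactly the
#    symptom seen before the gateway was changed.
```

Syntax-check a file like this with `pfctl -nf pf.conf` before loading it with `pfctl -f`. On a real pfSense install the GUI regenerates /etc/pf.conf on every filter reload, so the point of the example is to see which GUI toggle maps to which rule (and that the route is outside pf entirely), not to paste it over the generated file.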

  • LAYER 8 Rebel Alliance

    Glad you have it working now. ☺

    -Rico

