pfsense configuration problem

randym

We are replacing some ancient Cisco ASAs with pfsense firewall appliances. Our network looks like this:

External Router ---> PFsense WAN Port ---> PFSense LAN Port (192.168.1.2) ---> Internal Switch (192.168.1.1)

Currently I can pass traffic from the lan to wan with no issues. However, there are 8 other VLANs that need to be able to pass traffic to the internet. Since the gateways for all of the VLANS including the 1.x reside on the Internal switch, I don't want to create the VLANs on the pfsense appliance. In order to create static routes for each VLAN, gateways are required. Your documentation indicates that the only gateway that should be created on the pfsense is the WAN GW. This does not work for creating static routes for each of the existing VLANs on the network. Can you please explain to me how to create the static routes for each VLAN and make use of the existing gateways?

NogBadTheBad

Create a Gateway:-

System-> Routing -> Gateways

Then point your statics to it:-

System -> Routing -> Static Routes

Also you'll need a default route on the switch, but I'm sure you know that.

randym

So what you are saying is that I should create a LAN gateway using my LAN IP and point all of my statics to that gateway? Isn't that exactly what the documentation says not to do?

viragomann

@randym
Your set up isn't clear. Since you say the VLAN 1.x (guessing 192.168.1.0/24) resides on the internal switch, I think this means, they are behind the switch. So the 192.168.1.0/24 cannot be between pfSense and the switch at the same time as your IPs suggests.

If you have subnets behind the switch the pfSense-facing interface IP of the switch has to be defined as gateway as @NogBadTheBad suggested.

Additionally you have to switch the outbound NAT into the hybrid mode and add rules for the VLANs behind the switch.

NogBadTheBad

@randym said in pfsense configuration problem:
"Isn't that exactly what the documentation says not to do?" where does it say that ?

The Gateway doesn't appear as a pull down option in statics if you don't.

The link between pfSense and your switch is a transit network correct ?

You could always run a routing protocol like ospf on pfSense and the switch, but that seems kinda overkill.

https://docs.netgate.com/pfsense/en/latest/routing/gateway-settings.html

"A gateway is a system through which pfSense software can reach the Internet or another network, so if multiple WANs are in use, or multiple paths to the Internet via different gateways, the associated gateways must be defined. Gateways must also be defined for networks reachable via Static Routes."

randym

For lack of a better term, yes.

randym

The reason I asked the question, besides the fact that I have been unable to get any configuration to work, is that the documentation clearly states that if you assign a gateway to a LAN interface, PFSense now sees that interface as a WAN interface and you run in to problems. It never made any sense to me, since all networks require a gateway in order to communicate properly. I understand that if you assign an IP to the LAN interface, PFSense automatically assumes that the interface is the gateway, but that may not always be the case. Perhaps the documentation should be updated to reflect using gateways on LAN or VLAN interfaces as an appropriate configuration.

viragomann

I don't know, where you read that, I guess in the interface configuration area.
In Interfaces > LAN you should not state a gateway except you need it as upstream gateway.
However, gateways needed for routing have to be defined in System > Routing > Gateways. After that you can need it for static routes. That's what you should do here.

johnpoz

@randym said in pfsense configuration problem:

It never made any sense to me, since all networks require a gateway in order to communicate properly.

Not sure where you got that idea.. I only need a gateway to talk to some "other" network.. I don't need a gateway to talk to anything on the network connected to..

Lan interface will never need to get off LAN... it is the "gateway" for device the lan. Same goes for any other interface you create on pfsense, be it native or vlan.. Only the interface that has a gateway it can talk to get to other networks should have that set.. Its now considered by pfasense a WAN connection, or atleast a transit network... used to get to other networks..

Once you create a gateway on the inteface - pfsense oh I can use that gateway via this network to get to other networks, ie WAN!!

The documentation is very clear..

randym

@johnpoz
Perhaps that is true in pfsense, but not switches and routers. Default gateways have to be configured in order to get traffic to move correctly. Even in pfsense it has a gateway, it just assumes that the IP on the LAN is the gateway IP, so you don't have to set one. However, if you are using a switch or router in conjuction and just using the PFSense as a firewall, then I seem to run into problems getting things to route properly. I have followed the recommendations made above and still can't get the other subnets to communicate with the WAN. I have rules in place that basically make this thing a router, not blocking anything internally, only on the WAN. Outbound NAT is set to allow all ports on all networks to NAT to the WAN interface.

randym

@viragomann
Turn on the PFSense appliance without a configuration, assign your interfaces and then set the IP. When you are setting the IP for the LAN it will tell you not to set a gateway for a LAN, they are only used for the WAN.

viragomann

@randym said in pfsense configuration problem:

When you are setting the IP for the LAN it will tell you not to set a gateway for a LAN, they are only used for the WAN.

That's absolutely correct. In this configuration section pfSense is asking for upstream gateways. Since you won't have an upstream gateway (default gateway) connected to the LAN interface, you have to set this to 'none'.
That's the same gateway setting as I mentioned above in the GUI: Interfaces > LAN. As well as in any other interface setting and is meant for multi-WAN purposes.

I assume, you have troubles to differ gateway and upstream (default) gateway.
When you define an upstream gateway pfSense sets the default route directing any traffic to it, which is not destined to a network connected to pfSense directly.
However, a simple gateway may be any IP address (any device) within a subnet configured on an interface. I.e. when your LAN network is 192.168.1.0/24 any IP from 192.168.1.1 to 192.168.1.254 can be defined as gateway in System > Routing > Gateways. That does nothing for now. But after you can add a special (static) route for a network that is reachable over this gateway in System > Routing > Static Routes as explained above.

So presumed, your router or switch in front of your VLANs has the IP 192.168.1.3 (within the LAN subnet), so you have to add this IP as gateway here and then set a (or multiple) static route(s) for the VLANs behind the router using this gateway.
But as already mentioned above if one of you VLANs behind the switch owns the subnet 192.168.1.0/24 you must not assign the same subnet to the pfSense LAN interface, otherwise the communication with this VLAN won't work.

johnpoz

@randym said in pfsense configuration problem:

Perhaps that is true in pfsense, but not switches and routers.

Dude not sure what your talking about... I have worked with global networks and DCs for going on 30 some years.. So I know thing or 2 about routers, switches and networks ;) And no a interface does not need a gateway unless its "wan" connection or a transit connection.. And its almost never on the actual interface... Its just a ROUTE to get somewhere..

We have multiple layer 3 switches (routers) in one our DC in hou that I access all the time.. Tell you right now pretty much no interfaces have gateways set on them.. There is a default route, and then other routes, etc.. .They are not gateways on the actual interface, this really only done on the default connection.

Why don't you draw up your network and we can discuss what your doing wrong. I can tell you what is very common mistake around here putting a downstream router on a host network vs a transit network - so asymmetrical routing seems to be a common user error.

randym

@johnpoz
I have been working on them for over 25 years and I know a thing or two about them too. Any time you create a VLAN in a switch you assign an interface and an IP. That IP is always the gateway for that subnet. No matter how you want to look at it all subnets have a gateway and a broadcast IP, that is how they are designed in IPv4. You may not call them that, but that is what they are. Routes have to have, especially in pfsense, a gateway in order for them to work correctly.

KOM

This is starting to smell like a thread that's going south real fast.

randym

@viragomann
So what I am hearing you say is, that I cannot use a subnet that is on the switch. So right now, 192.168.1.1 is VLAN 1 on my switch. If I want the pfsense to work correctly, I need to choose an IP that does not belong to any VLANs on the switch to configure the pfsense. This becomes my transit network as discussed by @johnpoz. Thus the pfsense LAN interface becomes the transit interface for all of the other VLANs to communicate with the WAN interface. Now the question of routing comes into play. Each subnet actually does have a gateway, (upstream gateway), I tend to think of them as the same thing, because their function is the same, it's just that one resides remote to the box communicating. So take the 1.1 subnet. If I want to have this subnet communicate with the internet, I need to create a special static route that points to the LAN interface of the pfsense, is that correct or did I miss something?

randym

@KOM

No, it is just a difference in the usage of terms. John and I have no beef, just a lack of understanding due to a difference in terminology usage.

johnpoz

There is a HUGE difference between setting a gateway on an interface, and the gateway for the network.. .On the router, yes the interface on the router will be the gateway of that network to talk to that router and get to other networks... BUT it is NOT set on the router as a gateway.. It would only be set on the hosts in that network.. Which has zero to do with setting a gateway on an interface on any sort of router or L3 switch doing routing.

Your using the term wrong! ;) And to anyone concerned - I don't have any beefs.. Misuse of terms on his part is the problem ;) heheh

PFSense automatically assumes that the interface is the gateway,

Pfsense doesn't assume anything as a gateway... Just because you set a IP on an interface. That is just an interface IP on the router - psfense sees it as nothing more. Now hosts on that network need to use that as their gateway ;)

randym

@johnpoz

The issue is not in the usage of the term, but in where it is being used. Let's look at the pfsense, for instance. We are talking about the LAN interface and setting the IP for the LAN interface. This is an interface and not a network, yet in this instance it is being used as both. This is what is causing some of the misunderstandings that people are having. If I am understanding what @viragomann is saying correctly, the LAN interface IP can not be an IP that is managed by a remote VLAN on my switch. Thus the LAN interface becomes the transit network for all traffic that needs to reach the WAN interface from the remote switch. Routing for each subnet that needs to reach the WAN needs to be set on the the pfsense. If I understand correctly, that routing needs to take the subnet (example 192.168.1.0/24) and point it to the LAN interface in order for the traffic to traverse the firewall and reach the internet. Is that what you have been trying to say?