How to configure? (Fritz.Box - Proxmox - Pfsense)



  • Dear Community,

    First, let me excuse myself: I'm new to the world of networking and want to use this situation to get into it and start learning. So if you spot obvious mistakes or missing information, please let me know.

    Infrastruktur + Lab Environment 1.23 - Kopie.png

    This picture should help to get an overview of the network. All information is correct besides the Zentyal and Windows 7 VM (the *.3.0 network can be ignored).

    What do I want to accomplish?
    I want a second network (192.168.30.0/24) besides the existing 192.168.1.0/24.
    So far it's working. Both networks have DHCP active. Since they are different networks it should be okay.
    The problem is that the two networks won't reach/communicate with each other. Internet isn't working on the lab network either.

    pfSense WAN LAN.PNG
    I thought by setting up WAN & LAN it should be enough to connect the two networks.
    pfSense has two IPs. One for WAN, 192.168.1.5 (in network1), and one for LAN, 192.168.30.1 (in network2). The WAN connection also shows up in my Fritz.Box.
    fritz.box network pfsense showing as online.PNG
    Pinging 192.168.1.5 failed. Pinging 192.168.30.1 surprisingly works, but reaching the web interface doesn't work. Note that I'm pinging from network1.

    I tried to configure a static route but it doesn't seem to fix the issue.
    Fritz.Box Static route to pfSense.PNG

    I'm also confused that I can't set up a second gateway in Proxmox. I thought that each network would get its own gateway, but the network2 gateway links to the network1 gateway.

    Here is the remaining configuration.
    PVE Node Network Settings.PNG
    PVE pfSenseVM.PNG

    Thank you and all the best!

    @edit: I just updated the network overview. Now all information is correct, just that Zentyal isn't running. That seems to be a whole other case.
    Infrastruktur + Lab Environment 1.24.png


  • Netgate Administrator

    Can the pfSense VM reach the internet? Try to ping out from the console for example.

    You appear to have both subnets, 1.0/24 and 30.0/24, connected to the same unmanaged switch. How are they separated?

    Adding a static route to the Fritzbox for 192.168.30.0/24 via 192.168.1.5 will result in asymmetric routing. Ping would likely still work though.
    https://docs.netgate.com/pfsense/en/latest/firewall/troubleshooting-blocked-log-entries-due-to-asymmetric-routing.html

    What firewall rules do you have on the pfSense WAN? It will block pings by default.

    Steve



  • Hey Steve, thanks for the reply.

    I can't reach (ping) the internet from the pfSense VM.

    The firewall settings are the default. I didn't change anything there. Here's a screenshot:
    WAN Firewall.PNG

    Regarding the switch and subnets and how they are separated, I don't really know what you are referring to. You probably mean something like VLANs, right? I don't know much about it and didn't set up VLANs. I read that it won't be a big problem to use two subnets on one switch.

    For testing reasons I just tried to set up two VLANs. I don't know if the configuration is fine or if it's missing something. I used the following documentation (https://kb.netgear.com/31026/How-to-configure-a-VLAN-on-a-NETGEAR-managed-switch) and it now looks like this:
    netgear switch vlan.PNG
    netgear switch vlan1.PNG
    netgear switch vlan2.PNG

    WAN is connected to p12 and LAN is connected to p13.

    Regarding the documentation you linked, I can't follow it. It seems that I lack the knowledge to understand what the article is about. I can't even notice the connections between the sections... sorry.

    Here's one more screenshot of the Gateways, maybe that helps.

    pfsense gateway.PNG

    Thanks



  • The default gateway on pfSense has to be the FB address (192.168.1.1)! You've set it to the pfSense WAN IP.

    Whether you have to use VLANs here depends on how you want to set up your network. You can set it up with NAT or with routes.
    The simpler way will be to do NAT, which is also the default config on pfSense. That means pfSense translates the source addresses in upstream packets to its WAN IP (192.168.1.5) when they are going out the WAN interface. So there is no route necessary on the FB for the 192.168.30.0/24 subnet; the FB only has to send responses to the pfSense WAN IP.
    If you want to reach devices in this subnet from the internet you must forward the traffic to the pfSense WAN address.



    Thanks viragomann, I changed it and it now looks like this:
    pfsense gateway 2.0.PNG

    Do I understand it correctly that the default Gateway is for using Internet and talking to the "main" router and since the internet is coming from the main router one has to use this gateway?
    Another Gateway would be the 30.1 for the internal LAN connections in the Lab-Network?

    And the static route I can just delete in the FB?
    The gateway in the FB static route, 192.168.1.5, was false anyway, wasn't it?

    I changed it and for a short time I could access the 1.0 network via browser from the 30.0 network. Now, after a reboot, it won't let me access it again.
    From the 1.0 network I can't reach/access the 30.0 network, for example to open the pfSense web interface located at 30.1.

    I don't get it... I tried to educate myself but it's hard to know in which environment I need to change something.

    So I don't need to create a static route in pfSense because pfSense uses the WAN connection for upstream packets, and the FB won't need a static route either? How does the FB know that requests for the 30.0 network should be sent to 1.5?


  • Netgate Administrator

    Hmm, OK there are a number of issues here....

    With those firewall rules no traffic is passing into the pfSense WAN interface. Thus it doesn't respond to pings.

    The fact you can ping anything on the 192.168.30.0 subnet shows that traffic is going past the firewall entirely. Those subnets exist on the same network segment. You don't want that if you are hoping to filter traffic with the firewall.

    Add a firewall rule on WAN to just pass all traffic for now. Remove 'block private networks' from Interfaces > WAN.

    Remove connections from the 192.168.30.X subnet to that switch that is in front of pfSense.

    Set the fritzbox gateway as the default.

    Steve



  • @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense):

    Do I understand it correctly that the default Gateway is for using Internet and talking to the "main"

    Almost.
    pfSense sends any traffic which has a destination address outside of the subnets defined on its own interfaces to the default gateway. So yes, packets to the internet are sent to the default gateway, however, packets to any other subnet which are not known by pfSense as well.

    @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense):

    Another Gateway would be the 30.1 for the internal LAN connections in the Lab-Network?

    You must not set a gateway on the LAN interface. You have to remove this again.

    Additionally you have to set the "FritzBoxGateway" as default to get upstream traffic to work.

    @inHell said in How to configure? (Fritz.Box - Proxmox - Pfsense):

    And the static route i can just delete in the FB?

    As stated above, you have to decide if you want to set up a routing or a NAT network environment.
    If you prefer routing you have to add NAT rules for incoming traffic for the 30.0 subnet on the FB directly by using the device IP addresses out of 30.0. In this environment you will still need that route on the FB and you should turn off NAT on the pfSense.
    If you use NAT you don't need that route, you have to forward any traffic for the 30.0 subnet to pfSense and on pfSense you have to add further NAT rules to forward the traffic to the destination devices.
    However, all that is not necessary to get internet access to work.
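    The forwarding and NAT behaviour described in the last two replies, as an added worked model (example code, not pfSense code or anything posted in the thread): it uses the thread's addresses (WAN 192.168.1.5, LAN 192.168.30.0/24, Fritz.Box 192.168.1.1 as default gateway) and shows why the FB needs no static route when pfSense does outbound NAT, but does need one in the pure-routing setup; the sample LAN host 192.168.30.50 is constructed.

```python
import ipaddress

# Constructed model of the pfSense VM from the thread (not pfSense's own code).
WAN_IP = ipaddress.ip_address("192.168.1.5")
FRITZBOX_GW = ipaddress.ip_address("192.168.1.1")   # default gateway, as advised
INTERFACES = {
    "WAN": ipaddress.ip_network("192.168.1.0/24"),
    "LAN": ipaddress.ip_network("192.168.30.0/24"),
}


def next_hop(dst):
    """Route lookup as viragomann describes it: a destination inside a subnet
    configured on one of pfSense's interfaces is delivered directly on that
    interface (gateway None); anything else goes to the default gateway."""
    dst = ipaddress.ip_address(dst)
    for name, net in INTERFACES.items():
        if dst in net:
            return name, None
    return "WAN", str(FRITZBOX_GW)


def forward(src, dst, nat=True):
    """Forward one packet and return (egress interface, next hop, source
    address the next hop sees). With nat=True the default outbound NAT
    rewrites the source of LAN traffic leaving WAN to the WAN IP."""
    iface, gw = next_hop(dst)
    src_ip = ipaddress.ip_address(src)
    if nat and iface == "WAN" and src_ip in INTERFACES["LAN"]:
        src_ip = WAN_IP
    return iface, gw, str(src_ip)


def fritzbox_can_reply(src_seen, fb_static_routes):
    """The FB can send a reply only if the source it saw is on its own
    192.168.1.0/24 or covered by a static route ({network: gateway})."""
    s = ipaddress.ip_address(src_seen)
    if s in INTERFACES["WAN"]:
        return True
    return any(s in ipaddress.ip_network(n) for n in fb_static_routes)


if __name__ == "__main__":
    # NAT setup: the FB only ever sees 192.168.1.5, so no route is needed.
    _, _, seen = forward("192.168.30.50", "8.8.8.8", nat=True)
    print("NAT, FB sees", seen, "reply possible:", fritzbox_can_reply(seen, {}))
    # Routing setup: the FB sees 192.168.30.50 and needs the static route.
    _, _, seen = forward("192.168.30.50", "8.8.8.8", nat=False)
    print("routed, FB sees", seen, "reply without route:", fritzbox_can_reply(seen, {}),
          "with route:", fritzbox_can_reply(seen, {"192.168.30.0/24": "192.168.1.5"}))
```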

