New to PFsense and I need help with my network setup

dhayes

My network consist of 4 sites. site1 - 192.168.1.0, site2 - 192.168.2.0, site3 - 192.168.3.0, site4 - 192.168.4.0.  The pfsense box is housed at site1 and is bind locally on the LAN side as 192.168.1.1 and WAN side to the internet at 216.x.x.x. All other sites are connected  via MPLS routers and connect at site1 router @ 192.168.1.3 to the pfsense box which provides internet access the whole agency. Myproblem is the pfsense box is not allowing the other site internet access and I know it's a pfsense configuration issue. I've setup rules for each site, static routes  and NAT, but Site2 thru site4 cannot surf the internet. They can get to the local servers housed at site1 and I can ping the other sites gateways. Please help me with any suggestions or pfsense configuration ideas.
Please excused this if it's a basic routing question I'm a neophyte to this routing arena of IT. :)

dotdash

It would help to know what devices are using for a default gateway at the various sites, and how the routing is setup on those devices. Have you tried pinging hosts at the various sites from the pfSense box itself? That might shed some light. I would suggest posting a network diagram to get more useful responses.

dhayes

Here is a quick drawing. I hope this helps. I also want to add that I replaced a linksys router with the pfsense box, thing this will give me better firewall capabilities and better VPN and router flexibility. The Ascend routers were place by our telecommunication vendor as part of our MPLS setup. Yes, I can ping from the pfsense box to all routers.


jahonix

How does 192.168.3.1 connect to 192.168.1.3 subnet wise?

As mentioned before, give your netmasks and the routing entries in the routers.
What's the netmask of 192.168.1.1 for example: 255.255.255.0 ( = /24)  or 255.255.0.0 ( = /16)  or something inbetween???

dhayes

Subnet mask is 255.255.255.0 ( /24) for all sites.

dotdash

Information on the routers configuration is key. If we assume the remote routers have a route of last resort pointing to the central site router, the central router needs to know the Internet is off the pfSense box. I would test ping connectivity from the firewall and the routers and see what that shows.

dhayes

I will contact the vendor who installed the ascend routers and relay the info when I receive it. I would assume the last resort pointing is to the central site because the pfsense box is replacing the Linksys router that was there and functioning with this same setup and network configurator. I tried to mimick the same setup of the linksys with the static routing on the pfsense box.

dhayes

I' ve spoken with my vendor and he confirmed that the remote routers last resort pointing is to 192.168.1.1 which is the pfsense box LAN card. I hope this helps with clarificaion of the configuration.

jahonix

Your pfSense is 192.168.1.1/24
An IP packet arrives on its LAN port from site1 192.168.3.x/24 (some host there). It is out of pfSense's LAN range and you cannot generate rules to let it pass to WAN except you setup multiple subnets on LAN. Which I wouldn't do.
So how do you want to pass packets from somewhere other than 192.168.1.1-192.168.1.255 through your LAN port?

I'm not the routing expert and am unexperienced with MPLS. If someone wants to add knowledge I'd appreciate it!

dotdash

This should be fine if:

1. You have NAT rules for the additional subnets, or just change the mask from /24 to /16 (yeah, you could use a /22)
2. The rules on the LAN are similarly modified to include the other subnets.
3. The static routes are correctly configured on the pfSense box.
   I've said before, DO SOME PING TESTS from various devices- the firewall, the routers, hosts on the various subnets.

jahonix

@dotdash:

This should be fine if:

Yes, if.
dhayes was asked about these infos a couple of times but is holding back.
With the information given I assume it is not working (I think dhayes didn't even mention the term 'NAT', why should I assume it's configured???)

Anyway, thanks for your feedback.

wtsexton

dhayes, per our conversation on the phone I setup a network which is close to yours.

Adding the static routes and allowing the networks under the LAN firewall section was all that was required to get it working.
Included here is a copy of the configuration and diagram of my test network.

Information in the diagram and configuration were altered for security reasons.

runningconfig.txt

dhayes

Thank you wtsexton
This seems to work and all is well. The reconfiguring of the rules did the trick. Dotdash and Jahonix your assistance and responses were appreciated and helped tremendously.