pfSense behind pfSense - Not getting WAN IP from PFS1
-
@Gblenn yeah, since you mentioned that, I've now started thinking whether that was actually the case under the hood. Well, at least I'll remember to check that from now on.
24.11 is supposed to fix that issue, according to some posts here.
-
@MacUsers
I have experienced several times that it was necessary to restart pfSense to get the outbound NAT working.
-
@viragomann said in pfSense behind pfSense - Not getting WAN IP from PFS1:
I have experienced several times that it was necessary to restart pfSense to get the outbound NAT working.
But how is that related to the fact that it worked when setting a static WAN IP on the second pfSense, but not when set to DHCP? And this was resolved by restarting the first pfSense (handing out IPs).
-
@Gblenn there was a catch - it didn't actually work with a static IP either. I could ping the PFS1 IP after setting up the IP manually, but that's all.
I think the static IP would have worked if I could have set up an upstream gateway, which was prevented by pfSense saying the gateway IP is out of range. But the automatic NAT rules didn't get created in either case - just to clarify.
-
@MacUsers Ah ok, but as soon as it got an IP via DHCP, the NAT rules also got set up correctly I suppose?
-
Yes, without a gateway on the interface there would be no auto outbound NAT rules. But also with a /32 subnet on WAN it couldn't talk to anything else anyway. Not sure why it couldn't have had the expected subnet there, presumably /24.
-
@Gblenn said in pfSense behind pfSense - Not getting WAN IP from PFS1:
Ah ok, but as soon as it got an IP via DHCP, the NAT rules also got set up correctly I suppose?
yeah, that was correct
-
@MacUsers said in pfSense behind pfSense - Not getting WAN IP from PFS1:
hence I created a new VLAN (on LAN interface) on my existing pfSense (PFS1) and hooked up 8200 (PFS2) to that, hoping ....
Wait !!
You can't start hoping at that point. You have to finish your work first. When you create a VLAN 'on one side' (your pfSense 1) you have to duplicate that same VLAN info on the other side ! - in this case your WAN pfSense 2.
After all : the VLAN ID (number) needs to be set on one side, and recognized on the other side.
The other side is normally a smart switch, on which you use one port as the VLAN coming from pfSense which is tagged as a VLAN with ID "ID", and on the smart switch you use the same ID number, and then you assign several ports to it. Those ports go to the ordinary network devices that are not aware of the VLAN magic. So, I presume, as I never did this myself, and I can't test it :
On your pfSense 2 : create a VLAN with the same ID based upon your WAN.
Activate on this VLAN (WAN) interface the DHCP client.
edit : and if this doesn't work, then you have to place a smart switch between PS1 and PS2. Split out the VLAN ID from PS1 out on this switch, and connect the assigned port to the pfSense 2 WAN.
That will work for sure.
-
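The two conditions this thread keeps circling back to are (a) the VLAN ID configured on the PFS1 side has to be the same one PFS2's WAN tags, or the switch port feeding PFS2 has to untag it, and (b) PFS2's WAN needs an address with a sane mask and an on-link gateway, because without a gateway pfSense creates no automatic outbound NAT rule for that interface. The following is an added checker, not code from the thread or from the pfSense project: it models those conditions with constructed interface data and renders the outbound NAT rule that would result in a simplified pf syntax (a hypothetical rendering, not pfSense's own generator). Names such as `WanConfig`, `wan_problems` and `auto_outbound_nat` are assumptions made for this example.

```python
"""Sanity-check a 'pfSense behind pfSense' WAN hookup (added example).

Models the two things the thread turns on:
  1. the VLAN ID must match between PFS1's LAN-side VLAN and PFS2's WAN
     (or the switch port feeding PFS2 must untag that ID), and
  2. PFS2's WAN needs a usable gateway inside its subnet; with no gateway
     there is no automatic outbound NAT for that interface.
All interface data below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple


@dataclass
class WanConfig:
    """Hypothetical view of PFS2's WAN interface settings."""
    name: str
    vlan_id: Optional[int]      # None = interface expects an untagged port
    address: Optional[str]      # e.g. "192.168.20.10/24"; None while DHCP is pending
    gateway: Optional[str]      # e.g. "192.168.20.1"; None if no gateway set


def vlan_matches(pfs1_vlan_id: int, pfs2_wan: WanConfig,
                 switch_untags: bool = False) -> Tuple[bool, str]:
    """Does the VLAN ID PFS1 tags reach PFS2's WAN in a form it understands?"""
    if pfs2_wan.vlan_id == pfs1_vlan_id:
        return True, f"both sides use VLAN {pfs1_vlan_id}"
    if pfs2_wan.vlan_id is None and switch_untags:
        return True, f"switch untags VLAN {pfs1_vlan_id} onto PFS2's WAN port"
    if pfs2_wan.vlan_id is None:
        return False, f"PFS2 WAN is untagged but VLAN {pfs1_vlan_id} arrives tagged"
    return False, f"VLAN mismatch: PFS1 tags {pfs1_vlan_id}, PFS2 expects {pfs2_wan.vlan_id}"


def wan_problems(wan: WanConfig) -> List[str]:
    """Reasons PFS2's WAN cannot reach beyond PFS1 or get automatic outbound NAT."""
    if wan.address is None:
        return ["no address: DHCP lease not received (check the VLAN/switch path first)"]
    problems = []
    iface = IPv4Interface(wan.address)
    if iface.network.prefixlen == 32:
        problems.append("/32 mask: no on-link hosts reachable, gateway cannot be on-link")
    if wan.gateway is None:
        problems.append("no gateway: no automatic outbound NAT rule is created for this interface")
    elif IPv4Address(wan.gateway) not in iface.network:
        problems.append(f"gateway {wan.gateway} is outside {iface.network}: rejected as out of range")
    return problems


def auto_outbound_nat(wan: WanConfig, lan_subnets: List[str]) -> List[str]:
    """Simplified pf-style rendering of the automatic outbound NAT rules.

    Empty when the WAN has no usable gateway, which is the symptom in the thread.
    """
    if wan_problems(wan):
        return []
    return [f"nat on {wan.name} from {net} to any -> ({wan.name})" for net in lan_subnets]


if __name__ == "__main__":
    # Constructed scenarios: a healthy DHCP lease, the static /32 attempt, and a lease still pending.
    healthy = WanConfig("wan_vlan20", 20, "192.168.20.10/24", "192.168.20.1")
    static32 = WanConfig("wan_vlan20", 20, "192.168.20.10/32", "192.168.20.1")
    pending = WanConfig("wan_vlan20", 21, None, None)
    for cfg in (healthy, static32, pending):
        ok, why = vlan_matches(20, cfg)
        print(cfg.address, "| vlan ok:", ok, "|", why)
        print("  problems:", wan_problems(cfg) or "none")
        print("  nat:", auto_outbound_nat(cfg, ["10.0.0.0/24"]) or "none")
```

Run it as-is to see the three constructed cases side by side; the static /32 case reproduces the "gateway out of range" rejection and the absence of any outbound NAT rule, while the pending case points back at the VLAN path before anything else is worth checking.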
@Gertjan said in pfSense behind pfSense - Not getting WAN IP from PFS1:
When you create a VLAN 'on one side' (your pfSense 1) you have to duplicate that same VLAN info on the other side ! - in this case your WAN pfSense 2.
Why, if all you are after is to hook it up, to set it up.
The reason for the VLAN is, I suppose, so that you don't end up with the same IP on WAN as you have on LAN (on PFS2). Since this machine was supposed to have the exact same setup as PFS1...
-
@Gertjan said in pfSense behind pfSense - Not getting WAN IP from PFS1:
edit : and if this doesn't work, then you have to place a smart switch between PS1 and PS2. Split out the VLAN ID from PS1 out on this switch, and connect the assigned port to the pfSense 2 WAN.
I have several managed switches and PFS2 was connected to one of the ports on one of the switches, which was configured with that VLAN ID. When I said I could ping the PFS1 IP address but nothing beyond, I assumed it would be understood that the internal networking was set up okay.
BTW, in the 7th post, I posted the reason for not working in the first place and then it started working as expected after the reboot, then it becomes very obvious that VLAN, tagging, managed switch etc. weren't the issue at all.
The question was why PFS1 couldn't provide an IP to PFS2 in the first place, via DHCP.