Netgate Discussion Forum
    Nested Firewalls

    Routing and Multi WAN
    Takaratiki

      Probably asked before but I can't find the answer. I have two pfSense firewalls, the main one and a secondary firewall behind it serving a test network. Both offer private addresses on the LAN side; the main has public addresses on the WAN side while the secondary one uses a private address. I cannot make the secondary firewall route out to the internet (through the main firewall). The closest I can come to routing to the exterior of the primary firewall is by setting up static routes, but they proceed no further. The main firewall is performing NAT. Tried numerous permutations of rules, specifications of default gateways, removal of the private network rule on the secondary WAN, removal of NAT reflection on the secondary firewall, removal of NAT on the secondary firewall. Nothing pings beyond the exterior of the main firewall. Diagram below, rules on demand. Thanks for any help.

         Secondary                              Main
        +-------------------------+   +--------------------------+
        | 192.168.1.1<>10.1.1.242 |---| 10.1.1.1<>Public Address |----Router----Internet
        +-------------------------+   +--------------------------+      ^
                                             Outbound NAT               |
                                                   Furthest I can ping with Static Routes enabled.

      blak111

        Set your outbound NAT rules on the exterior firewall to manual and add another rule to include the network behind the secondary firewall if you disabled NAT.

        Takaratiki

          Lack of clarity on my part, I'm sorry. The secondary pfSense was NAT'd with a manual rule to use the 10.1.1.242 address at first. I played with NAT to try and get something working, failed, turned off NAT on the secondary firewall, converted the client behind it to a 10.1.1.x address, and let it loose in the 10.1.1.x/24 network. It can talk to the world just fine. The second firewall still can't talk out to the world. At this point, I have essentially simplified the secondary firewall down as far as it can go and it still isn't routing correctly out of the primary firewall through the default gateway, which leaves me to wonder what setting I've missed that's causing it to fail to route through the primary firewall.

          blak111

            Not sure then. Maybe check the firewall rules on the LAN interface on the primary firewall.
            Verify the default gateway is set correctly on the secondary firewall and that you have the "Block private networks" option cleared.

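The two replies above come down to a small checklist for a nested firewall: the inner firewall needs a default gateway pointing at the outer one, the outer firewall needs a route back to whatever source address it sees from the inner one, and if the inner firewall is not NATing, the outer firewall's manual outbound NAT must include the inner LAN or packets leave with an RFC 1918 source. The following Python model is an added example, not code from the thread or from pfSense; it walks a constructed two-firewall chain with the thread's addresses (192.168.1.0/24 behind 10.1.1.242, 10.1.1.1 as the main firewall, and a made-up 203.0.113.0/24 public side) and reports which of those conditions fails. The `Firewall` class, its fields and the scenario functions are all assumptions of the example and do not correspond to pfSense configuration keys.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address

# RFC 1918 space: a packet leaving the edge with one of these sources will not get a reply.
RFC1918 = [Net("10.0.0.0/8"), Net("172.16.0.0/12"), Net("192.168.0.0/16")]


@dataclass
class Firewall:
    """Simplified model of one pfSense box (hypothetical, not pfSense's own data model)."""
    name: str
    lan_net: Net                    # network directly attached on the inside
    wan_addr: Addr                  # address on the outside interface
    default_gw: Optional[Addr]      # next hop on the outside, None if not configured
    nat_sources: List[Net] = field(default_factory=list)    # sources translated to wan_addr
    static_routes: List[Net] = field(default_factory=list)  # extra inside networks with a route

    def knows_route_back(self, addr: Addr) -> bool:
        """Can this box deliver a reply to addr via its inside?"""
        return addr in self.lan_net or any(addr in n for n in self.static_routes)

    def egress_source(self, src: Addr) -> Addr:
        """Source address the next hop sees after this box's outbound NAT."""
        return self.wan_addr if any(src in n for n in self.nat_sources) else src


def trace_outbound(client: Addr, chain: List[Firewall]) -> List[str]:
    """Walk a packet from client through chain (inside-out order) and list what breaks."""
    problems: List[str] = []
    src = client
    for i, fw in enumerate(chain):
        # The first box is directly attached to the client; every later box must be able
        # to route replies back to the source address it sees (pre-NAT at this hop).
        if i > 0 and not fw.knows_route_back(src):
            problems.append(f"{fw.name}: no route back to {src}; replies are dropped")
        if fw.default_gw is None:
            problems.append(f"{fw.name}: no default gateway; cannot forward {client} to the internet")
            break
        src = fw.egress_source(src)
    else:
        # Reached the internet edge: the source must have been translated to a public address.
        if any(src in n for n in RFC1918):
            problems.append(f"{chain[-1].name}: forwards with private source {src}; "
                            "add an outbound NAT rule covering it")
    return problems


# Constructed scenarios using the addresses from the thread (public side is a documentation prefix).
SECONDARY_LAN = Net("192.168.1.0/24")
TRANSIT = Net("10.1.1.0/24")
CLIENT = Addr("192.168.1.50")


def secondary(nat_on: bool) -> Firewall:
    return Firewall("secondary", SECONDARY_LAN, Addr("10.1.1.242"), Addr("10.1.1.1"),
                    nat_sources=[SECONDARY_LAN] if nat_on else [])


def main_fw(nat_sources, static_routes=()) -> Firewall:
    return Firewall("main", TRANSIT, Addr("203.0.113.10"), Addr("203.0.113.1"),
                    nat_sources=list(nat_sources), static_routes=list(static_routes))


def scenario_double_nat() -> List[str]:
    """Secondary NATs to 10.1.1.242; main only needs to translate its own LAN network."""
    return trace_outbound(CLIENT, [secondary(True), main_fw([TRANSIT])])


def scenario_no_nat_missing_rule() -> List[str]:
    """Secondary NAT off, static route back exists, but main never translates 192.168.1.0/24."""
    return trace_outbound(CLIENT, [secondary(False), main_fw([TRANSIT], [SECONDARY_LAN])])


def scenario_no_nat_manual_rule() -> List[str]:
    """Same as above plus the manual outbound NAT rule the first reply suggests."""
    return trace_outbound(CLIENT, [secondary(False),
                                   main_fw([TRANSIT, SECONDARY_LAN], [SECONDARY_LAN])])


def scenario_no_nat_no_route() -> List[str]:
    """NAT rule present but main has no route back to the inner LAN."""
    return trace_outbound(CLIENT, [secondary(False), main_fw([TRANSIT, SECONDARY_LAN])])


if __name__ == "__main__":
    for fn in (scenario_double_nat, scenario_no_nat_missing_rule,
               scenario_no_nat_manual_rule, scenario_no_nat_no_route):
        print(fn.__name__, "->", fn() or "OK")
```

The model deliberately ignores stateful filtering and the "Block private networks" WAN rule, since return traffic for an established state is not subject to that rule; it only captures the three conditions that decide whether a nested firewall's traffic can leave and come back. Running it shows the double-NAT case and the manual-rule case as clean, while dropping NAT on the inner box without adding the outer rule leaves the packet with a 192.168.1.x source at the edge.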
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.