Need help with NAT and routing
  • I'm having some problems with my pfSense setup, which I think is attributable to NAT, but maybe there is something else wrong.

    PF1 - pfSense, perimeter firewall/NAT (LAN=192.168.100.1) [static routes for 192.168.1.0 and 192.168.2.0 pointing to 192.168.100.5]
    PF2 - pfSense, inside router/firewall (WAN=192.168.100.5, LAN1=192.168.1.1, LAN2=192.168.2.1)
    UT - Untangle transparent filter bridge for spam/web content etc. (192.168.100.3)

    ISP – PF1 --UT -- PF2 -- LAN1/LAN2

    OK to start out, this setup works ok from the LAN side, but the problem I have is getting traffic into the LAN from the outside or the middle.
    PF1 is the one that I want to handle NAT of our public IPs. This has worked fine for a very long time without the PF2 and with a single LAN.

    But now I'd like to have two (or more) VLANs on the lan side, that all go through the web filter on their way out. PF2 should be acting as a router but with the ability to prevent traffic from routing to and from certain VLANs.

    I have put an allow ANY ANY rule on the WAN interface, and I can ping any IP in LAN1 from PF1, UT, and a PC in the middle; but I cannot access any of the services running on that LAN.

    I tried following directions in the forums to turn off NAT on PF2 by going to Outbound NAT, changing to manual outbound NAT, and then removing the only rule.
    As soon as I do this, I can no longer access anything from the LAN PCs (internet, PF1 LAN, etc.).
    And this didn't help with being able to access the LAN from the middle area. (Pings seem to work OK both ways, though. However, I now cannot ping the PF1 WAN IP from the LAN PCs??)
    I even tried going to Advanced and checking the option to disable filtering and make it a router only, but this had no effect, and neither did enabling RIP.

    If someone has any insight, I would greatly appreciate it.
  • Just an update to anyone that might try to do this.
    Problem 1 - the reason I couldn't get out past PF1 was because the default LAN -> Any rule doesn't apply to the other subnets behind PF2. Once I added LAN rules for them, traffic out worked.
    Problem 2 - having Untangle in the middle between the two caused some complications in passing traffic from the WAN side to the LAN side and through to PF2. This was easily remedied by adding static routes to the UT, just as needed on the PF1 router.
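    The two findings above come down to two lookups that pfSense does on every packet: a longest-prefix route lookup (which is what the static routes on PF1 fix for inbound traffic) and a first-match interface rule lookup with an implicit default deny (which is why the stock "LAN net -> any" rule, whose source is only PF1's own 192.168.100.0/24, silently blocks anything arriving from 192.168.1.0/24 or 192.168.2.0/24 behind PF2). The following Python model is an added example, not the poster's configuration or pfSense code: it uses the addresses from the post, a placeholder ISP gateway (203.0.113.1, a TEST-NET address), and constructed rule tables to show the before/after behaviour of Problem 1 and the route lookup of Problem 2.

```python
"""Added example modelling the PF1 route and rule lookups from the thread.

Addresses are the ones given in the post. The ISP gateway (203.0.113.1) and
the rule tables are constructed for illustration; they are not pfSense output.
"""
from ipaddress import ip_address, ip_network

# PF1 routing table: a default route to the ISP, the directly connected LAN,
# and the two static routes the poster added pointing the inside VLAN subnets
# at PF2's WAN address (192.168.100.5). Untangle is a transparent bridge, so
# it does not appear as a hop here.
PF1_ROUTES = [
    (ip_network("0.0.0.0/0"), "203.0.113.1"),          # placeholder ISP gateway
    (ip_network("192.168.100.0/24"), None),            # directly connected (LAN)
    (ip_network("192.168.1.0/24"), "192.168.100.5"),   # static route -> PF2
    (ip_network("192.168.2.0/24"), "192.168.100.5"),   # static route -> PF2
]


def next_hop(routes, dst):
    """Longest-prefix match over a route table. None means directly connected."""
    dst = ip_address(dst)
    candidates = [(net, gw) for net, gw in routes if dst in net]
    net, gw = max(candidates, key=lambda r: r[0].prefixlen)
    return gw


# Interface rules on PF1's LAN interface as (source network, action).
# pfSense evaluates interface rules first-match and drops anything that
# matches nothing (implicit default deny). "LAN net" expands to the subnet
# configured on the LAN interface, i.e. 192.168.100.0/24 only.
LAN_NET = ip_network("192.168.100.0/24")

# Before the fix: only the stock "LAN net -> any" rule exists.
RULES_BEFORE = [(LAN_NET, "pass")]

# After the fix: explicit pass rules for the subnets routed behind PF2.
RULES_AFTER = RULES_BEFORE + [
    (ip_network("192.168.1.0/24"), "pass"),
    (ip_network("192.168.2.0/24"), "pass"),
]


def evaluate(rules, src):
    """Return the action for a packet with source `src` entering PF1's LAN."""
    src = ip_address(src)
    for net, action in rules:
        if src in net:
            return action
    return "block"  # nothing matched: pfSense's implicit default deny


def describe(rules, src, dst):
    """One-line summary of what PF1 does with a src->dst packet on its LAN."""
    action = evaluate(rules, src)
    if action != "pass":
        return f"{src} -> {dst}: {action} (no LAN rule matches source)"
    gw = next_hop(PF1_ROUTES, dst)
    via = "directly connected" if gw is None else f"via {gw}"
    return f"{src} -> {dst}: pass, {via}"


if __name__ == "__main__":
    # Problem 1: a PC on LAN1 behind PF2 trying to reach the internet.
    print(describe(RULES_BEFORE, "192.168.1.10", "8.8.8.8"))
    print(describe(RULES_AFTER, "192.168.1.10", "8.8.8.8"))
    # Problem 2: inbound traffic from PF1's LAN toward a host on LAN1 must be
    # routed to PF2's WAN address rather than sent out the default route.
    print("PF1 next hop for 192.168.1.20:", next_hop(PF1_ROUTES, "192.168.1.20"))
```

    The same longest-prefix logic is what Untangle needed too: without a route for 192.168.1.0/24 and 192.168.2.0/24 it has no reason to send those destinations toward 192.168.100.5, so replicating PF1's static routes on it (as the poster did) is the expected fix rather than a workaround.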