TCP:S dual Pfsense



  • I have a PFsense at location 1 and 1 at location 2. Both are connected by a layer 2 line running 1.2.3. What I am trying to do is have pfsense 2 act as a gateway for users on pfsense 1.

    PF1 –- LAN --192.168.1.X-- Users
          --- OPT2 Bridge LAN --192.168.1.9-- PF2 --- WAN

    So under pf1 I have set OPT2 to have a default gateway of 192.168.1.9 and under the OPT2 interface Allow all any traffic. Then to test, on an outbound firewall rule I have put to use gateway 192.168.1.9. Only issue is I keep getting under PF1 a TCP:S default rule block. PF2 has no issues, it routes the traffic with no issues and I have an outbound NAT rule to allow that subnet to the WAN.
    WAN  192.168.1.0/24 * * * * * NO

    Have I done this wrong or is it that I have missed something? Any help would be great, thanks.



  • Can you clarify this?



  • What part would you like clarified.



  • Hi Jon,

    If I understand correctly you have users at PF1 that are on the LAN side and you want to connect Layer 2 opt to the WAN side of PF1?  One issue I can see is you may want to give the opt link a different subnet than PF1 LAN so the NAT routing and firewall will be doing its thing.

    I think you mean like this?….

    users 192.168.0.xxx -> LAN PF1 WAN -> OPT 192.168.1.9 gw -> 192.168.1.xxx users -> LAN PF2 WAN

    Will PF2 be default gw on 192.168.1.xxx?

    I think PF1 WAN interface would have its own 192.168.1.xxx IP and use .9 as a default gw.

    One issue I see is packets NAT'd from PF1 will be going onto the 1.xxx subnet and if the 1.xxx default gw isn't the 192.168.1.9 -  I'm not sure they'd find a way back to PF1 (static route maybe?)

    10 rem Warren
    20 goto 10



  • @Jonb:

    What part would you like clarified.

    The diagram is confusing. It is not clear to me what is going where…



  • Ohh ok let me try and make it simpler

    users (192.168.1.X) – LAN -- PF1 -- OPT2 (Bridge to LAN) --- OPT1 (192.168.1.9) -- PF2 -- WAN

    So I want the users on pf1 to access the internet through pf2 but still have the gateway on their machines programmed with pf1.



  • You need a pass rule on pf1 LAN to allow hosts to reach OPT2/ their gateway, no?
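    For readers following the thread, here is an added example (not the poster's configuration, and not generated from the pfSense GUI) of what the rule set under discussion looks like in pf.conf syntax: a pass rule on PF1's LAN that policy-routes user traffic to PF2 at 192.168.1.9 on OPT2, sitting above the default block that logs the "TCP:S" entries. Interface names em0/em1 are hypothetical placeholders.

    ```pf
    # Added example, not from this thread. Assumptions: PF1 LAN = em0, PF1 OPT2 = em1
    # (hypothetical names), users in 192.168.1.0/24, PF2's OPT1 address 192.168.1.9
    # is the next hop out to the internet.
    lan_if  = "em0"
    opt2_if = "em1"
    users   = "192.168.1.0/24"
    pf2_gw  = "192.168.1.9"

    # Default deny. A TCP SYN that matches no pass rule below is logged against this
    # rule, which is what the pfSense firewall log shows as a "TCP:S" default rule block.
    block log all

    # Traffic between users and other hosts on the same (bridged) 192.168.1.0/24 segment
    # must NOT be policy-routed, so it gets a plain pass rule first.
    pass in quick on $lan_if inet from $users to $users keep state

    # The pass rule on LAN that the reply above refers to: it lets hosts leave LAN at all,
    # and route-to sends matching traffic out OPT2 to PF2 instead of PF1's own default route.
    pass in quick on $lan_if route-to ($opt2_if $pf2_gw) inet proto { tcp udp icmp } \
        from $users to any keep state

    # Replies to the states created above return through OPT2 automatically; a separate
    # pass rule on OPT2 is only needed for connections PF2 itself initiates towards users.
    pass in quick on $opt2_if inet proto { tcp udp icmp } from $pf2_gw to $users keep state
    ```

    In the pfSense GUI the route-to rule is the LAN rule with its Gateway set to the 192.168.1.9 gateway entry; a rule placed on OPT2 with that gateway does not match the user traffic, because that traffic enters PF1 on LAN.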

