TCP:S dual pfSense
-
I have a pfSense at location 1 and one at location 2. Both are connected by a layer 2 line running 1.2.3. What I am trying to do is have pfSense 2 act as a gateway for users on pfSense 1.
PF1 --- LAN --192.168.1.X-- Users
    --- OPT2 Bridge LAN --192.168.1.9-- PF2 --- WAN

So under pf1 I have set OPT2 to have a default gateway of 192.168.1.9 and under the OPT2 interface allow all/any traffic. Then to test, on an outbound firewall rule I have set it to use gateway 192.168.1.9. The only issue is I keep getting the TCP:S default rule block under PF1. PF2 has no issues; it routes the traffic with no issues and I have an outbound NAT rule to allow that subnet to the WAN.

WAN 192.168.1.0/24 * * * * * NO

Have I done this wrong or is it that I have missed something? Any help would be great, thanks.
-
Can you clarify this?
-
What part would you like clarified.
-
Hi Jon,
If I understand correctly you have users at PF1 that are on the LAN side and you want to connect the Layer 2 opt to the WAN side of PF1? One issue I can see is you may want to give the opt link a different subnet than PF1 LAN so the NAT routing and firewall will be doing its thing.
I think you mean like this?
users 192.168.0.xxx -> LAN PF1 WAN -> OPT 192.168.1.9 gw -> 192.168.1.xxx users -> LAN PF2 WAN
Will PF2 be default gw on 192.168.1.xxx?
I think PF1 WAN interface would have its own 192.168.1.xxx IP and use .9 as a default gw.
One issue I see is packets NAT'd from PF1 will be going onto the 1.xxx subnet and if the 1.xxx default gw isn't 192.168.1.9, I'm not sure they'd find a way back to PF1 (static route maybe?)
10 rem Warren
20 goto 10
-
What part would you like clarified.
The diagram is confusing. It is not clear to me what is going where…
-
Ohh ok let me try and make it simpler
users (192.168.1.X) -- LAN -- PF1 -- OPT2 (Bridge to LAN) --- OPT1 (192.168.1.9) -- PF2 -- WAN
So I want the users on pf1 to access the internet through pf2 but still have the gateway on their machines programmed with pf1.
-
You need a pass rule on pf1 LAN to allow hosts to reach OPT2/ their gateway, no?
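To make the point of the last reply concrete, here is an added illustration in raw pf syntax of what PF1's ruleset looks like with the OPT2-only pass rule the poster described next to the LAN pass rule the reply says is missing. This is not configuration from the thread or from pfSense's generated rules; the interface names em0/em1 and the use of route-to for the "use gateway" setting are assumptions.

```pf
# Added illustration, not from the thread. Interface names are assumed.
lan_if  = "em0"            # PF1 LAN: hosts have PF1 as their default gateway
opt2_if = "em1"            # PF1 OPT2: bridged to LAN, PF2 lives here
lan_net = "192.168.1.0/24"
pf2_gw  = "192.168.1.9"

# Default deny. Any SYN that matches no pass rule is logged here,
# which is where the "TCP:S default rule block" in the thread comes from.
block log all

# What the poster configured: a pass rule on OPT2. Client traffic enters
# PF1 on LAN, not on OPT2, so this rule never sees the hosts' SYNs.
pass in quick on $opt2_if from $lan_net to any keep state

# What the last reply points at: a pass rule on the interface the traffic
# actually arrives on. route-to hands matching packets to PF2 via OPT2
# instead of PF1's own default route.
pass in quick on $lan_if route-to ($opt2_if $pf2_gw) \
    from $lan_net to any keep state
```

Because LAN and OPT2 here share one subnet, replies from PF2 can reach PF1 on a different interface than the one holding the state entry, which is the reason behind the earlier suggestion to give the OPT2 link its own subnet.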