RESOLVED: Set Up for One WAN and Two LAN Interfaces

  • I'm using pfSense 1.2.3 installed as a VM in VirtualBox. I have used this VM with a single LAN interface successfully to "hide" test systems from the rest of my network. Now I need to simulate multiple sites, so I'd like to have two LAN subnets that can communicate with each other and the internet. Based on various posts there doesn't seem to be anything unusual about the setup, but I can't get it to work.

    WAN: Uses DHCP to get configuration.
    LAN: DHCP enabled for .100 - .200
    OPT1: DHCP enabled for .100 - .200
    Firewall: Added a rule for OPT1 to match the LAN default rule (anything else is blank or left at the default):

    • Action: Pass
    • Interface: OPT1
    • Protocol: any
    • Source: LAN subnet
    • Destination: any

    My reading is that with NAT set to "Automatic Outbound NAT rule generation", then a NAT rule would be created for OPT1.

    What doesn't work: Hosts in OPT1 can't access WAN or LAN anything except other hosts on their subnet. Can't even ping the OPT1 interface.

    What works:

    • LAN continues to work and can ping everything including the OPT1 interface and hosts in that subnet.
    • pfSense can ping everything including hosts in OPT1
    • Hosts in the OPT1 subnet are allocated an IP through DHCP and all the settings look OK, including gateway and DNS.
    • Hosts in OPT1 can access other hosts in the subnet.

    Does anyone have suggestions as to what I can look at to resolve this?

  • I'd think the first thing you need to get is the ability to ping the OPT1 interface from clients on that network…

    I just looked at my office network where I have 1 WAN and 2 LANs...  I have manual outbound selected...

  • Thanks for the suggestion. I switched to Manual NAT and replicated the Auto Generated rule for LAN as follows:

    • Interface: WAN
    • Type: Network
    • Address:
    • Destination: any
    • Translation address: Interface address

    Unfortunately no change. Hosts on the LAN can ping hosts on OPT1, but hosts on OPT1 still cannot ping their pfSense interface or anything else other than each other.

  • Switching to manual NAT was the first step.

    By default, when you add an interface, unlike LAN, all traffic is blocked on that interface. If you want to use pfSense simply as a router that also does some NATting on the WAN interface, just add the following firewall rules for OPT1:

    Rule #1:
      Action: Pass
      Protocol: ICMP (type=Echo)
      Source: *
      Destination: OPT1 address
      Description: Allow ping firewall OPT1 interface

    Rule #2:
      Action: Pass
      Protocol: *
      Source: *
      Destination: *
      Description: Allow clients on OPT1 to access clients on LAN and WAN

    Then, if you want to filter some traffic, just add some "block" rules between those two.

  • Thanks for your response. Since everything else was already done I added the ICMP rule but it made no difference.

    Systems on the OPT1 subnet just don't seem to be able to get out, even though they are visible from the LAN subnet and receive a DHCP lease from the OPT1 interface. OPT1 is working; it just won't let "unsolicited" traffic out.

    I'm sure there is something fundamental I am not doing that allows OPT1 to act as a LAN style interface. I have also tried 2.0RC3 and I get exactly the same results.

    Just in case it was some issue with the hosts on that subnet I moved them to the LAN subnet and everything works.

  • Can you reply with a screenshot of the following for OPT1:

    • Firewall rules
    • Interface configuration

    I am using a configuration very similar to what you are trying to do and it works like a charm.

  • I knew it had to be something trivial somewhere! When adding the firewall rule I too religiously copied the rule for the LAN interface down to selecting "LAN subnet" for the Source Type. If I'd looked further down the drop down list I would have seen "OPT1 subnet" and selected that. All working as expected now.

    BTW, I found that Automatic NAT also does the job so there is no need to set NAT to Manual.

    Thanks for the responses. While the actual problem wasn't identified, following the suggestions gave me enough to track down the actual problem.
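The root cause in this thread is worth making concrete: a pass rule on OPT1 whose Source is "LAN subnet" never matches packets arriving from OPT1 hosts, so they fall through to the interface's default deny. The following is an added example (not from the thread or from pfSense itself) that models pfSense's per-interface, first-match rule evaluation with a default deny, compares the misconfigured rule against the corrected one, and includes a small audit check that flags pass rules whose source network does not belong to the interface they sit on. The subnets, host addresses and rule descriptions are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the example; the thread only gives host ranges (.100-.200).
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
OPT1_SUBNET = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

# Which network each interface serves (assumed mapping, used by the audit below).
INTERFACE_SUBNETS = {"lan": LAN_SUBNET, "opt1": OPT1_SUBNET}


@dataclass(frozen=True)
class Rule:
    interface: str                       # interface the rule is attached to
    action: str                          # "pass" or "block"
    source: ipaddress.IPv4Network        # Source field in the GUI
    destination: ipaddress.IPv4Network   # Destination field in the GUI
    description: str = ""


def evaluate(rules, interface, src, dst):
    """Return (action, description) for a packet entering `interface`.

    pfSense GUI rules are evaluated top-down per interface and the first
    match wins; a packet that matches no rule on its interface is blocked.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.interface != interface:
            continue
        if src_ip in rule.source and dst_ip in rule.destination:
            return rule.action, rule.description
    return "block", "default deny (no rule matched)"


def audit_source_mismatch(rules):
    """Flag pass rules whose Source is a subnet other than the interface's own.

    This is exactly the mistake in the thread: copying the LAN rule onto OPT1
    and leaving Source set to "LAN subnet".
    """
    findings = []
    for rule in rules:
        own = INTERFACE_SUBNETS.get(rule.interface)
        if rule.action != "pass" or own is None or rule.source == ANY:
            continue
        if rule.source != own:
            findings.append(
                f"{rule.interface}: pass rule '{rule.description}' has source "
                f"{rule.source}, but interface subnet is {own}"
            )
    return findings


# The default LAN rule plus the OPT1 rule as originally created (Source: LAN subnet).
BROKEN_RULES = [
    Rule("lan", "pass", LAN_SUBNET, ANY, "Default allow LAN to any"),
    Rule("opt1", "pass", LAN_SUBNET, ANY, "Copied LAN rule onto OPT1"),
]

# The same ruleset after selecting "OPT1 subnet" as the Source on the OPT1 rule.
FIXED_RULES = [
    Rule("lan", "pass", LAN_SUBNET, ANY, "Default allow LAN to any"),
    Rule("opt1", "pass", OPT1_SUBNET, ANY, "Allow OPT1 subnet to any"),
]


def opt1_client_to_internet(rules):
    """Symptom from the thread: an OPT1 host trying to reach the internet."""
    return evaluate(rules, "opt1", "192.168.2.150", "203.0.113.10")


def lan_client_to_opt1(rules):
    """Observation from the thread: LAN hosts could always reach OPT1 hosts."""
    return evaluate(rules, "lan", "192.168.1.150", "192.168.2.150")


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(name, "OPT1 -> internet:", opt1_client_to_internet(rules))
        print(name, "LAN  -> OPT1:    ", lan_client_to_opt1(rules))
        for finding in audit_source_mismatch(rules):
            print(name, "AUDIT:", finding)
```

Running it shows the thread's symptoms directly: with the copied rule, the OPT1 host is blocked by default deny while LAN to OPT1 still passes, and the audit reports the OPT1 rule's foreign source; with "OPT1 subnet" as the source, the OPT1 host passes and the audit is clean. The same check is a cheap sanity test to run over any exported ruleset after adding an interface, since the GUI will happily accept a rule that can never match.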
