[SOLVED] WAN of pfsense box2 from LAN of psense box1?
-
Is this possible?
ISP <-> WAN of pfsense box1 <-> LAN of pfsense box2 <-> LAN clients
Example configuration:
Box1: (no problem in configuring Box1)
WAN: DHCP from ISP
Gateway: dynamic from ISP
LAN IP: 10.10.10.1/24 (static)
Box2:
WAN: 10.10.10.2 (static)
Gateway: 10.10.10.1 (LAN IP of Box1)
LAN: 192.168.100.1/24
-
Is this possible?
ISP <-> WAN of pfsense box1 <-> LAN of pfsense box2 <-> LAN clients
Is this the configuration you are asking about?
ISP <---> [WAN pfSense box1 LAN] <---> [WAN pfSense box2 LAN] <---> switch <---> LAN clients
Your configuration hints don't make it clear to me which interface on pfSense box2 the LAN clients connect to, nor which interface on pfSense box1 the LAN interface on pfSense box2 connects to.
If the configuration I proposed is what you meant then the answer to your question is yes though optimisations would be suggested. If you need to allow incoming connections from the internet to LAN clients then some "cunning" is required.
-
Sorry for being vague.
The WAN of Box2 gets its internet connection from the LAN of Box1 just like what you proposed.
I tried putting the LAN IP of Box1 as the gateway for the WAN of Box2 same as this:
Sample configuration:
Box1:
WAN: DHCP from ISP
Gateway: dynamic from ISP
LAN IP: 10.10.10.1/24 (static)
Box2:
WAN: 10.10.10.2 (static)
Gateway: 10.10.10.1 (LAN IP of Box1)
LAN: 192.168.100.1/24
I couldn't get an internet connection in Box2. Is there an additional configuration aside from assigning the IP addresses in the interface? Like IPsec configuration? I think IPsec is not the answer to my problem since both boxes will communicate through their WAN interfaces.
-
Yes this is possible, I have done this many times with a test pfSense box behind my main box.
Remember to uncheck 'block private networks' in the WAN configuration of your box2 since it is in a private subnet.
I have always used DHCP for the connection between the two boxes but static should work equally well.
Steve
-
Thanks for confirming.
Yup, I unchecked the 'block private networks' and even the 'block bogon networks'.
But still I don't have an internet connection for box2 and the LAN clients of Box2.
I can confirm that I have a connection in the LAN clients of Box1 using static IPs.
Anyway, I will just play with this configuration since this is inside a VM server. Cheers
-
But still I don't have an internet connection for box2 and the LAN clients of Box2.
From the console of box2 does a
```
ping 10.10.10.1
```
get a response? From a LAN client of box2 does a
```
ping 10.10.10.1
```
get a response?
-
From the console of box2 does a
```
ping 10.10.10.1
```
Yes
From a LAN client of box2 does a
```
ping 10.10.10.1
```
Yes
My client IP is 192.168.100.13 from the DHCP of LAN of Box2.
But from the console of box1,
```
ping 10.10.10.2
```
100% packet loss.
And still no internet connection from the LAN client of Box2 or from Box2 itself.
From a LAN client of box2 does a
```
ping google.com
```
From the console of box2 does a
```
ping google.com
```
100% packet loss.
-
But from the console of box1,
```
ping 10.10.10.2
```
100% packet loss.
This is hard to explain in the light of the reports of successful pings from the box2 console.
Please report the output from the following commands on the box1 console:
```
ping -c 5 10.10.10.2; arp -an; netstat -rn -f inet; ifconfig -a
```
-
```
$ ping -c 5 10.10.10.2; arp -an; netstat -rn -f inet; ifconfig -a
PING 10.10.10.2 (10.10.10.2): 56 data bytes

--- 10.10.10.2 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss
? (10.10.10.2) at 00:0c:29:f5:5a:bb on le1 expires in 911 seconds [ethernet]
? (10.10.10.3) at 00:50:56:c0:00:04 on le1 expires in 1173 seconds [ethernet]
? (10.10.10.1) at 00:0c:29:93:27:ea on le1 permanent [ethernet]
? (10.10.10.5) at 00:0c:29:de:27:11 on le1 expires in 1002 seconds [ethernet]
? (192.168.20.1) at 00:13:49:98:39:44 on le0 expires in 906 seconds [ethernet]
? (192.168.20.33) at 00:0c:29:93:27:e0 on le0 permanent [ethernet]
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.20.1       UGS         0      211    le0
8.8.8.8            192.168.20.1       UGHS        0      578    le0
10.10.10.0/24      link#2             U           0     1301    le1
10.10.10.1         link#2             UHS         0        0    lo0
127.0.0.1          link#4             UH          0       97    lo0
192.168.20.0/24    link#1             U           0        0    le0
192.168.20.33      link#1             UHS         0        0    lo0
202.84.96.1        00:0c:29:93:27:e0  UHS         0       29    le0
202.84.96.2        00:0c:29:93:27:e0  UHS         0       23    le0
le0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:0c:29:93:27:e0
	inet6 fe80::20c:29ff:fe93:27e0%le0 prefixlen 64 scopeid 0x1
	inet 192.168.20.33 netmask 0xffffff00 broadcast 192.168.20.255
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect
	status: active
le1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=8<VLAN_MTU>
	ether 00:0c:29:93:27:ea
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
	inet6 fe80::20c:29ff:fe93:27ea%le1 prefixlen 64 scopeid 0x2
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
	media: Ethernet autoselect
	status: active
plip0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> metric 0 mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
	options=3<RXCSUM,TXCSUM>
	inet 127.0.0.1 netmask 0xff000000
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	nd6 options=3<PERFORMNUD,ACCEPT_RTADV>
pflog0: flags=100<PROMISC> metric 0 mtu 33200
pfsync0: flags=0<> metric 0 mtu 1460
	syncpeer: 224.0.0.240 maxupd: 128
enc0: flags=0<> metric 0 mtu 1536
```
I am doing this inside a VM environment.
-
Sorry I didn't think of this earlier. Do you have a firewall rule on WAN in box2 allowing icmp echo? Such a rule is necessary since the default is to block traffic initiated from the WAN side.
-
No rules in WAN of box2.
I thought it allows everything by default.
I will put Allow All in WAN of box2 and check if it works.
My bad, I forgot this one:
Rules are evaluated on a first-match basis (i.e. the action of the first rule to match a packet will be executed). This means that if you use block rules, you'll have to pay attention to the rule order. Everything that isn't explicitly passed is blocked by default.
-
My suspicion is correct, DNS server.
When I put in Google's DNS, bam, it works.
Thanks a lot wallybybob for your guidance.
I will treat you to a beer someday. ;D
-
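The troubleshooting in this thread went layer by layer: ping the upstream gateway, ping a public IP, then ping a hostname, and the failure only at the last step pointed at DNS. The script below is an added example and not code from the thread or from pfSense; it packages that sequence into a function for the pfSense (FreeBSD) console. It assumes only that ping(8) is present; the addresses in the usage comment are the ones used in this thread, and the `probe` argument is a hypothetical hook so the decision logic can be exercised without a network.

```sh
#!/bin/sh
# Added example (not from the thread): a layered connectivity check that
# separates "gateway unreachable", "no upstream route/NAT" and "DNS only"
# failures, the sequence the thread walked through by hand.
# Assumption: a FreeBSD/pfSense shell with ping(8); nothing else required.

# probe_icmp <host>: true if <host> answers two ICMP echo requests.
# Across a pfSense WAN this only succeeds if the far side passes ICMP;
# the default WAN ruleset drops unsolicited inbound traffic, as noted above.
probe_icmp() {
    ping -c 2 "$1" >/dev/null 2>&1
}

# diagnose_layers <gateway_ip> <public_ip> <hostname> [probe]
#   probe is the name of a function taking one host argument and returning
#   0 on success; it defaults to probe_icmp and can be swapped for testing
#   (hypothetical hook, not part of any pfSense tooling).
# Return codes: 0 ok, 1 gateway unreachable, 2 no upstream, 3 DNS failure.
diagnose_layers() {
    gw=$1; pub=$2; name=$3; probe=${4:-probe_icmp}

    if ! "$probe" "$gw"; then
        echo "FAIL layer 2/3: gateway $gw does not answer."
        echo "  Check interface IP/mask, cabling or VM network, and the WAN"
        echo "  rules and 'Block private networks' on the box whose WAN this is."
        return 1
    fi
    if ! "$probe" "$pub"; then
        echo "FAIL upstream: $gw answers but $pub does not."
        echo "  Check the default route on this box and outbound NAT on the"
        echo "  upstream box (in a double-NAT setup both boxes must NAT)."
        return 2
    fi
    # A bare IP works but a name does not: almost always resolver config.
    # Caveat: a host that drops ICMP would look the same, so pick a name
    # that is known to answer pings.
    if ! "$probe" "$name"; then
        echo "FAIL DNS: IP connectivity is fine but $name cannot be reached."
        echo "  Set DNS servers under System > General Setup, or point this box"
        echo "  at the upstream box's DNS forwarder."
        return 3
    fi
    echo "OK: gateway, upstream route and DNS all working."
    return 0
}

# Usage from the box2 console, with the addresses used in this thread:
#   diagnose_layers 10.10.10.1 8.8.8.8 google.com
```

Run it from a LAN client of box2 as well; if it passes on box2 itself but fails at step 1 on a client, the problem is on the box2 LAN side (DHCP, LAN rules, outbound NAT) rather than upstream.
-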
I also do this all the time for testing. I have the DNS Forwarder and DHCP going on box 1 (the real internet connection).
On box2 WAN I do one of:
- DHCP - then it gets an IP address and the DNS forwarder's address (box1 LAN IP) from box1 LAN; or
- specify a box1 LAN IP address for box2 WAN and give it gateway and DNS as box1 LAN IP.
box2 does NAT for clients on box2 LAN, then box1 does NAT again for box2 WAN, which it sees as a normal client on box1 LAN. The double-NAT works fine.
-
The double-NAT works fine.
If I recall correctly some people have reported problems with VoIP and double NAT. I have found that VoIP and double NAT have worked fine for me with recent enough versions of Twinkle and (possibly, I don't recall exactly) Ekiga.
-
I have also read about double NAT being a problem but I've never experienced it myself. Two pfSense boxes both NATing has always worked in testing for me. I also ran a separate router in front of my pfSense box for a WAN connection when 1.2.3 could only use one PPPoE connection directly, no problems.
Something to be aware of though.
Steve
-
Thanks for that info. Although I have no plans of using double NAT, since I don't know what double NAT or single NAT is ???
As long as my system works, no problem.