LAN to LAN Setup - I think I'm missing something.



  • Network

    192.168.20.0 <------> pfSense LAN 192.168.20.212/24 |------| 192.168.70.254/24 pfSense WAN <------> 192.168.70.0

    On the 20 network I have a router also sitting on 192.168.20.254. This has a rule in it telling anything on the 20 network which tries to go to the 70 network to do so via 192.168.20.212.

    The 20 network is our main LAN with 100 servers and users on it.
    The 70 network is about 40 developers with their own servers etc.

    I can ping across from 20 to 70
    I can ping across from 70 to 20

    If I run a traceroute from the 20 LAN to a 70 LAN IP address I get

    Hop 1 = 192.168.20.254
    Hop 2 = 192.168.20.212
    Hop 3 = 192.168.70.20
    Success

    If I run a traceroute from the 70 LAN onto the 20 LAN I get

    Hop 1 = 192.168.70.254
    Hop 2 = 192.168.20.1
    Success

    I can connect to a Windows Server on the 70 LAN fine from the 20 LAN using UNC.

    Locally on the 70 LAN all works well: intranet pages open, UNC Windows paths open.
    However, from the 70 LAN I cannot open up an intranet page or connect to a server on the 20 LAN.

    I have a single firewall rule in WAN and in LAN, both of which are to PASS ANY FROM ANY TO ANY.
    I set the NAT to Manual in the Outbound tab.
    I've got no default routes, no static routes, no gateways set up.

    To start with I'd like to be able to connect from the 70 network to the 20 network as well.
    Once I have complete connectivity, then I'll firewall it up.

    Where am I going wrong? I'm losing sleep and hair over this. It's something stupid, and I need another set of eyes.

    There is no need for anything on the 70 LAN to go over the router at 192.168.20.254 and get out to the internet. This is a 2 LAN system, which, when I have it working, will use firewall rules to lock down.

    Can anyone please help me with this? It's late on a Sunday.



  • If you are NAT'ing out to your developer network then you would have to have a Static NAT for every service or for every server to get in to the server network from the developer network.
    So add a static and test it. Then add all the other statics, or don't NAT just route. If you remove NAT'ing then everything should work.
    Have the developers got a gateway? If so, and it isn't this box then you would need a route on the gateway for the server network.
    Make sure that the Block Private Networks is not checked for the WAN interface.

    Don't the developers have Internet access?
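
The routing and WAN-filter checks from the reply above, written out as an added example that is not part of the original thread. It assumes the developers use a separate gateway rather than the pfSense box, models "Block Private Networks" as dropping RFC 1918 sources only, and uses constructed route tables with 203.0.113.1 as a placeholder upstream; it does not model NAT.

```python
import ipaddress

# Addresses taken from the thread.
PFSENSE_LAN = "192.168.20.212"
PFSENSE_WAN = "192.168.70.254"
# Assumption: this model of "Block Private Networks" covers only RFC 1918 sources.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def next_hop(routes, dst):
    """Longest-prefix match over (cidr, gateway) pairs; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(cidr), gw) for cidr, gw in routes
            if addr in ipaddress.ip_network(cidr)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def diagnose(src, dst, dev_gw_routes, lan_gw_routes, wan_block_private):
    """List what stops a connection from the 70 network (src) to the 20 network (dst)."""
    problems = []
    # Forward path: the developers' gateway must hand dst to the pfSense WAN address.
    if next_hop(dev_gw_routes, dst) != PFSENSE_WAN:
        problems.append(f"no route to {dst} via {PFSENSE_WAN} on the developers' gateway")
    # Ingress filter: the WAN option drops packets whose source is private.
    if wan_block_private and any(ipaddress.ip_address(src) in n for n in RFC1918):
        problems.append(f"WAN 'Block Private Networks' drops source {src}")
    # Return path: the LAN gateway must send replies back through the pfSense LAN address.
    if next_hop(lan_gw_routes, src) != PFSENSE_LAN:
        problems.append(f"reply to {src} does not go via {PFSENSE_LAN}")
    return problems

# Constructed route tables (203.0.113.1 is a placeholder upstream).
LAN_GW = [("0.0.0.0/0", "203.0.113.1"), ("192.168.70.0/24", PFSENSE_LAN)]
DEV_GW_OK = [("192.168.20.0/24", PFSENSE_WAN)]
DEV_GW_MISSING = [("0.0.0.0/0", "203.0.113.1")]

if __name__ == "__main__":
    for name, dev, block in (("routed, filter off", DEV_GW_OK, False),
                             ("filter on", DEV_GW_OK, True),
                             ("gateway lacks route", DEV_GW_MISSING, False)):
        print(name, diagnose("192.168.70.20", "192.168.20.1", dev, LAN_GW, block))
```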

