Total Newbie, need help with setting up a 2nd network behind Pfsense



  • I just started trying out Pfsense a few weeks ago for the sake of a powerful firewall with bandwidth monitoring & web content filtering, etc., and it works great. I live in South Africa, in the land of ridiculously priced internet, and so share an internet connection with a neighbor in an apartment using a wireless bridge. The distance is too far for a network cable in our apartment complex, so our high-powered bridge works great. The connection is based at my neighbor's house and the PFsense firewall is located there using an IP address of 10.0.0.1. I do a lot of streaming from a home media server in my house and it works terribly, as to stream movies it has to go across the bridge and back, and by that point it is very slow, and doing backups over the network takes a long time. Before using the PFsense firewall, we just had a Linksys DD-WRT router at my neighbor's, and in my house I put in a separate router with the IP address of 192.168.11.1 and a gateway & DNS of 10.0.0.1, and it worked perfectly. I had my own contained network that allowed me to back up and stream within my own house with no problem while I could still connect to the internet over the bridge. HOWEVER, after installing PFsense as the firewall, my router will no longer let me access the internet. I can't understand why. It seems something in PFsense is blocking those settings from working. I would love help to find out how to set pfsense to allow the different IP network in my house to work on 192.168.11.1. Thank you for your help, and I am sorry if this is a simple or stupid question as my understanding of networking is very minimal. Thanks!



  • Is your router also doing NAT or is it just a router?  If it is just a router, then you will need to set up a route within pfsense to point 192.168.11.0/24 to something like 10.0.0.30 (your router's other IP). Then modify the outbound NAT on pfsense to manual and duplicate the NAT rule for 10.0.0.0/24 and change them to 192.168.11.0/24 so that pfsense will also use the WAN address for that.  Finally, modify the LAN default rule to allow the 192.168.11/24 subnet through.



  • @podilarius:

    Is your router also doing NAT or is it just a router?  If it is just a router, then you will need to set up a route within pfsense to point 192.168.11.0/24 to something like 10.0.0.30 (your router's other IP). Then modify the outbound NAT on pfsense to manual and duplicate the NAT rule for 10.0.0.0/24 and change them to 192.168.11.0/24 so that pfsense will also use the WAN address for that.  Finally, modify the LAN default rule to allow the 192.168.11/24 subnet through.

    Thank you so much for your help. If possible, could you be more specific on how & where I change those settings? I followed a detailed tutorial to get it set up, and have no idea how to make the above changes. So, if you had the patience, I would really appreciate it. Thanks

    "to set up a route within pfsense to point to 192.168.11.0/24": where do I put that setting? Under Firewall/NAT, add a new one? There are just so many settings there I don't know what to do.

    I have the outbound NAT set to manual, but how do I "duplicate the NAT rule for 10.0.0.0/24 and change them to 192.168.22.0/24"? I don't know what that means. Under Firewall/NAT/Outbound I see the NAT rules; do I make a new one? What do I change specifically?

    Lastly, I don't see where to "modify the LAN default rule to allow the 192.168.11/24 subnet through" I assume it is under Firewall/rules/lan, but don't know what to do after that.



  • To set up the route, go to System -> Routing. You will first set up a Gateway and then click on the Routes tab to route 192.168.11.0/24 to that gateway.
    Then you will go to Firewall -> Rules -> LAN. The default allow rule says LAN net to any allow. Click on the "+" beside it to clone the rule. In the clone edit, change LAN net to 192.168.11.0/24.
    Finally, in Firewall -> NAT -> Outbound. When you switch from auto to manual (and you have only the LAN subnet), 3 rules are automatically created: 2 for 10.0.0.0/24 and 1 for 127.0.0.1/8. You are going to clone the 2 that are used for 10.0.0.0/24. To do so, click on the "+" beside them. In the clone edit, change 10.0.0.0/24 to 192.168.11.0/24.
    Once everything is saved and applied, you should be able to get to the internet from the 192.168.11.0/24 network.



  • @podilarius:

    To set up the route, go to System -> Routing. You will first set up a Gateway and then click on the Routes tab to route 192.168.11.0/24 to that gateway.
    Then you will go to Firewall -> Rules -> LAN. The default allow rule says LAN net to any allow. Click on the "+" beside it to clone the rule. In the clone edit, change LAN net to 192.168.11.0/24.
    Finally, in Firewall -> NAT -> Outbound. When you switch from auto to manual (and you have only the LAN subnet), 3 rules are automatically created: 2 for 10.0.0.0/24 and 1 for 127.0.0.1/8. You are going to clone the 2 that are used for 10.0.0.0/24. To do so, click on the "+" beside them. In the clone edit, change 10.0.0.0/24 to 192.168.11.0/24.
    Once everything is saved and applied, you should be able to get to the internet from the 192.168.11.0/24 network.

    Thank you so much for your help. I have been out of the country for a bit, and just got back home. I really appreciate your help, as I really want to get this working; it is frustrating no longer being able to back up or stream. I tried to make all the changes you described. They all seemed pretty clear except for the 2nd step of Firewall -> Rules -> LAN: I clicked the "+" but don't know where to change the LAN net to 192.168.11.0/24.

    I posted a screen shot of each of the 4 steps above if you are willing to look and confirm that they are all entered correctly, I would really appreciate it. Thanks.

    ![firewall NAT outbound.jpg](/public/imported_attachments/1/firewall NAT outbound.jpg)
    ![firewall rules edit.jpg](/public/imported_attachments/1/firewall rules edit.jpg)
    ![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)
    ![static route.jpg](/public/imported_attachments/1/static route.jpg)



  • Okay, first thing is that you have already changed the default LAN firewall rule to allow any source to any destination, so a specific rule for 192.168.0./24 is not necessary.
    Second, something is not making sense in the issue you are describing. You are creating another subnet, are you not, with its own addresses, that is going to route traffic back and forth from your new network. You are almost there, but it sounds like you don't have the new network set up yet.



  • @podilarius:

    Okay, first thing is that you have already changed the default LAN firewall rule to allow any source to any destination, so a specific rule for 192.168.0./24 is not necessary.
    Second, something is not making sense in the issue you are describing. You are creating another subnet, are you not, with its own addresses, that is going to route traffic back and forth from your new network. You are almost there, but it sounds like you don't have the new network set up yet.

    Thank you again for your help. Should I delete that rule then?

    Maybe it wasn't clear what I wrote before. There might actually be a much simpler method than what I am trying to do. I attached two network diagrams, my current setup and my "desired setup." My desired setup was what I had working a couple of months ago before I switched to PFsense. It was very simple, as I just had a router in my house with the IP address of 192.168.11.1 and a gateway & DNS of 10.0.0.1, and everything just worked. I just want my own contained network in my own house so that my XBMC and other music, etc. don't show up on the other computers in my neighbor's network, while obviously still being able to access the internet through the wireless bridge connection.

    Thank you again!

    ![Current Setup diagram.jpg](/public/imported_attachments/1/Current Setup diagram.jpg)
    ![desired setup diagram.jpg](/public/imported_attachments/1/desired setup diagram.jpg)



  • That is doable and simple. You already have the allow rule for LAN that will encompass all networks. In the NAT, switch over to manual and create an outbound NAT for 192.168.0/24 by cloning the 2 rules for 10.0.0/24. Head over to Setup -> Routing. Create a new gateway that is 10.0.0.100. In the Routes tab, create a new route that says that if you are going to 192.168.0/24, you are going to get redirected to your new gateway at 10.0.0.100. You then just need to set up your router like you did before.

    You can delete that extra rule if you like, it is redundant since the rule below it will also allow it.
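The following is an added example, not code from the thread or from the pfSense project. It models the three pieces of pfSense state the replies above touch (the LAN rule's allowed sources, the manual outbound NAT sources, and the static route back to the home router) and walks a packet from a host in 192.168.11.0/24 through them, so that each step's failure mode is visible and the opening question ("is your router also doing NAT?") is answered both ways. The WAN address 203.0.113.10 is a constructed placeholder, and 10.0.0.100 is taken as the home router's address on the neighbor's LAN, as in the last reply.

```python
import ipaddress

# Addresses from the thread; the WAN address is a constructed placeholder (TEST-NET-3).
WAN_ADDR = ipaddress.ip_address("203.0.113.10")
NEIGHBOR_LAN = ipaddress.ip_network("10.0.0.0/24")        # pfSense LAN, pfSense is 10.0.0.1
HOME_NET = ipaddress.ip_network("192.168.11.0/24")         # subnet behind the home router
HOME_ROUTER_LAN_SIDE = ipaddress.ip_address("10.0.0.100")  # assumed, as in the final reply


class PfSense:
    """The three pieces of pfSense state the thread's steps change."""

    def __init__(self, lan_rule_sources, outbound_nat_sources, static_routes):
        self.lan_rule_sources = [ipaddress.ip_network(n) for n in lan_rule_sources]
        self.outbound_nat_sources = [ipaddress.ip_network(n) for n in outbound_nat_sources]
        self.static_routes = {ipaddress.ip_network(n): ipaddress.ip_address(gw)
                              for n, gw in static_routes.items()}

    def forward_to_internet(self, src):
        """A packet from src arrives on LAN bound for the internet.
        Returns (ok, reason, source address as seen on the WAN side)."""
        src = ipaddress.ip_address(src)
        if not any(src in net for net in self.lan_rule_sources):
            return False, "dropped: no LAN rule matches source %s" % src, None
        if not any(src in net for net in self.outbound_nat_sources):
            # pf would still forward it, but a private source address on the WAN
            # gets no usable reply; treated as a failure here.
            return False, "leaves WAN untranslated: no outbound NAT rule for %s" % src, src
        return True, "ok", WAN_ADDR

    def route_reply(self, dst):
        """Next hop for the de-NATed reply. Static routes win over the default route."""
        dst = ipaddress.ip_address(dst)
        if dst in NEIGHBOR_LAN:
            return "LAN (directly attached)"
        for net, gw in self.static_routes.items():
            if dst in net:
                return "LAN via %s" % gw
        return "WAN (default route)"  # reply for 192.168.11.x goes back out the WAN: lost


def check_path(fw, client, home_router_does_nat):
    """Can a host in the home network reach the internet through fw?"""
    # A NATing home router hides 192.168.11.x behind its own 10.0.0.100;
    # a plain router forwards the packet with the client's real source.
    src_seen = HOME_ROUTER_LAN_SIDE if home_router_does_nat else ipaddress.ip_address(client)
    ok, reason, _ = fw.forward_to_internet(src_seen)
    if not ok:
        return False, reason
    hop = fw.route_reply(src_seen)
    if hop.startswith("WAN"):
        return False, "reply for %s routed out WAN: no static route via home router" % src_seen
    return True, "forwarded, NATed to %s, reply returns %s" % (WAN_ADDR, hop)


def default_config():
    """Stock pfSense: 'LAN net' allow rule, automatic outbound NAT, no static routes."""
    return PfSense(["10.0.0.0/24"], ["10.0.0.0/24"], {})


def fixed_config():
    """pfSense after the thread's three steps: cloned LAN rule, cloned NAT rules, static route."""
    return PfSense(["10.0.0.0/24", "192.168.11.0/24"],
                   ["10.0.0.0/24", "192.168.11.0/24"],
                   {"192.168.11.0/24": "10.0.0.100"})


if __name__ == "__main__":
    cases = [("stock pfSense, NATing home router", default_config(), True),
             ("stock pfSense, plain home router", default_config(), False),
             ("fixed pfSense, plain home router", fixed_config(), False)]
    for label, fw, nat in cases:
        print(label, "->", check_path(fw, "192.168.11.50", nat))
```

Two points worth taking from the model: a home router that NATs (the usual consumer default) needs none of the three changes, because pfSense only ever sees 10.0.0.100; and the scoped 192.168.11.0/24 rule is the tighter alternative to the any-source LAN rule the screenshots show, since it admits only the subnet you actually route. When the home router sits on the LAN segment like this, replies leave pfSense through the same interface they arrived on; pfSense documents the System > Advanced > Firewall & NAT option "Bypass firewall rules for traffic on the same interface" for exactly that case if stateful filtering starts breaking connections.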



  • @podilarius:

    That is doable and simple. You already have the allow rule for LAN that will encompass all networks. In the NAT, switch over to manual and create an outbound NAT for 192.168.0/24 by cloning the 2 rules for 10.0.0/24. Head over to Setup -> Routing. Create a new gateway that is 10.0.0.100. In the Routes tab, create a new route that says that if you are going to 192.168.0/24, you are going to get redirected to your new gateway at 10.0.0.100. You then just need to set up your router like you did before.

    You can delete that extra rule if you like, it is redundant since the rule below it will also allow it.

    Thank you for all your help. Got it all working at last! Appreciate it so much!

