Routing between LANs
-
Hi All,
I am new to using pfSense and am still trying to learn how to use it correctly. I have what I think is a simple problem but am having difficulties in finding the solution. What I have is a Xen XCP 'cloud' that I am using to house all my development servers. These are all on a private 172.16.1.x LAN. The Xen host is sitting in the 10.3.1.x private LAN (the Corp. network) and all of my desktop machines are also in this network.
I have pfSense running in a Xen VM and is acting as the gateway/firewall/router/etc for all of the other VMs. This is all working just fine, no issues with any of the Xen VMs getting out to the Corp. LAN or the internet at large.
Now what I would like to be able to do is have a way for a machine on the Corp (10.3.1.x) network get to the Xen LAN (172.16.1.x). I've done similar things in plain old linux with iptables and setting up a static route on the client. But I don't see how to achieve the same using pfSense.
Here's a picture that will hopefully help:
+----------------------+ +-----------------------+
| Xen XCP Cloud LAN +-------------->| Corp LAN |+--------->internet
|----------------------+ |-----------------------|
| Private | | Private |
| 172.16.1.0/24 | | 10.3.1.0/24 |
| | | |
|+-----------+ | | |
|| pfSense +--WAN------------------->| |
|| 172.16.1.1|(10.3.1.100 DHCP) | |
|+----+------+ | | |
| |LAN | | +-----------+ |
| v | | | hosts |+ |
|+-----------+ | | | 10.3.1.x |-+ |
|| hosts |+ | | +-----------+|| |
|| 172.16.1.x|-+ | | +|---------+| |
|+-----------+|| | | +----------+ |
| +|---------+| | | |
| +----------+ | | |
+----------------------+ +-----------------------+
So, for example, I would like for host 10.3.1.100 to be able to reach 172.16.1.x. It is okay (and in fact desirable) if I have to manually add a route on the 10.3.1.100 host machine to get to 172.16.1.x.
Right now I am using OpenVPN to achieve the goal, but this is less than desirable due to the administrative, management and performance hassles it causes.
I am using the following:
*** Welcome to pfSense 2.0.2-RELEASE-pfSense (i386) on pfsense ***
WAN (wan) -> re0 -> 10.3.1.132 (DHCP)
LAN (lan) -> re1 -> 172.16.1.1
thanks,
-raleigh
-
pfsense by default enables outbound NAT between LAN and WAN (because that's what 95% of people want).
In your case, you can either do port-forwarding or you could just enable standard IP routing between "Xen XCP Cloud LAN" and "Corp LAN".
To achieve the latter:
1. go to Firewall -> Rules -> WAN, and disable the default "Block private networks" rule.
2. go to Firewall -> NAT -> Outbound, and enable AON / Manual Outbound NAT. It will show all auto-created rules, which you can delete.
Next you only need to create a static route for 172.16.1.0/24 on your "Corp LAN" router via your pfsense, and you'd be ready to go!
-
You can have all kinds of fun here. Routed IPs are the best. You can also create a partial NAT, where you would switch to advanced outbound NAT. On all the automagically created rules add a destination of !10.3.1.x/24 so that if it is not going to the corporate LAN it will NAT. Then you can create a persistent route in either the corp LAN default gateway or a persistent route in 10.3.1.<host> such that everything to 172.16.1.x/24 goes to the WAN IP of pfSense. In both cases you need to have an allow rule on WAN to pass the traffic.
This way if traffic is bound to the Internet you don't have to do anything on the corporate fw to NAT traffic for that subnet. So many options, fun can be had all around.
-
So I think this is what I want to do, but I'm not certain. I hope I'm not hijacking, and if so, please let me know and I'll open a new thread.
I've setup a homelab inside an esx 5.1 machine, with a couple of windows hosts inside. Outside WAN is 10.0.1.0 and inside is 192.168.1.0. As it stands currently, inside the LAN can communicate with the LAN, but WAN cannot talk to LAN. I understand the firewall is in the way, but I'm having a hard time configuring it.
What I want is for my hosts outside the VM LAN to be able to communicate with the hosts inside the 192.168 LAN, and I think the post that dhatz addresses this, but I'm still not understanding the particulars. For instance:
I don't have a Block Private Networks rule, but a Block Bogon Networks. Is that the same thing? Also "…create a static route for 172.16.1.0/24 on your "Corp LAN" router via your pfsense" confuses me. Is this configured on pfsense, and if so, where?
I'm sorry if I'm asking stupid questions, but the tutorial/documentation I've found hasn't been of any help.
Thanks for any assistance.
-
Thanks to everyone for their hints and suggestions.
Here is what I ended up doing that seems to work.
Add a new firewall rule:
proto: any, source: WAN, port: any, dest: any
then on a host in the Corp LAN (the destination must be the network address, 172.16.1.0, for a 255.255.255.0 mask):
route ADD 172.16.1.0 MASK 255.255.255.0 10.3.1.100
and voilà!
I am intrigued by the notion of doing partial NATing and am going to try playing around with that.
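To make the two approaches in this thread concrete, here is an added example (not from any poster, and not pfSense code) that models the partial-NAT decision on pfSense's WAN, the effect of the "Block private networks" rule on Corp-to-Xen traffic, and the static route a Corp host needs. Addresses are the thread's 172.16.1.0/24 and 10.3.1.0/24 networks; the pfSense WAN address 10.3.1.100 is taken from the diagram and assumed as the gateway.

```python
from ipaddress import ip_address, ip_network

# Topology from the thread: Xen VMs behind pfSense, whose WAN sits on the Corp LAN.
XEN_LAN = ip_network("172.16.1.0/24")
CORP_LAN = ip_network("10.3.1.0/24")
PFSENSE_WAN_IP = ip_address("10.3.1.100")  # diagram value; the status line shows .132


def outbound_action(src: str, dst: str) -> str:
    """Partial-NAT decision on the WAN: the manual outbound rule carries a
    destination of !10.3.1.0/24, so Corp-bound traffic is routed unchanged
    and everything else (the Internet) is source-NATed to the WAN address."""
    s, d = ip_address(src), ip_address(dst)
    if s not in XEN_LAN:
        return "no-match"  # the rule only covers traffic sourced from the Xen LAN
    return "route" if d in CORP_LAN else "nat"


def wan_inbound_allowed(src: str, dst: str, block_private: bool, pass_rule: bool) -> bool:
    """Whether a Corp host's packet to a Xen VM passes pfSense's WAN rules.
    'Block private networks' is evaluated first and drops RFC 1918 sources,
    which is why the thread disables it; an explicit pass rule is still required."""
    s, d = ip_address(src), ip_address(dst)
    if block_private and s.is_private:
        return False
    return pass_rule and d in XEN_LAN


def corp_host_route(dest: str, mask: str, gateway: str = str(PFSENSE_WAN_IP),
                    windows: bool = True) -> str:
    """Build the static route a Corp host needs. strict=False normalises a host
    address such as 172.16.1.1 to its network address 172.16.1.0, which is what
    route.exe expects for a 255.255.255.0 mask; the gateway must be on the
    host's own subnet or the route is unusable."""
    net = ip_network(f"{dest}/{mask}", strict=False)
    gw = ip_address(gateway)
    if gw not in CORP_LAN:
        raise ValueError(f"gateway {gw} is not on the Corp LAN")
    if windows:
        return f"route ADD {net.network_address} MASK {net.netmask} {gw}"
    return f"ip route add {net.with_prefixlen} via {gw}"
```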