OPT1 <> OPT2 using local IPs?

  • I'm new to pfSense and pretty much a networking noob as well.
    I'm moving my network from using TomatUSB but I can't make pfSense work the way I want (works on TomatoUSB).

    Ok. So I have two different networks and pfSense in between them. The networks have two different subnets.
    The first network (OPT1 interface) is actually an old existing network with it's own gateway and DHCP server which pfSense gets an IP from. The second network (OPT2 interface) is a new network that is going to be managed by this new pfSense instance.

    COMP1 --------------------- (OPT1) | pfSense | (OPT2) ------------------------ COMP2
        IP:                                                                       IP:
    SUBNET:                                                                  SUBNET:                                                            
        GW:                                                                         GW:                                                                        

    Now what I want is that when COMP2 connects to COMP1, COMP1 will see COMP2's real local IP, i.e. The problem is that it doesn't, instead it thinks that the pfSense machine is connecting ( Exactly the same way NAT works with WAN/LAN…

    In TomatoUSB in "LAN Access" I connect different networks and all the computers in the two different networks can see each other with their real IP's.

    Since I'm not a networking expert I don't even know the correct term for what I'm trying to do.
    I would really appreciate your help in pointing me in the right direction where to look or if you know exact solution.


  • Your system is probably, quite rightly, setup with OPT1 in the role of a WAN (has a gateway to get out to the internet) and OPT2 in the role of an ordinary LAN. In that case there will be Automatic Outbound NAT being applied.

    1. Firewall->NAT->Outbound - select Manual Outbound NAT and save. Then delete all the rules that it generates that NAT out on OPT1.
    2. The client system in OPT1 will need to know how to reply to the subnet on OPT2. Add a route to the "real gateway device" in OPT1 ( that makes a route to through
    3. If you want to allow devices in OPT1 net to initiate connections to devices in OPT2 net, then add pass rules on pfSense OPT1. Note that responses by OPT1 devices to connections initiated from OPT2 devices will happily traverse the firewall anyway, as there will be a matching state already established.

    I presume you also have a "real" pfSense WAN on some device that goes direct to the internet, and perhaps another subnet on LAN - otherwise the 2 subnets you mention here wold not be labelled OPT1 and OPT2. But I don't think the existence of ordinary WAN and LAN also would invalidate any of the steps above. Only that you have to be careful in step (1) to not delete any NAT rules that NAT out the real WAN.

  • Thanks Phil, I followed your steps carefully (not deleting NAT-rules for WAN) and it works perfectly :)

    So the problem was that NAT was automatically used for OPT1. I Didn't know pfSense did this by default (which is good thing for most setups I guess).

    Yes, you are correct that I also have a WAN and LAN already setup on the pfSense Machine. WAN (and not the gateway in OPT1) is currently used to give OPT2 (and LAN) access to the internet.

    Thanks again!

  • Happy to help.
    For the benefit of other readers - if an interface has a gateway set, then pfSense by default assumes it is a WAN-style interface, a pathway to the public internet, so things like automatic outbound NAT are done on those interfaces to translate LAN IPs into WAN IPs suitable for the public internet.
    If you have a LAN like this OPT1 that is just a local subnet with a gateway to other internal networks, then you do not have to set that internal gateway as the actual gateway on the interface settings. You can just add a gateway in System->Routing and then add static route/s telling pfSense what internal networks are reached through that gateway. Then pfSense will understand that it is not a gateway out to the public internet in general.

Log in to reply