Two Subnets



  • Dear All,
    I am new to pfSense, having just moved on from Vyatta.
    I managed to configure pfSense as a firewall and it is working fine.
    I have some small issues; hope someone can help me.

    I have the following configured:
    Internet >>>> ISP Gateway (192.168.2.0/24) >>>>> pfSense >>>> 10 VMs (192.168.4.0/24)
    The problem is that when I am on a client from 192.168.2.0/24 I can't ping/connect to the VMs behind pfSense, even though I have already created rules on the WAN interface to allow everything to the LAN!
    The other way around, when I am on the 192.168.0/24 I can ping the subnet 192.168.2.0/24 and the machines behind it.

    Can someone please put me on the right road to get this fixed?

    Much appreciated



  • Hi Jamerson,

    The WAN interface has an option that by default blocks traffic from private networks, such as 192.168.2.0/24. The option on the WAN interface is called "Block private networks". You need to disable that, otherwise pfSense just blocks the traffic, even if you have created rules that allow the traffic.



  • And the client in 192.168.2.0/24 will need a route to 192.168.4.0/24 through the pfSense WAN IP - or the ISP gateway will need to know a route to that (and then you will have asymmetric routing also). The pfSense LAN subnet numbers will be quite well hidden from the WAN side.



  • @vindenesen:

    Hi Jamerson,

    The WAN interface has an option that by default blocks traffic from private networks, such as 192.168.2.0/24. The option on the WAN interface is called "Block private networks". You need to disable that, otherwise pfSense just blocks the traffic, even if you have created rules that allow the traffic.

    Thank you for your answer, however this is already disabled (not selected) on both WAN and LAN.



  • @phil.davis:

    And the client in 192.168.2.0/24 will need a route to 192.168.4.0/24 through the pfSense WAN IP - or the ISP gateway will need to know a route to that (and then you will have asymmetric routing also). The pfSense LAN subnet numbers will be quite well hidden from the WAN side.

    Thank you for your answer.
    How can I do the routing from WAN to LAN through the pfSense?
    Thank you



  • It is possible to use pfSense as the gateway from the WAN side, and then pfSense will route all the traffic received from clients on the WAN side, to either the LAN or back across WAN to the internet. I have done this in some places. In some ways it is a little unusual - but it gets around the issues of the clients on the WAN side having multiple gateways (ISP device to internet and pfSense WAN IP to get to pfSense LAN), or of having the extra route on the ISP device, and then having asymmetric routing happening.
    a) On pfSense, enable DHCP on WAN and give it a pool of WANnet IP addresses. The WAN-side clients will get the pfSense WAN IP as their gateway and DNS server.
    b) Disable DHCP server on the ISP device - so pfSense WAN-side clients will always get DHCP from pfSense.
    c) Firewall-NAT-Outbound - enable Manual Outbound NAT. Add a rule to NAT from source WANnet destination any, to WAN IP - that will NAT your WAN-side clients, similar to the way your LAN-side clients are already NATed.
    d) Add firewall rules on WAN to allow incoming traffic from source WANnet (I think you already have this).

    Now the WAN-side clients will be routed through pfSense and NATed in the same way as if they were just another LAN on the pfSense. As a result, they will also have routing to LAN for free, and will find any DNS names for LAN-devices that are available to the pfSense DNS Forwarder.

    Edit, add: In this configuration the ISP device is effectively your firewall protecting you from the outside world. If the ISP device is not port forwarding anything in to anywhere then any attacks from the ISP public WAN side simply will not be seen. Sometimes in this scenario I define a 1:1 port forward on the ISP device to forward everything to the pfSense WAN IP (often this is mis-named on ISP-devices as "DMZ"). This makes pfSense WAN the real firewall again. Then I can allow things I want at pfSense WAN (e.g. have an OpenVPN server listening on pfSense WAN IP…) and I can see what else is arriving if I care by making "block and log" rules.
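    As an added illustration (not from this thread or from pfSense's own generated ruleset), here is the pf.conf equivalent of steps (c) and (d) and of the "block and log" rule mentioned in the edit; interface names em0/em1 are assumed, and steps (a)/(b) are DHCP settings that pf does not express:

```pf
# Assumed interface names and networks (constructed for this example):
wan_if  = "em0"             # pfSense WAN, an address in 192.168.2.0/24
lan_if  = "em1"             # pfSense LAN, 192.168.4.0/24
wan_net = "192.168.2.0/24"  # "WANnet" in the post
lan_net = "192.168.4.0/24"  # "LANnet"

# What the original problem looked like: with "Block private networks" enabled,
# pfSense places a "quick" block for RFC1918 sources ahead of every user rule,
# so an allow rule further down never gets evaluated for 192.168.2.0/24.
#   block in quick on $wan_if from 192.168.0.0/16 to any

# (c) Manual outbound NAT: translate WAN-side clients to the WAN address
#     exactly as the existing LAN rule does. "($wan_if)" tracks the WAN IP.
nat on $wan_if from $lan_net to any -> ($wan_if)
nat on $wan_if from $wan_net to any -> ($wan_if)
# Traffic from WANnet to LANnet leaves on $lan_if, so it is routed untranslated.

# (d) Allow inbound traffic on WAN only from the WAN-side clients, then
#     "block and log" everything else so unexpected arrivals are visible.
pass in quick on $wan_if from $wan_net to any keep state
block in log quick on $wan_if all
```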



  • Thank you sir!
    If you are sometime in Holland let me invite you to some beer :)



  • @Jamerson:

    Thank you sir!
    If you are sometime in Holland let me invite you to some beer :)

    Happy to help. I will have to raise some funding to make a world trip collecting beers ;)



  • @phil.davis:

    @Jamerson:

    Thank you sir!
    If you are sometime in Holland let me invite you to some beer :)

    Happy to help. I will have to raise some funding to make a world trip collecting beers ;)

    You are most welcome here mate!
    Let me know in private when you are coming!