PfSense as a second router

  • I'm looking to set this up temporarily until I move the pfSense box as the front facing router. This is just for testing/practice so that I will know how to layer pfSense routers in the future.

    pfSense is properly assigning IPs as the XP VM received the first IP in the addressable range for the interface it is attached to. The XP VM is able to get resolution for a ping to an IP but failed to communicate.

    So my 192.168.2.x network can't communicate through my 192.168.1.x network.

    I'm new to burying routers behind other routers. So be kind please, as this is new territory that I'm playing with.

    This is version 2.1 x86.

    If you want any additional info just ask.
    ![Network Layout.jpg](/public/imported_attachments/1/Network Layout.jpg)

  • That "should" just work out-of-the-box. I make a test system like that from factory defaults all the time. pfSense WAN can be set to DHCP, and get a 192.168.1.x address allocated by the ISP device, or you can pick an unused IP address like as the static IP for pfSense and set the WAN gateway to
    The default LAN allow all rule will let traffic through from your XP client. pfSense WAN will NAT by default towards the ISP device, so the ISP device will have no trouble replying to it.
    What else did you do in addition to factory defaults and assigning the physical devices?
    Did you set a gateway on LAN? - don't do that!

  • I am having a similar setup and facing the same problem. I am able to ping/ssh from 192.168.1.x, but the other way round I can only ping; any ssh/telnet connections fail.

    In my setup all devices on 192.168.2.x are virtual (except for the host on
    on the physical host (there are two bridges br1 and br2 bridging eno3 and eno4 interfaces with ip and

    Additionally there is bon0 interface (eno1 and eno2) with ip of

    Netmask is the same on all networks

    /proc/sys/net/ipv4/ip_forward set to 0

    Any thoughts on what I could check/do?

  • LAYER 8 Global Moderator

    "or you can pick an unused IP address like"

    Just to be clear - I am like 1000% sure phil would not be suggesting you grab a public IP address out of thin air and use it.. that should have been I have to hope.. ;)

    If you forwarded traffic into an IP behind pfsense, but you can not telnet or ssh.. Either your forward is wrong or those are not listening, or the host has a firewall blocking.. Run through the port forwarding troubleshooting guide. Or since you're on a double nat you're coming from a 192.168 address into pfsense wan which would be blocked anyway if you have the block rfc1918 rule there, etc..

    Also you should have created your own post with your own info vs bringing back a thread from 2014..

  • Sorry for opening an old topic.  Basically my problem was solved by disabling hardware checksum offloading, see:
