Secondary network behind LAN can not access internet



  • Greetings,

    I have been an extensive user of IPCop for many years.  Recent necessities for dual WAN support have required me to look in another direction.  Discovered PFSense and have become quite excited about it.  Have acquired the package, set up a firewall and have begun the familiarization process.  Thus far… I found it a bit cumbersome to configure port forwarding as I have never had a requirement for dual entry (NAT/Firewall) when defining the port forwards on any physical router and certainly no other software based router, but I finally figured it out and am functioning there.

    My current shortcoming has to do with an environment set up as follows:

    [Store2 - 192.168.1.0/24] –> [T1 point to point] –> [Store1 - 192.168.10.0/24] –> [192.168.10.1 - PFSense - aaa.aaa.aaa.aaa] –> [sDSL]

    In the above configuration, Store2 is a remote store connected to the primary store (Store1) via a point to point T1 and uses POS services off of a server at Store1 as well as internet access through Store1's internet connection.  It is in this configuration that I am looking to employ the dual WAN configuration; however, I have not yet activated the secondary WAN connection.  I replaced an IPCop firewall with PFSense to handle this transition.  When I changed them out, however, Store2 could no longer access the internet through the PFSense box.  There is a static route which was required in the IPCop box, and works, that I also put into the PFSense box.  This has allowed me to ping the LAN port of the PFSense box from Store2 and also to reach any device in Store2 remotely from the internet through the PFSense box, but it will not let any Store2 device reach the internet through the same PFSense box.  Also, no Store2 device can ping the WAN port on the PFSense box…. (pinging is another issue... have not been able to successfully ping the PFSense WAN port from the internet at all).

    Having said all that... Store1 has full access to the internet through the same box and as I stated... I can get to any workstation at Store2 from the internet through the PFSense box (using PCAnywhere and remote desktop for example).

    The static route is:

    192.168.1.0 netmask 255.255.255.0 gw 192.168.10.139.

    The static route does show up in the routing table and is assigned to the correct interface.  192.168.10.139 is the ip address of the local T1 point to point router connecting Store1 to Store 2.

    I can swap the IPCop box with the PFSense box and Store2 has internet accessibility again.

    Can anyone shed some light on this?

    Thanks a bunch.



  • On your LAN interface you need to allow traffic from the remote subnet in addition to the local one.
    Have you done that?

    So in addition to letting HTTP and/or HTTPS traffic pass for 192.168.10.0/24 you have to allow traffic for 192.168.1.0/24 as well on the LAN interface.



  • @hdokes:

    (pinging is another issue… have not been able to successfully ping the PFSense WAN port from the internet at all).

    If you don't have a rule in place that allows this it will be blocked.
    You have to create an allow rule on the WAN-tab for this.



  • I tried to set a rule for the firewall to allow ICMP pinging; however, I failed miserably at it.  Can you provide the proper syntax for the rule?  I am accustomed to seeing a check box or the like to allow/disallow ICMP pings but I could not find that in PFSense.

    Also… I will add the other network to the LAN port.  Is it safe to say then that PFSense actually 'acts' as a proxy for all outbound traffic as well instead of just allowing any LAN side traffic through?  If so... this too would not be typical of what I have seen in every device/software I have touched (30 years of touching :) ) without implicitly activating such a feature.  Also... if it does... can anyone describe the advantage of controlling by network on the LAN side and not going further... i.e. port number... specific IP... etc.

    Thanks for your responses.



  • Maybe you should read this:
    http://forum.pfsense.org/index.php/topic,7001.0.html

    How an ICMP rule should look is shown in the attachment.
    For the checkboxes… I feel this is bad practice since these "checkboxes" do nothing else than add a firewall rule.

    If you're not using a VLAN capable switch you will need a second NIC since you cannot have multiple subnets on a single interface (at least not in a "supported" way).

    No, pfSense does not act as a proxy (unless you install a proxy on it).
    It is a (NAT) router.

    Something else I just noticed.
    Do you use automatically created NAT rules or Advanced Outbound NAT?
    Try enabling AON and create a second rule for your second subnet.
    The standard rule (automatically created) will only NAT your immediate LAN and not another subnet.




  • Thanks for the ICMP rule example.  I did not see the reference to ICMP under the protocol… makes sense.

    Regarding a VLAN switch requirement.  It's not.  The remote network is connected via a T1 point to point with proper static routing to move internet requests from the remote network through the local one and out the firewall.  This approach has worked with every piece of equipment we have had in play except the PFSense firewall.  Near as I can tell... this has to be because the PFSense is not truly a router.  With the static route... it should accept any IP address on the LAN being forwarded from another router (which is what is occurring here) and pass it through.  It works this way with a Linksys, a Cisco, a Netgear, and software routers such as Smoothwall and IPCop without a need to apply the secondary network subnet to the ethernet adapter.  So unless PFSense is working as a 'proxy' and limiting local hops... i.e. T1 point to point router to gateway router.... it should pass them through.  After all... this is routing, isn't it :) .

    So unless there is a compelling reason to believe that the PFSense is not 'routing' internally... which by the way... it actually does do from the outside in (refer to my initial post here where I can remote desktop and PCAnywhere to machines at the end of the point to point T1) then I still have an issue and still need some assistance.

    Regarding NAT vs. Firewall rules.  As I stated before... this is the first time I have ever had to ensure that there were rules in two different locations to allow port forwarding.  You are correct, I am using the 'automatically create Firewall Rule' from the NAT rules entry screen.  I'm not sure how this should work....

    "Try enabling AON and create a second rule for your second subnet.
    The standard rule (automatically created) will only NAT your immediate LAN and not another subnet."

    if the router never 'touches' the Store2 network but rather is 'routing' the request being posed by 192.168.10.139 (the ethernet adapter of the T1) which is on the local subnet.

    If I am incorrect can you help me to understand your thought process a bit more or what I may be overlooking?



  • your diagram of where what is confuses me a bit to be honest.

    is it like this?

    store2-LAN (192.168.1.0/24)
                        store2_router
      store2-WAN (192.168.10.139/24)
                            |
                      T1_bridge
                            |
                            | (T1-line)
                            |
                      T1_bridge
                            |
      store1-LAN (192.168.10.1/24)
                    pfSense
      store1-WAN (aaa.aaa.aaa.aaa)

    if yes: i assume your 192.168.1.x clients have your store2_router as gateway.
    now i further assume that your store2_router does no NAT.

    so the packets arriving at the pfSense have as source 192.168.1.x
    but pfSense only NAT's traffic originating from within 192.168.10.0/24 (the immediate LAN subnet).
    If you want it to NAT more than just the immediate LAN you need to make an advanced outbound NAT rule telling pfSense to NAT whatever subnet you want too.
    Alternatively you can change the automatically created rule for LAN from "lan-subnet" to "any" (might create a problem with ftp if you use multiwan).
    So the right way would be to create 2 advanced outbound NAT-rules telling pfSense to NAT 192.168.1.0/24 and 192.168.10.0/24 to WAN.

    as jahonix pointed out you also need to create rule on your LAN interface allowing traffic from your store2 subnet.

    the static route for 192.168.1.x pointing to 192.168.1.139 should simply work.

    As for your confusion about having to set NAT rules and firewall rules separately:
    when you create a NAT forwarding, a corresponding firewall rule is automatically created.
    If the problem is that when you have to change something you have to do it in 2 places: use aliases in your rules and then just change the alias.



  • Hey there…

    You are quite close with the layout... perhaps this will help......

    store2-LAN (192.168.1.0/24)
                            |
        store2 point to point (bridge) router - (cisco 1700)
          (LAN interface - 192.168.1.138)
                            |
        store2 point to point (Bridge) router
          (WAN interface -10.0.0.2)
                            |
                            | (T1-Line)
                            |
      store1 point to point (bridge) router - (cisco 1700)
        (WAN interface - 10.0.0.1)
                            |
      store1 point to point (bridge) router
        (LAN interface - 192.168.10.139)
                            |
      store1 gateway router (PFSense)
        (LAN interface - 192.168.10.1)
                            |
          store1 gateway router
    (WAN interface - aaa.aaa.aaa.aaa)

    There are the appropriate static routes within the bridge routers to provide access from store2 to store 1 and from store2 to the internet through the gateway at store1.  This has been working flawlessly for years... with various gateway routers described above... the most recent being a hybrid using IPCop.

    And currently... everything works except store2's ability to get past the LAN adapter in the gateway.  You are correct.... all systems at store2 point to store1's gateway and have the appropriate persistent static routes to get there.

    You are also correct in that there is no natting going on at store2.

    The static route for 192.168.1.x point to 192.168.1.139 does work as evidenced by my ability to get to the machines at store2 from the wan of the gateway.

    I understand your reference to having to set up a secondary NAT on the lan subnet.  I only know I have never had to do this on any other piece of equipment or on the LAN adapter to 'allow' the additional subnet.  Is it possible that other equipment have 'discovered' this route automatically and PFSense is not?  Or that by virtue of defining the static route inbound that these other pieces of equipment can understand how to 'return' a request from store2?

    I also understand the PFSense requirement in which if a NAT rule changes the corresponding firewall rule must also change.  I just have never seen any equipment (in 30 years) require management of two entries when dealing with 'port forwarding'.... in the end... that's all we are talking about.  Seems like a very cumbersome way to handle it..... but I can adapt.... After all... I have opposing thumbs....  :) And look!  I can get to all pieces of equipment from the outside in.  For both store1 and store2.  Doesn't it stand to reason that the PFSense gateway must be NATting to store2 if I can access services on that end from the gateway WAN?

    I appreciate your assistance... let's keep talking... I will also continue to test at this end.

    Thanks.



  • @hdokes:

    I understand your reference to having to set up a secondary NAT on the lan subnet.  I only know I have never had to do this on any other piece of equipment or on the LAN adapter to 'allow' the additional subnet.  Is it possible that other equipment have 'discovered' this route automatically and PFSense is not?  Or that by virtue of defining the static route inbound that these other pieces of equipment can understand how to 'return' a request from store2?

    It's not a second NAT. It's NAT at all.
    Without adding a rule to NAT your second subnet pfSense will never NAT traffic originating from anything else than the immediate LAN subnet.
    pfSense does by default nothing. (ok, almost nothing)
    You need to tell it what is allowed and what not.
    This might not be the most user-friendly approach but it is surely a more secure approach.
    I think it's good that it NATs per default only the immediate LAN subnet and not anything else.
    Imagine someone you don't know puts a router (wlan?) somewhere into your network without you knowing. He now can just use a different subnet over your company subnet.
    If you NAT only subnets you "trust" you can lower the risk of someone abusing your network.

    @hdokes:

    I also understand the PFSense requirement in which if a NAT rule changes the corresponding firewall rule must also change.  I just have never seen any equipment (in 30 years) require management of two entries when dealing with 'port forwarding'

    Doesn't it stand to reason that the PFSense gateway must be Natting to store2 if I can access services on that end from the gateway WAN?

    When you have different rules for NAT and the Firewall:
    You can have scheduled firewall rules. –> indirect scheduled NAT ;)

    I'm sorry but i dont understand what you mean with the second.
    NAT from where? from the outside? and from which gateway WAN?



  • @hdokes:

    I also understand the PFSense requirement in which if a NAT rule changes the corresponding firewall rule must also change.  I just have never seen any equipment (in 30 years) require management of two entries when dealing with 'port forwarding'…. in the end... that's all we are talking about.  Seems like a very cumbersome way to handle it..... but I can adapt....

    Look at it this way: it's just way more granular when you can control each aspect of the ruleset.
    Lots of other routers only offer an 'allow all' rule in the background and do NAT only. You may then add some blocking rules but that's all.
    Easier to set up: Yes. Better to control: No.

    @hdokes:

    And look!  I can get to all pieces of equipment from the outside in.  For both store1 and store2.  Doesn't it stand to reason that the PFSense gateway must be Natting to store2 if I can access services on that end from the gateway WAN?

    Sure, all seems fine here.
    The only thing to be done is getting traffic from store2 through LAN of pfSense (to the INet), right?
    The IP header still contains the subnet 192.168.1.0/24 from store2 which pfSense (on 192.168.10.0/24) by default does not pass.
    A rule on the LAN's rule tab should handle that.

    An alternate approach might be to change the subnet of your pfSense's LAN interface to something like 192.168.0.0/16, but IMHO that'll break other things like broadcasts.
    If pfSense is your gateway router ONLY it may work - if it is a DHCP server for your local LAN it doesn't…



  • Ok Gentleman,

    Currently on site.  Attempting to set up the subnet on LAN and a subsequent NAT rule but not having success.  Also pretty sure I am not doing it correctly here.

    I set up a virtual IP for the network 192.168.1.0/24 on the LAN interface.  Every time I go back to edit this rule it shows the IP address as a single address even though I set it to a network with the /24 subnet (it may be this is what it defaults to every time the edit window is opened).  The entry looks like this:

    Virtual IP address   Type         Description
    192.168.1.0/24       [Proxy ARP]  NAT rule for North Store

    I then went to firewall NAT outbound and entered the following:

    ON  - Automatic outbound NAT rule generation (IPSEC passthrough)
    OFF - Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

    Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    LAN        192.168.1.0/24  *            *            *                 192.168.1.0  *         NO           Out Bound NAT rule for North Store

    I still do not get beyond the LAN interface for any Store2 traffic.

    Can you provide some corrective syntax for what I may be doing wrong?



  • um..
    Unless you want to host something on the store2 network you don't need VIPs –> delete all VIPs.

    I think you misunderstood what Advanced Outbound NAT is about.
    With AON you define how the router NATs.
    This is not the same as forwarding a port.

    You need to enable AON
    --> disable automatically created rules.

    OFF - Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

    Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        192.168.1.0/24   *            *            *                 *            *         NO
    WAN        192.168.10.0/24  *            *            *                 *            *         NO

    The Interface is the interface to which the traffic will be rewritten to.
    You want that packets originating from within your network appear to the outside as if they originate from your WAN-interface.



  • Ok… I understand.

    Changed configuration to reflect what you had shown.  Removed VIP's and changed to AON on and it shows both network routes as you had depicted.  I still am having issues pinging beyond the LAN port.  Are there any other entries I may be overlooking? ... i.e. NAT or Firewall Rules?

    Thank you for your assistance on this.



  • So are you now able to reach the internet from your store2?

    What exactly do you mean you have issues pinging beyond the LAN port?
    I need information like from where you are pinging what.
    Could you write from what IP you are trying to ping the target IP?



  • I can ping from store2 to the LAN interface of the PFSense router. 
    I can not ping from store2 to the WAN side of the PFSense router.
    I can not ping from store2 to the internet (beyond the PFSense router).

    I can ping from the local network (Store1) to the WAN address of the PFSense router.

    I can remote access any device at store2 from the internet (using remote desktop and PCAnywhere)



  • Allow me to confirm whether or not I am understanding this correctly… and thank you for your patience and indulging me....

    As there is port forwarding on the PFSense box from the outside in... (firewall rules - apply to WAN interface) so too is there port forwarding from the inside of the box out (Nat Rules - apply to LAN interface).  The two are not synonymous but rather the system allows for auto creation of a firewall rule as a convenience when you are setting Nat Rules for outbound traffic?

    If I am correct here... would I also be correct then that I could set two primary NAT rules for both networks in the following fashion?

    If   Proto  Ext. port range  NAT IP           Int. port range  Description
    WAN  TCP    any              192.168.10.0/24  any              Allow all ports outbound for Store1 (ext.: xxx.xxx.xxx.xxx)
    WAN  TCP    any              192.168.1.0/24   any              Allow all ports outbound for Store2 (ext.: xxx.xxx.xxx.xxx)

    Would this be accurate based on my assumptions and would it be required?



  • Could you provide all rules you have on your LAN-interface?

    When you try to ping and it does not work: do you get any entries in the firewall log?



  • The pings are being logged from the correct Store2 IP address and shows the WAN address as the destination… the msg associated with the log entry is:

    @124 Block drop in log quick all label "Default block all just to be sure."

    The NAT outbound rules are:

    Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
    WAN        192.168.1.0/24   *            *            *                 *            *         NO           Out Bound NAT rule for North Store
    WAN        192.168.10.0/24  *            *            *                 *            *         NO

    I have many NAT rules for the WAN interface to accommodate internal services such as remote desktop and PCAnywhere access.  There are no Internet services requiring external access from the internet at this time.

    There are currently no explicit rules for the LAN adapter for either network other than these outbound references.



  • Hello!!!

    I have the same problem as hdokes (excuse my English, it's not the best  ;) )

    The scheme is the following one.

                               x.x.x.x
                             ----------
                             |  DSL   |____________  INET
                             ----------
                                  | 192.168.1.1
                                  |
                                  | 192.168.1.100
                             ----------
                             | pfsense |
                             ----------
                                  | 172.16.1.100
                                  |
                                  |
                             ----------                        VLAN 1
                   ----------| Switch |----------------------  PC
                   |         ----------                        172.16.1.1 /24
                   |
                 Router
                   |
                   |
                 Switch
                   |
                   |
                  PC          VLAN 2
              172.16.0.1 /24

    VLAN 1 can access internet
    VLAN 2  can not access internet
    pfsense

    VLAN 1 to VLAN 2 ping OK
    Vlan 2 to Vlan 1 ping ok
    Vlan 1 to pfsense (172.16.1.100) ping OK
    Vlan 2 to pfsense (172.16.1.100) ping OK
    Vlan 1 to DSL ping OK (Any Address)
    Vlan 2 to DSL ping NO
    Vlan 1 to HTTP access OK
    Vlan 2 to HTTP access NO

    The NAT outbound rules are:

    Interface    Source                Source Port    Destination    Destination Port    NAT Address    NAT Port  Static Port    Description 
    WAN          172.16.1.0/24          *                  *                *                      *                    *              NO
    WAN          172.16.0.0/24          *                  *                  *                    *                    *              NO

    The problem is that there is no access from VLAN 2.

    Thanks for the answer.



  • @hdokes: Could you also provide the FIREWALL-Rules on the LAN tab?
    You need 2 similar rules on the Firewall tab (Like jahonix said in his first post).

    @jor-el: The same goes for you. but you need an allow-rule on your OPTx interface on which your VLAN2 is.



  • Ok… back at it on site again.

    The firewall rules for the LAN tab consist only of the following:

    Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
    *      LAN net  *     *            *     *                  Default LAN -> any

    Still trying to make it work... any assistance is much appreciated.



  • @jahonix:

    On your LAN interface you need to allow traffic from the remote subnet additional to the local one.
    Have you done that?

    So additionally to letting pass http or/and HTTPs traffic for 192.168.10.0/24 you have to allow traffic for 192.168.1.0/24 as well on the LAN if.

    so it has to look like this:

    Proto  Source          Port  Destination  Port  Gateway  Schedule  Description
    *      LAN net         *     *            *     *                  Default LAN -> any
    *      192.168.1.0/24  *     *            *     *                  store2_subnet -> any
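The thread turns on two checks that pfSense applies independently: a packet from Store2 arriving on LAN has to match a pass rule on the LAN tab (the "Default LAN -> any" rule only covers "LAN net", so a 192.168.1.x source falls through to the hidden "Default block all just to be sure." rule that appeared in the log), and it has to match an outbound NAT rule (automatic outbound NAT only knows the LAN subnet). The Python model below is an added example, not pfSense code or anything posted in the thread; it reproduces the three states the thread went through (defaults, AON rules only, AON rules plus the store2 LAN rule) using the addresses from the posts. The WAN address 203.0.113.10, the host addresses 192.168.10.50 and 192.168.1.20 and the destination 198.51.100.7 are constructed placeholders, and the class and function names are my own.

```python
"""
Constructed model (not pfSense code) of the two checks a LAN-to-internet
packet must pass on pfSense: the LAN-tab filter rules (first match wins,
implicit block last) and the outbound NAT rules (automatic mode only covers
the LAN subnet). Addresses come from the thread; placeholders are marked.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

LAN_NET = ip_network("192.168.10.0/24")    # "LAN net" alias; pfSense LAN is 192.168.10.1
STORE2_NET = ip_network("192.168.1.0/24")  # routed in via the T1 router 192.168.10.139
WAN_IP = "203.0.113.10"                    # placeholder for aaa.aaa.aaa.aaa (TEST-NET-3)
DEFAULT_BLOCK_LABEL = "Default block all just to be sure."   # label seen in the log


@dataclass
class FilterRule:
    iface: str          # interface the rule is attached to, or "*" for any
    proto: str          # "*", "tcp", "udp" or "icmp"
    src: IPv4Network
    action: str         # "pass" or "block"
    label: str


@dataclass
class NatRule:
    iface: str          # interface the packet leaves on and is rewritten for
    src: IPv4Network
    nat_address: str


@dataclass
class Packet:
    in_iface: str
    proto: str
    src: str
    dst: str


@dataclass
class Ruleset:
    filter_rules: List[FilterRule] = field(default_factory=list)
    nat_rules: List[NatRule] = field(default_factory=list)


# The implicit last rule on every interface: blocks and logs whatever nothing else matched.
DEFAULT_BLOCK = FilterRule("*", "*", ip_network("0.0.0.0/0"), "block", DEFAULT_BLOCK_LABEL)


def filter_decision(pkt: Packet, rules: List[FilterRule]) -> Tuple[str, str]:
    """First matching rule decides; DEFAULT_BLOCK is appended so something always matches."""
    for rule in rules + [DEFAULT_BLOCK]:
        if rule.iface not in ("*", pkt.in_iface):
            continue
        if rule.proto not in ("*", pkt.proto):
            continue
        if ip_address(pkt.src) not in rule.src:
            continue
        return rule.action, rule.label
    raise AssertionError("unreachable: DEFAULT_BLOCK matches everything")


def outbound_nat(pkt: Packet, rules: List[NatRule], out_iface: str = "WAN") -> Optional[str]:
    """Address the source is rewritten to on out_iface, or None if no NAT rule covers it."""
    for rule in rules:
        if rule.iface == out_iface and ip_address(pkt.src) in rule.src:
            return rule.nat_address
    return None


def forward(pkt: Packet, rs: Ruleset) -> Tuple[str, str]:
    """Outcome for a packet entering on LAN and bound for the internet: (result, detail)."""
    action, label = filter_decision(pkt, rs.filter_rules)
    if action != "pass":
        return "blocked", label                 # what the firewall log entry shows
    nat = outbound_nat(pkt, rs.nat_rules)
    if nat is None:
        return "forwarded-unnatted", pkt.src    # leaves with a private source; replies never return
    return "forwarded", nat


def default_ruleset() -> Ruleset:
    """What pfSense generates on its own: one LAN-net pass rule, automatic NAT for LAN net only."""
    return Ruleset(
        filter_rules=[FilterRule("LAN", "*", LAN_NET, "pass", "Default LAN -> any")],
        nat_rules=[NatRule("WAN", LAN_NET, WAN_IP)],
    )


def aon_only_ruleset() -> Ruleset:
    """The intermediate state in the thread: AON rules for both subnets, LAN tab untouched."""
    rs = default_ruleset()
    rs.nat_rules.append(NatRule("WAN", STORE2_NET, WAN_IP))
    return rs


def fixed_ruleset() -> Ruleset:
    """The final working state: AON for both subnets plus the store2 pass rule on LAN."""
    rs = aon_only_ruleset()
    rs.filter_rules.append(FilterRule("LAN", "*", STORE2_NET, "pass", "store2_subnet -> any"))
    return rs


if __name__ == "__main__":
    store1 = Packet("LAN", "tcp", "192.168.10.50", "198.51.100.7")   # constructed hosts
    store2 = Packet("LAN", "icmp", "192.168.1.20", "198.51.100.7")
    for name, rs in (("default", default_ruleset()), ("AON only", aon_only_ruleset()),
                     ("fixed", fixed_ruleset())):
        print(f"{name:9} store1: {forward(store1, rs)}  store2: {forward(store2, rs)}")
```

Running it prints "blocked" with the default-block label for the Store2 packet in the first two states, which is exactly the log line hdokes quoted, and "forwarded" with the WAN address only once both the NAT rule and the LAN pass rule exist. The filter check is keyed on the ingress interface, which is why GruensFroeschli's answer to jor-el puts the allow rule on the OPTx interface that VLAN2 enters on rather than on LAN.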



  • GruensFroeschli…. you are a tonic for my befuddled brain.  That worked!  :)

    Still not sure that I fully understand it but let me digest it here a bit and I will follow up here with some closing comments.

    Thanks again to everyone who assisted.... I really appreciate it.

