Two PFsense systems cannot NAT

hansru

Hello,

Having two systems Alix 2C1, running PFSense 1.2RC4, I try to Port Forward the Webgui through NAT. However this fails.

|–-----| |--------|
-- WAN --| PF1 |--LAN------LAN--| PF2 | -- WIFI
|-------| |--------|
| |
DMZ WIFI

I try to NAT, read all documentations, troubleshooting etc.
LAN PF1 is 192.168.16.1 , LAN PF2 is 192.168.16.112, Can PING back and forth, can access both GUI's
from A Laptop in the WAN, however through WAN portforwarding for managing the PF2 remote does not work. Although other devices connected to PF1 and portwarding are working fine.

What am I doing wrong ??

Thanks in advance
Hans

GruensFroeschli

Are your two webGui's on different ports?
You cannot have the webGui of pfSense1 on port 80 and then forward port 80 to pfSense2.

hansru

No ofcourse not,
I have forwarded two other devices on port 81 and 82, I gave the second PFsense port 83 at the WAN, and then the GUI and PF2 at port 80.
The strange thing is I can Ping back and forth..

any ideas?

hansru

anyone having any suggestions ?
I can NAT with two AP's on the same PFSense system, however with an additional PFsense system I cannot NAT to the PFSense system ?
thanks,
Hans

GruensFroeschli

small question: what did you do with the WAN of the PF2?

Could you show a screenshot of one of the NAT rules you did on the PF2?

hansru

I tried it again. But unfortunately no success.
Attached the images of my settings.
Except for the 192.168.16.112 I've made another one to 192.168.1.50. I can ping, get replies etc. but no port forwarding.

Thanks in advance for your help

PF1_adv.jpg_thumb

PF2_adv.jpg_thumb

PF1_NAT.jpg_thumb

PF1_Rules_WAN.jpg_thumb

PF2_Rules_WAN.jpg_thumb

PF2_status_interface.jpg_thumb

GruensFroeschli

again:

|–-----| |--------|
-- WAN --| PF1 |--LAN------LAN--| PF2 | -- WIFI
|-------| |--------|
| |
DMZ WIFI

Where is the WAN on your pfSense 2?
If your "LAN" is the WAN then it will not work.

hansru

Ok, the chart should look like this:

|–-----| |--------|
-- WAN --| PF1 |--LAN------WAN*-| PF2 | -- WIFI
|-------| |--------|
| |
DMZ WIFI

*Wan is 192.168.1.150 (also shown in the images)

hansru

Is there anyone with a good idea how i can NAT two PfSense systems ?
I can ping both back and forth, however no way I can achieve it. It really drives me crazy.

Thanks in advance

GruensFroeschli

ok now i'm really confused:

LAN PF1 is 192.168.16.1

*Wan is 192.168.1.150

How should LAN of PF1 be able to communicate with WAN* if they are not in the same subnet?

Maybe you should make a "clear" diagram of which IP-range is where, and what should have access to where.

Whenever i start setting a new network enviroment up i first sit down with a lot of paper and do the planning work without even thinking about plugging any cables anywhere in or setting up any rules.

hansru

As per your request the diagram:

PFSense1 / Alix 2c1 bios v0.99 / R 1.2RC4 full (on microdrive)
PFSense2 / Alic 2c0 bios v0.99 / R 1.2RC4 full (on microdrive)

PF1 vr0 LAN 192.168.16.1/24 DHCP Server
vr1 WAN 10.0.0.10/24 DHCP client from ADSL modem
vr2 DMZ 192.168.1.1/24 DHCP Server
ath0 Wifi A 192.168.4.1/24 DHCP Server

PF2 vr0 LAN 192.168.16.110/24 Static IP
vr1 WAN 192.168.1.150/24 DHCP client assigned by PF1
ath0 WIFI B disabled
ath1 WIFI C disabled

I can ping from PF1 to PF2 WAN (192.168.1.150) from WAN / DMZ / WIFI /LAN
I can also ping from PF2 to PF1

What I want to achieve is to have access to the WEBgui on PF2 through PF1 to enable remote support. Is there anyone who knows what to do?
It drives me crazy..

network.jpg_thumb

GruensFroeschli

Did you create an advanced outbound NAT entry for your DMZ (and all other OPTx)?
http://forum.pfsense.org/index.php/topic,7001.0.html

Try setting the webgui of pfSense2 on port to (something_else_than_80) and create the rule on pfSense1 accordingly.
DONT forward from 85 to 80 at first.
Just a simple 8181 –> 8181 or so

hansru

ok, thanks for your input.

what i did is i reconfigured Webgui on PF2 to port 8181
I created a NAT port under port Forward

Also created a rule on the WAN. Do not understand what you mean with the Advanced Outbount NAT
Could you please give some guidance.

FIRewall_WAN.jpg_thumb

NAT.jpg_thumb

GruensFroeschli

The firewall rule should have as source-port * and NOT 8181.
If a client initiates a connection to you it orginates from a random port. NOT the same as the destination port.

To the advanced outbound NAT rule:
Read the link i provided above!:
http://forum.pfsense.org/index.php/topic,7001.0.html
@http://forum.pfsense.org/index.php/topic:

If you want to have Internet access from multiple LAN subnets (on various OPTx interfaces) enable Advanced outbound NAT.
You need to create a rule for every subnet you want NAT'ed.
Alternatively you can change the source of single existing rule from LAN to "any" thus NAT'ing everything.
(screenshots to clarify: http://forum.pfsense.org/index.php/topic,7693.0.html )
This might create a problem for FTP with multiWAN
more here: http://forum.pfsense.org/index.php/topic,7096.msg40810.html#msg40810

hansru

Thanks for the fast response,

It has now be changed. However the AON does bother me. Í've read it several times, but do not fully understand this. does not work yet.

regards,

AON.jpg_thumb

Firewall_Wan_v2.jpg_thumb

GruensFroeschli

The AoN rule you create basically tells pfSense manually which subnets should be NATed where.
With the rule you created you NAT your DMZ-subnet to WAN (which you want).

You will need to create another rule for every subnet you want NATed too (ie. WifiA and LAN in your diagramm).

so it stil does not work.
hmm,….

Did you change the source port to * on the pfSense 1 firewall rule too?

hansru

Yep, the rule in the firewall has also been updated to *

Attached the AON's for the three interfaces.

Still not succesful. Did you read my PM ?

regards,

AON2.jpg_thumb