Multi-pfSense & Multi-LAN inbound routing issue



For the most part my setup has been working as I intended, but I now need to forward external internet traffic, and this is where I'm struggling to get to grips with things.

I have two pfSense routers, both running on the same physical Hyper-V box. One has the WAN connection and runs the main house traffic. I have an Xbox and a bit of software that require ports forwarded, which works OK. The Xbox uses UPnP and the dash software is just a single port.

The second pfSense router runs my lab environment. This doesn't run DHCP, as I have an Active Directory DC that does all of that good stuff. The lab's networks have outbound internet access via the DC's DNS resolution and the gateway on the main LAN segment (BSG100) in the lab, which is 192.168.100.1.

I'm trying to get external access to the lab systems from the internet. What I'm actually trying to do is enable DirectAccess, but for now, if I can get onto port 80 of my main virtual server, that would put me on the right track. The diagram at the bottom of the post should show you the network layout (I threw it together quickly, so apologies for the mess that it is).

So on my main pfSense router I have a NAT port forward set up to 192.168.100.10, which also creates a firewall rule. I have a gateway on the VMsToInternet interface, which is 192.168.50.1. There is also a route for 192.168.100/0 using this gateway.

I can ping from the 192.168.100.x network to the home network on 192.168.0.x, but not the other way around. I'm guessing this is issue #1 that needs to be resolved. Looking at the rules, there is nothing that blocks the traffic. I have an allow rule with HomeLAN as the source and * as the destination network. I also have an allow rule with * source and * destination on the VMsToInternet interface (main pfSense side). I also have the same allow-everything rule on the 2nd pfSense router too. I can ping 192.168.50.1, which is the interface on the main pfSense router, but I can't ping 192.168.50.12 (DHCP-assigned by the main pfSense router) from the home network.

Looking at the firewall logs on the main pfSense router, the ping request isn't getting blocked. I'm not really great with networks and am a little stuck now.

Can anyone suggest the next steps?
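One way to sanity-check the routing side of a two-router setup like this, as an added example that is not from the thread: it models the two routing tables in Python (the lab router's entries and the 192.168.50.12 next hop are assumptions; the post only gives the main router's addresses), does longest-prefix lookups, and traces the forward and return path of a flow so a missing route, an asymmetric path, or a next hop that is the router's own address shows up before digging into firewall rules.

```python
import ipaddress

# Constructed routing tables modelled on the post's addresses. The lab router's
# entries and the 192.168.50.12 next hop are assumptions, not from the post.
ROUTERS = {
    "main": {"addrs": {"192.168.0.1", "192.168.50.1"},
             "routes": [("192.168.0.0/24", None),              # HomeLAN, connected
                        ("192.168.50.0/24", None),             # VMsToInternet, connected
                        ("192.168.100.0/24", "192.168.50.12")]},  # static route to lab
    "lab":  {"addrs": {"192.168.50.12", "192.168.100.1"},
             "routes": [("192.168.50.0/24", None),             # lab WAN side, connected
                        ("192.168.100.0/24", None),            # BSG100, connected
                        ("0.0.0.0/0", "192.168.50.1")]},       # default via main pfSense
}

def lookup(router, dst):
    """Longest-prefix match over one router's table; returns (network, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in ROUTERS[router]["routes"]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def owner(addr):
    """Which router holds this address on one of its interfaces, if any."""
    return next((n for n, r in ROUTERS.items() if addr in r["addrs"]), None)

def trace(first_router, dst, max_hops=8):
    """Hop-by-hop forwarding decision from first_router toward dst."""
    path, router = [first_router], first_router
    for _ in range(max_hops):
        route = lookup(router, dst)
        if route is None:
            return path + ["NO-ROUTE"]
        net, nh = route
        if nh is None:                      # connected segment: ARP and deliver
            return path + ["DELIVERED"]
        nxt = owner(nh)
        if nxt is None or nxt == router:    # no device owns the gateway, or it is ourselves
            return path + ["BAD-NEXT-HOP:" + nh]
        path.append(nxt)
        router = nxt
    return path + ["LOOP"]

def check_both_ways(router_a, host_a, router_b, host_b):
    """Forward and return path for one flow; if they differ in outcome, replies die."""
    return trace(router_a, host_b), trace(router_b, host_a)

if __name__ == "__main__":
    print(check_both_ways("main", "192.168.0.20", "lab", "192.168.100.10"))
    ROUTERS["main"]["routes"][2] = ("192.168.100.0/24", "192.168.50.1")  # gateway as in the post
    print(trace("main", "192.168.100.10"))
```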

