Hyper-V pfSense Between 2 LANs



  • I decided to finally test pfSense after hearing about it a while ago, but I am unable to get it working (even after doing a lot of research on these forums and others).  I'm hoping someone might have some insight.

    My Setup

    I need to keep the ISP router where it is and performing its current function (acting as a gateway).  So I can't set up a bridge, which I understand would make this easier.  Also, everything from the virtual external switch and on (to the right) is virtualized in Hyper-V.

    Internet--->ISP Router (network=192.168.2.0/24) (IP=192.168.2.1)--->Hyper-V Host with 1 physical NIC (physical NIC is an external virtual switch in Hyper-V)--->pfSense WAN interface (IP=192.168.2.250)--->pfSense LAN interface (IP=192.168.1.1)--->internal virtual switch (network=192.168.1.0/24)--->Server2012R2 VM (IP=192.168.1.254)

    I have my desktop computer wired into the ISP router with an IP of 192.168.2.254.  The Hyper-V host is connected to the external virtual switch with an IP of 192.168.2.253.  I also have another Server2012R2 VM connected to the external virtual switch with an IP of 192.168.2.252.

    My goal is to have the pfSense VM route between the two LANs, 192.168.2.0 and 192.168.1.0

    My Problem

    I can't get internet connectivity on the 192.168.1.0 LAN, which is the one behind pfSense.  From the VM on that side (192.168.1.254), I can ping pfSense's LAN interface (192.168.1.1),  as well as ping pfSense's WAN interface (192.168.2.250).  However, I cannot ping anything beyond that, whether it is my desktop, the ISP router or Google.

    From my desktop located on the 192.168.2.0 LAN (the WAN side of pfSense), I can ping all other hosts on that side, including the ISP router, as well as pfSense's WAN interface (192.168.2.250).  However, I cannot ping the pfSense's LAN interface (192.168.1.1).

    From pfSense itself, I can ping the host on the LAN side, both interfaces, any host on the WAN side, the ISP router, and Google.

    Please note that I'm using IP addresses for my pings.

    My Settings

    -uncheck block private addresses and block bogon networks on both pfSense interfaces
    -tried both without and with a default gateway on the WAN side of 192.168.2.1 (ISP router)
    -tried both disabling any NAT and having automatic NAT
    -the default rule on the LAN interface of allow anything from LAN is there
    -I added a rule to the WAN interface saying allow IPv4 and IPv6 with any protocol from any source to any destination with any gateway

    At this point I just want to get connection to the LAN side and then I can tighten up the rules later.

    If anyone has any suggestions or ideas, I would be glad to hear them!

    Thanks!!

    EDIT: I also tried adding a third virtual NIC (connected to the external virtual switch and with an IP of 192.168.2.249) thus making it a "LAN" interface, so to speak.  I then disabled the WAN interface as well as added a firewall rule for the new interface to allow all, but still had the same issue.



  • @soccer08:


    You don't explicitly mention it. But is the PFSense LAN interface on the same internal switch as your 2012 VM?



  • Yes it is.  The Hyper-V host, along with another Server 2012R2 VM and the pfSense WAN interface are all connected to the same external virtual switch (which is the 192.168.2.0 network).  The pfSense LAN interface and the other Server 2012R2 VM are connected to the same internal virtual switch (the 192.168.1.0 network).

    I tried running Untangle last night in the same way (with the pfSense VM turned off) to see if anything would change and it had the same issue.  I tried similar solutions with it, such as having 2 LAN interfaces instead of 1 WAN and 1 LAN, but no luck.

    I'm not sure if this is a basic networking issue or if it has more to do with the virtualized environment.



  • I would guess that you have your clients on the 192.168.2.0 network set to a subnet mask of 255.255.255.0 and the ISP router as default GW (192.168.2.1)?
    In that case it says that anything going to something other than 192.168.2.X should be sent to the ISP router, and that router doesn't know that anything going to 192.168.1.X should be routed to 192.168.2.250.

    So there is one problem. The easy fix is to add a static route to your ISP router - if it can do static routing.

    For the traffic on the 192.168.1.X network I would say it's a NAT problem. That traffic must be masked so that it looks like it's coming from 192.168.2.250 so that your ISP router can handle it.



  • Yes, you would be correct!

    Is there a hard fix for that? lol.  There is no way to enable/implement static routes on the Bell router.

    Must be masked, eh?  That's interesting, I never thought of that!  I was only thinking that I needed to avoid a double NAT situation.  I will give that a try.

    Thanks for the suggestions!



  • So I was able to get it partly working: I enabled automatic outbound NAT, but it still wasn't working at that point.

    I checked the pfSense documentation and apparently in order for NAT to work, you must have a gateway specified on the Interfaces>WAN page.

    I thought having a default gateway pointing to my ISP router on the Routing page was enough.  It turns out I also had to enable the IPv4 Upstream Gateway on the Interfaces>WAN page.  In my previous testing, I never had each of them enabled/specified at the same time.

    So now I am able to ping from the pfSense LAN side (192.168.1.0 network) to any host on the WAN side (192.168.2.0 network), including my ISP router, as well as Google.

    The problem is that nothing on the WAN side can ping anything on the LAN side (most likely due to the lack of a static route in the ISP router as suggested by Mats).

    At least half of the problem is solved now, but again, if anyone has any ideas about this other half, that would be great!



  • @soccer08:


    Remember that the devices behind PFSense (in the PFSense protected LAN) are "hidden" from the WAN network. It's the exact same principle as to why people on the internet cannot ping your desktop computer.

    Just that in this case WAN for PFSense is just another private network.

    Your setup is like this:

    Internet <--- NAT ---> (Public IP) ISP Modem (Private IP) <---- NAT ----> (192.168.2.250) PFSense <--- LAN ---> Clients behind PFSense
                                                              <---- LAN ----> Clients directly connected to ISP Modem

    If you want clients connected to the ISP modem to be able to talk to clients behind PFSense you will need to setup appropriate port forwarding and firewall rules to allow the traffic.

    Additionally Mats is correct. If your router doesn't support static routes you can add them to the clients themselves.

    For Windows you can use:
    route add 192.168.1.0 mask 255.255.255.0 192.168.2.250 metric 2 (Add -p for permanent)
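    Mats' point above (a 192.168.2.0/24 host sends its reply to the ISP router, which has no route back to 192.168.1.0/24) and JBNixx's two fixes (outbound NAT on pfSense, or a static route on each client) can be checked with a small routing simulation. This is an added example, not code from this thread or from pfSense: it models only the two LANs with the thread's addresses, using longest-prefix match like a real host routing table; the node names ("lan_vm", "pfsense", "desktop", "isp_router") and the "upstream" hop are constructed.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def host(*ifaces, default=None, static=()):
    """Constructed host: an on-link route per interface, optional static routes, optional default gateway."""
    ips = [ipaddress.ip_interface(i) for i in ifaces]
    routes = [(i.network, None) for i in ips] + [(ipaddress.ip_network(p), nh) for p, nh in static]
    if default:
        routes.append((ANY, default))
    return {"ips": {str(i.ip) for i in ips}, "routes": routes}

def next_hop(h, dst):
    """Longest-prefix match; None means dst is on-link (deliver directly)."""
    d = ipaddress.ip_address(dst)
    return max((r for r in h["routes"] if d in r[0]), key=lambda r: r[0].prefixlen)[1]

def trace(nodes, src, dst, max_hops=6):
    """Follow one packet hop by hop; the path ends at dst's owner, or at 'dropped' when a hop
    (here: the ISP router, which has no route for 192.168.1.0/24) sends it off the modelled network."""
    owner = {ip: name for name, h in nodes.items() for ip in h["ips"]}
    path, node = [src], src
    for _ in range(max_hops):
        if dst in nodes[node]["ips"]:
            return path
        nxt = owner.get(next_hop(nodes[node], dst) or dst)
        if nxt is None:
            return path + ["dropped"]
        path.append(nxt)
        node = nxt
    return path + ["loop"]

def round_trip(nodes, src, src_ip, dst_ip, nat_ip=None):
    """Echo request plus echo reply. With nat_ip, pfSense's outbound NAT rewrites the request's
    source to its WAN address, so the reply is addressed to pfSense, which translates it back."""
    fwd = trace(nodes, src, dst_ip)
    if fwd[-1] in ("dropped", "loop"):
        return fwd, [], False
    if nat_ip and "pfsense" in fwd[1:-1]:
        back = trace(nodes, fwd[-1], nat_ip)
        if back[-1] == "pfsense":
            back += trace(nodes, "pfsense", src_ip)[1:]
    else:
        back = trace(nodes, fwd[-1], src_ip)
    return fwd, back, back[-1] == src

def topology(desktop_static=()):
    """The thread's addresses; desktop_static models JBNixx's 'route add' on the Windows desktop."""
    return {
        "lan_vm": host("192.168.1.254/24", default="192.168.1.1"),
        "pfsense": host("192.168.1.1/24", "192.168.2.250/24", default="192.168.2.1"),
        "desktop": host("192.168.2.254/24", default="192.168.2.1", static=desktop_static),
        "isp_router": host("192.168.2.1/24", default="upstream"),  # Bell router: no static routes
    }
```

    Without NAT or a static route, the LAN VM's ping reaches the desktop but the reply ends at the ISP router; with outbound NAT the reply is addressed to 192.168.2.250, and with the static route on the desktop the reply goes to pfSense directly, which also lets the desktop reach 192.168.1.1.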



  • Thanks JBNixx.  Yeah I ended up setting static routes on the various computers in order to get them working.

    Another quick question for everyone: I am trying to set up CARP.  I have added a second pfSense VM.  I created a private virtual switch in Hyper-V.  I then added a third NIC in each pfSense as OPT1.  OPT1 in the first pfSense is 192.168.3.1/24 and OPT1 in the second pfSense is 192.168.3.2/24.

    However, CARP won't work as I cannot ping between these two interfaces.  I have created the rule on both OPT1 interfaces to allow any protocol from any interface to any source, but no luck.



  • @soccer08:

    Another quick question for everyone:

    Probably best to start another topic/post if you want to attract responses regarding CARP vs. Hyper-V and 2 LAN.

