Building client network in the lab - Pfsense and UniFi

Hey all!

I’m currently setting things up so I can pre-configure setups for clients at our own lab, but I’ve run into an issue. The network I’m configuring consists of a pfSense FW and some UniFi gear, pretty basic stuff.
The fw is configured and its WAN is a LAN address behind our company pfSense. It’s a separate lab VLAN that can only go out to the internet.
Devices behind the client/second pfSense can connect to the internet without issues; however, it’s not possible to connect the UniFi gear to our controller. That controller is hosted in our company LAN. Pinging its FQDN works, but the set-inform fails and the status is “Unkown error (11)”.

I’m thinking it’s related to the double NAT; does anyone know how I can solve this?


Double NAT isn’t likely to be an issue. Not having a rule for hairpin NAT (aka NAT Reflection in pfSense) is more likely to be an issue. If a device on your LAN (the customer UniFi devices) is trying to reach the public IP of your firewall (because that’s what the FQDN resolves to, and it’s port forwarded to the controller), then you need hairpin NAT. When the ping succeeds, isn’t that because the FQDN is your public IP, and so the devices are just pinging the firewall/router?

Another possibility: you said that the client VLAN can only communicate with the internet, so you probably need to whitelist your UniFi controller, even if the devices are using your public IP and you have hairpin NAT set up.

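As an added illustration, not taken from the original post or from the pfSense project, here is what the two pieces of the reply above (hairpin NAT plus a whitelist rule for the lab VLAN) look like written in pf syntax, the packet filter that pfSense is built on. On pfSense itself you would not edit pf.conf by hand; you enable NAT Reflection on the port-forward rule (or globally under System > Advanced > Firewall & NAT) and add a firewall rule on the lab VLAN interface, and pfSense generates rules equivalent to these. The interface names, addresses and the UniFi inform port (TCP 8080) are assumptions chosen for the example.

```pf
# Added example in pf syntax; pfSense generates equivalent rules from its GUI.
# Every name and address below is assumed for illustration only.
ext_if     = "vmx0"            # company pfSense WAN interface
lab_if     = "vmx1.20"         # lab VLAN, where the client pfSense's WAN sits
lan_if     = "vmx1"            # company LAN, where the controller lives
wan_ip     = "203.0.113.10"    # public IP the controller FQDN resolves to
lab_net    = "10.20.0.0/24"    # lab VLAN subnet
controller = "192.168.10.5"    # UniFi controller on the company LAN
inform     = "8080"            # UniFi device inform port (TCP), assumed

# 1. Normal port forward for devices arriving from the internet.
rdr on $ext_if proto tcp from any to $wan_ip port $inform -> $controller port $inform

# 2. Hairpin NAT (pfSense "NAT Reflection"): the same redirect, but for lab
#    devices that resolve the FQDN to the public IP. Without this rule the packet
#    arrives on $lab_if addressed to the firewall itself and is never forwarded
#    to the controller, which matches the failing set-inform in the question.
rdr on $lab_if proto tcp from $lab_net to $wan_ip port $inform -> $controller port $inform

# 3. Outbound NAT towards the controller. Strictly needed only when client and
#    server share a segment (otherwise the reply bypasses the firewall); here
#    lab and LAN are separate VLANs so it is optional, but it keeps the return
#    path unambiguous and mirrors pfSense's automatic outbound NAT for reflection.
nat on $lan_if proto tcp from $lab_net to $controller port $inform -> ($lan_if)

# 4. Whitelist: the lab VLAN is otherwise internet-only, so the redirected
#    inform traffic must be explicitly passed to the controller. Note the pass
#    rule matches the post-rdr destination ($controller), not the public IP.
pass in quick on $lab_if proto tcp from $lab_net to $controller port $inform flags S/SA keep state
```

The order matters in the sense that pf applies the rdr translation before evaluating pass rules, so the whitelist rule has to name the controller's internal address rather than the public IP that the UniFi device originally connected to. If the controller also needs other ports (for example for device adoption or STUN), each one needs its own rdr and pass entry in the same shape.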