Lab Firewall Routing Issue

I have two lab servers, both in the 172.16.1.1/24 range. One is being used as a NAS while the other is being used as a hypervisor. The ESXi server contains the pfsense firewall with VMs in the 192.168.1.1/24 range. The VMs are unable to access the NAS. What settings do I need to modify in pfsense so the VMs on 192.168.1.1/24 can hit the NAS at 172.16.1.2?

NAS - 172.16.1.2
ESXi - 172.16.1.3
pfsense lab firewall WAN on ESXi - 172.16.1.4
VM LAN behind pfsense - 192.168.1.1/24

Routing NAS traffic via a firewall is less than ideal, but should work as long as pfsense is routing traffic.

Definitely not ideal, but the only option I have.

I can ping the NAS from behind pfsense, but I can’t hit the website or access the SMB share. I can only access the share or webpage from the 172.16 network. I’m using TrueNAS, which does not have a local firewall that could be preventing access (that I’m aware of).

Worth checking the firewall logs to see what’s blocked, check for ports 445 (SMB) and 443 (HTTPS).

To confirm, it looks more / less like this?

image

Yes, that’s basically the design. Where would I check the firewall rules? Nothing is being blocked outbound via pfsense.

Check the documentation out here: System Monitoring — Viewing the Firewall Log | pfSense Documentation

Also worth running a traceroute from both ends to make sure routing works as expected and TrueNAS has a route to the lab VM network.

  1. If your “WAN” interface of pfSense is blocking RFC 1918 addresses, be sure to disable it to allow traffic coming back from your NAS to reach your VMs. Even if you have rules that let your VMs go out freely, returning packets will probably get dropped because of that.

  2. Are you NATing the traffic that goes out of your pfSense towards your NAS?

  3. What is the gateway of your NAS? If you are using your physical switch as a L3 routing device to reach pfSense, you must add a route to 192.168.1.0/24 network via 172.16.1.4 in the L3 switch if pfSense isn’t NATing.

  4. On TrueNAS, be sure you have bound its web page to 172.16.1.2.

  5. If you put a VM on the vswitch0 (aka same network as TrueNAS) and set a static IP on it (i.e. 172.16.1.99/24), can you ping TrueNAS? Can you access the web page?
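As an added example (not posted by anyone in this thread), here is a small Python triage script for the log check suggested earlier and for point 1 above: it parses pfSense filterlog lines and lists blocked TCP/UDP flows between the VM LAN and the NAS on 445 (SMB) and 443 (HTTPS), in both directions, so a dropped return packet on the WAN side shows up alongside a dropped outbound one. The log lines and the interface names vmx0 (WAN) and vmx1 (LAN) are constructed for illustration, not taken from the poster's firewall.

```python
# Added example: parse pfSense filterlog lines and flag blocked flows between
# the VM LAN (192.168.1.0/24) and the NAS (172.16.1.2). Field order follows the
# pfSense filterlog CSV format; log lines and interface names are constructed.
import ipaddress

VM_LAN = ipaddress.ip_network("192.168.1.0/24")
NAS = ipaddress.ip_address("172.16.1.2")
NAS_PORTS = {443: "HTTPS", 445: "SMB"}

# Constructed sample: vmx0 = WAN (172.16.1.4 side), vmx1 = LAN (VM side).
SAMPLE_LOG = """\
Jan 1 10:00:01 pfSense filterlog[1234]: 5,,,1000000103,vmx0,match,block,in,4,0x0,,64,1,0,DF,6,tcp,60,192.168.1.50,172.16.1.2,49152,445,0,S,1,,65535,,mss
Jan 1 10:00:02 pfSense filterlog[1234]: 4,,,1000000102,vmx1,match,pass,in,4,0x0,,63,2,0,DF,1,icmp,84,192.168.1.50,172.16.1.2,datalength=64
Jan 1 10:00:03 pfSense filterlog[1234]: 12,,,1000000105,vmx0,match,block,in,4,0x0,,64,3,0,DF,6,tcp,60,172.16.1.2,192.168.1.50,445,49153,0,SA,2,,65535,,mss
Jan 1 10:00:04 pfSense filterlog[1234]: 5,,,1000000103,vmx1,match,block,in,4,0x0,,64,4,0,DF,6,tcp,60,192.168.1.50,172.16.1.2,49154,443,0,S,3,,65535,,mss
"""


def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None for anything else."""
    if "filterlog" not in line or "]: " not in line:
        return None
    f = line.split("]: ", 1)[1].split(",")
    if len(f) < 20 or f[8] != "4":  # only IPv4 records carry this layout
        return None
    rec = {"rule": f[0], "tracker": f[3], "iface": f[4], "action": f[6],
           "dir": f[7], "proto": f[16],
           "src": ipaddress.ip_address(f[18]), "dst": ipaddress.ip_address(f[19])}
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def blocked_nas_flows(log_text):
    """Blocked TCP/UDP flows, in either direction, between the VM LAN and the NAS."""
    hits = []
    for line in log_text.splitlines():
        r = parse_filterlog(line)
        if not r or r["action"] != "block" or "dport" not in r:
            continue
        vm_to_nas = r["src"] in VM_LAN and r["dst"] == NAS
        nas_to_vm = r["src"] == NAS and r["dst"] in VM_LAN
        if not (vm_to_nas or nas_to_vm):
            continue
        svc_port = r["dport"] if vm_to_nas else r["sport"]  # NAS-side port
        hits.append({"iface": r["iface"], "dir": r["dir"], "rule": r["rule"],
                     "service": NAS_PORTS.get(svc_port, f"port {svc_port}"),
                     "flow": f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]}'})
    return hits


if __name__ == "__main__":
    for h in blocked_nas_flows(SAMPLE_LOG):
        print(h)
```

A block logged on the WAN interface with the NAS as source is the return-path drop described in point 1; a block on the LAN interface with a VM as source points at the outbound rule set instead.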

Thanks for the reply, I got it working. It ended up being an issue where I just needed to create a firewall rule to send that destination out the default gateway rather than the “WAN” interface.