Lab Firewall Routing Issue

I have two lab servers, both in the range. One is being used as a NAS while the other is being used as a hypervisor. The ESXi server contains the pfsense firewall with VM’s in the range. The VM’s are unable to access the NAS. What settings do I need to modify in pfsense so the VM’s on can hit the NAS at

ESXi -
pfsense lab firewall WAN on ESXi -
VM LAN behind pfsense -

Routing NAS traffic via a firewall is less than ideal, but should work as long as pfsense is routing traffic.

Definitely not ideal, but the only option I have.

I can ping the NAS from behind pfsense, but I can’t hit the website or access the SMB share. I can only access the share or webpage from the 172.16 network. I’m using TrueNAS, which does not have a a local firewall that could be preventing access (that I’m aware of).

Worth checking the firewall logs to see what’s blocked, check for ports 445 (SMB) and 443 (HTTPS).

To confirm, it looks more / less like this?


Yes, that’s basically the design. Where would I check the firewall rules? Nothing is being blocked outbound via pfsense.

Check the documentation out here: System Monitoring — Viewing the Firewall Log | pfSense Documentation

Also worth running a traceroute from both ends to make sure routing works as expected and Truenas has a route to the lab VM network.

  1. If your “WAN” interface of pfSense is blocking RCF1918 addresses, be sure to disable it to allow traffic coming back from your NAS to reach your vms. Even if you have rules that let your VMs go out freely, returning packets will probably get dropped because of that.

  2. Are you NATing the traffic that goes out of your pfSense towards your NAS?

  3. What is the gateway of your NAS? If you are using your physical switch as a L3 routing device to reach pfSense, you must add a route to network via in the L3 switch if pfSense isn’t NATing.

  4. On TrueNAS, be sure you have bound its web page to

  5. If you put a VM on the vswitch0 (aka same network as TrueNAS) and set a static IP on it (i.e, can you ping TrueNAS? Can you access the web page?

Thanks for the reply, I got it working. It ended up being an issue where I just needed to create a firewall rule to send that destination out the default gateway rather than the “WAN” interface.