Local Dual Firewall Rules

I’m setting up a dual pfSense firewall at home with a Perimeter (PFW) and Backend (BFW) configuration. This is my planned configuration.

I’m currently testing and setting things up so technical that the design is backward. But the concepts and requirements still remain the same.

What I need is to access the PFW from the BFW. So that I can access the Admin for the PFW and also be able to access the DMZ. Right now, I’m just trying to access the PFW admin portal. I can’t seem to access it. No bogon or private networks are blocked. And I even tried a port forward from the WAN to the LAN address.

What’s weird is that in pfTop I see it go in and to the destination IP but with a closed: syn_sent. Then I see it go out to my public IP to the private IP destination. So, I’m not quite sure what I’m doing wrong.

Basically, I need the IP to be able to access the FW at I also need to access and allow port monitoring back to

Just to make sure I am understanding what is going on here:

Do you want to be able to access it from the outside in? Or do you want to access it from the inside out? I had a setup when I was doing some experimenting where I would have untangle as a firewall and the UDM Pro setup and I was able to access the untangle firewall without any special rules/configurations other than assigning my UDM Pro a private internal IP address. If you can give me a little more info, I might be able to give you more meaningful advice and help.

What do you mean, access it from outside in or inside out?

BFW needs to access PFW or if you want to look at it a different way internal clients behind Firewall B need to access the internal admin portal on Firewall A and other internal networks that may reside on Firewall A. Keep in mind that all of this is with pfSense.

Is the interface with the address setup as a mgmt interface?

Yup, it’s set up similar to Netgate’s documentation on Strict Managment.

I resolved my issue. It’s static routes configuration, not port forwarding. But the WAN interface does need to be configured for other traffic.