Pfsense behind pfsense - no internet access

Was hoping to get some help. Not sure if this is DNS or routing related.

I run pfsense as the main firewall for my network. I also do a lot of helping others get started on managing their networks, so I’d like to be able to set up someone else’s pfsense device on my own network prior to bringing it to their location, which creates a nested NAT. However, I’m running into the problem where the nested pfsense devices aren’t able to reach the internet, limiting the amount of config I can do locally.

Primary network (pfsense 1)
Pfsense 2 is connected to a switch on pfsense 1 LAN, and receives as its WAN IP
Pfsense 2 LAN is configured as
I have disabled bogon and RFC 1918 blocking on pfsense 2 WAN, and have added as an upstream DNS server on pfsense 2, and have added a LAN rule allowing traffic from to network 1
I can ping devices on network 1 from pfsense 2, but cannot ping any WAN websites or IPs

What am I missing? I would love to be able to get this working, so I can also set up additional virtual pfsense devices internally to experiment.

Thanks in advance!

Does Pfsense 1 have additional DNS entries? I have and

Pfsense 2 does not need a rule; all it needs is upstream DNS.

Any packets from P2 go to P1 and then out.

P1 ... wan dhcp (secret)      lan static    DNS
P2 ... wan dhcp lan static   DNS

Yes, Pfsense 1 defaults to localhost for DNS resolver, and then has alternate DNS set up as well.
I can ping computers on LAN1 from Pfsense2, but cannot ping google or anything else.

To test internet connectivity and rule out DNS problems, try pinging internet servers by their IP address directly, e.g.

On pfSense 1, you need a rule on the network’s interface to pass traffic from to the internet. Test with allow all first and lock it down later when you know it works.

On pfSense 2, you need a rule on the network’s interface to allow access from this network to the internet (or start with allow all and lock down later). You don’t need a rule to allow traffic to there. As you said, you’re double NATing, therefore traffic is masqueraded behind pfSense 2’s WAN IP (which is

If this doesn’t work, please post screenshots of the rules so we can verify them.
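The layered check suggested above (LAN host, then a public IP, then a public name), as an added triage script that is not part of any post in this thread. The three target addresses are placeholders to be replaced with your own values; the diagnosis strings reflect the double-NAT pitfalls discussed in the thread.

```python
"""Layered reachability triage for a host behind a nested (double-NAT) pfSense.

Probes in order: a host on pfSense 1's LAN, a public IP, then a public name.
The first failing layer points at the likely cause: upstream link, routing/NAT
through pfSense 2, or DNS.
"""
import socket
import subprocess

# Placeholders (not from the thread): substitute your own addresses.
LAN1_HOST = "192.0.2.1"          # a host on pfSense 1's LAN, e.g. its LAN address
PUBLIC_IP = "192.0.2.2"          # any public address that answers ICMP echo
PUBLIC_NAME = "www.example.com"  # a name that must resolve via the upstream DNS


def ping(host: str, timeout_s: float = 2.0) -> bool:
    """Return True if `host` answers one ICMP echo within the timeout (POSIX ping)."""
    try:
        proc = subprocess.run(["ping", "-c", "1", host], capture_output=True,
                              timeout=timeout_s, check=False)
        return proc.returncode == 0
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return False


def resolves(name: str) -> bool:
    """Return True if `name` resolves to at least one address via the system resolver."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False


def diagnose(lan_ok: bool, ip_ok: bool, dns_ok: bool) -> str:
    """Map the probe pattern to the layer a double-NAT setup usually breaks at."""
    if not lan_ok:
        return "link: pfSense 2 WAN cannot reach pfSense 1 LAN; check WAN address and gateway"
    if not ip_ok:
        return ("routing/NAT: check pfSense 2 WAN gateway, bogon/RFC1918 blocking on "
                "pfSense 2 WAN, and pass rules on both firewalls' LAN interfaces")
    if not dns_ok:
        return "DNS: routing works; check the upstream DNS configured on pfSense 2"
    return "all layers OK"


def run_triage() -> str:
    """Run the probes in order and stop at the first failure."""
    lan_ok = ping(LAN1_HOST)
    ip_ok = lan_ok and ping(PUBLIC_IP)
    dns_ok = ip_ok and resolves(PUBLIC_NAME)
    return diagnose(lan_ok, ip_ok, dns_ok)


if __name__ == "__main__":
    print(run_triage())
```

The original poster's symptom (LAN reachable, public IPs not) maps to the routing/NAT branch; a DNS-only fault shows up as the last probe failing alone.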

I have just recently done this too, but I found that I didn’t need to create or change any firewall rules.

I connected the second pfSense box to my LAN with the WAN configured as DHCP and then just plugged my laptop into it to configure it.

The first mistake I made was to forget to disable the Bogon and RFC 1918 blocking, but that aside, I ran the wizard and didn’t have any issues until testing the VLANs, when I also couldn’t access the internet; that was down to me not having flushed the DNS on my laptop.

So this was all my fault, I did not configure the DNS correctly. Once I allowed the nested pfsense instances to reach my DNS server on LAN and configured it appropriately, everything started working.