Was hoping to get some help. Not sure if this is DNS or routing related.
I run pfsense as the main firewall for my network. I also do a lot of helping others get started on managing their networks, so I’d like to be able to set up someone else’s pfsense device on my own network prior to bringing it to their location, which creates a nested NAT. However, I’m running into the problem where the nested pfsense devices aren’t able to reach the internet, limiting the amount of config I can do locally.
Primary network 192.168.1.1/24 (pfsense 1)
Pfsense 2 is connected to a switch on pfsense 1 LAN, and receives 192.168.1.100 as its WAN IP
Pfsense 2 LAN is configured as 192.168.10.1/24
I have disabled bogon and RFC 1918 blocking on pfsense 2 WAN, and have added 192.168.1.1 as an upstream DNS server on pfsense 2, and have added a LAN rule allowing traffic from 192.168.10.1/24 to network 1
I can ping devices on network1 from pfsense 2, but cannot ping any WAN websites or IPs
What am I missing? I would love to be able to get this working, so I can also set up additional virtual pfsense devices internally to experiment.
Thanks in advance!
Does pfSense 1 have additional DNS entries? I have 127.0.0.1 and 22.214.171.124
pfSense 2 does not need a rule; all it needs is upstream DNS 192.168.1.1.
Any packets from P2 go to P1 and then out.
P1 ... wan dhcp (secret) lan static 192.168.1.1 DNS 127.0.0.1 126.96.36.199
P2 ... wan dhcp 192.168.1.100 lan static 192.168.10.1 DNS 192.168.1.1
Yes, Pfsense 1 defaults to localhost for DNS resolver, and then has alternate DNS set up as well.
I can ping computers on LAN1 from Pfsense2, but cannot ping google or anything else.
To test internet connectivity and rule out DNS problems, try pinging internet servers by their IP address directly, e.g.
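A small triage script, added here as an illustration and not posted by anyone in the thread, that follows the advice above: it probes the three layers separately (reach pfSense 1, reach a public address by IP, resolve a name through pfSense 1) and names the layer to look at first. It is meant to run from pfSense 2's shell; the 192.168.1.1 address is the thread's, while PUBLIC_IP and NAME are assumed placeholders.

```shell
#!/bin/sh
# Constructed triage for a nested pfSense: separates link, routing/NAT and DNS
# failures. Run as: sh triage.sh --run  (from pfSense 2's shell, FreeBSD)
UPSTREAM=192.168.1.1       # pfSense 1 LAN address, also the upstream DNS (from the thread)
PUBLIC_IP=1.1.1.1          # assumed: any public address that answers ping
NAME=example.com           # assumed: any public hostname

# probe <label> <command...>: runs the command quietly, prints ok/FAIL, returns its status
probe() {
    label=$1; shift
    if "$@" >/dev/null 2>&1; then
        echo "ok   $label"; return 0
    else
        echo "FAIL $label"; return 1
    fi
}

# classify <lan_status> <public_ip_status> <dns_status>
# Each argument is a shell exit status (0 = success). Prints the first layer
# that failed, so the fix is attempted in the order the packets travel.
classify() {
    if [ "$1" -ne 0 ]; then
        echo "wan-link"          # cannot even reach pfSense 1: WAN addressing / cabling
    elif [ "$2" -ne 0 ]; then
        echo "routing-or-nat"    # pfSense 1 reachable, but no path to the internet
    elif [ "$3" -ne 0 ]; then
        echo "dns"               # packets get out, names do not resolve: resolver config
    else
        echo "all-good"
    fi
}

run_triage() {
    probe "ping upstream gateway $UPSTREAM" ping -c 1 "$UPSTREAM"; lan=$?
    probe "ping public address $PUBLIC_IP" ping -c 1 "$PUBLIC_IP"; pub=$?
    # 'host NAME SERVER' queries the named server directly (pfSense 1 here)
    probe "resolve $NAME via $UPSTREAM" host "$NAME" "$UPSTREAM"; dns=$?
    echo "look first at: $(classify "$lan" "$pub" "$dns")"
}

# Probes only run when asked for, so the functions can be sourced without network access.
if [ "${1:-}" = "--run" ]; then
    run_triage
fi
```

If the second probe succeeds and only the third fails, the problem is purely DNS (which is where this thread ended up); if the second fails while the first succeeds, look at the pass rules and outbound NAT before touching the resolver.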
On pfSense 1, you need a rule on the 192.168.1.0/24 network’s interface to pass traffic from 192.168.1.100 to the internet. Test with allow all first and lock it down later when you know it works.
On pfSense 2, you need a rule on the 192.168.10.0/24 network’s interface to allow access from this network to the internet (or start with allow all and lock down later). You don’t need a rule to allow traffic to 192.168.1.0/24 there. As you said, you’re double NATing, therefore traffic is masqueraded behind pfSense 2’s WAN IP (which is
If this doesn’t work, please post screenshots of the rules so we can verify them.
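The rules the answer above describes, written out as hand-written pf.conf equivalents (pfSense generates its own ruleset from the GUI; this is an added illustration, not that generated ruleset or anything posted in the thread). Interface names em0/em1 are assumed; the addresses are the ones from the original post. The RFC 1918 block rule is included, commented out, because it is the default WAN setting the poster had to disable.

```pf
# Added illustration of the nested-NAT rules in pf.conf syntax (not pfSense output).
# Assumed interfaces on pfSense 2: em0 = WAN (192.168.1.100 on 192.168.1.0/24),
# em1 = LAN (192.168.10.1/24). Addresses are the thread's.
wan     = "em0"
lan     = "em1"
lan_net = "192.168.10.0/24"
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Outbound NAT on pfSense 2: its LAN is masqueraded behind its own WAN address,
# so pfSense 1 only ever sees 192.168.1.100 as the source and needs no route
# back to 192.168.10.0/24.
nat on $wan inet from $lan_net to any -> ($wan)

# pfSense's default "Block private networks" on WAN. In a nested setup the
# upstream network is itself RFC 1918 space, so this rule rejects every new
# connection initiated from pfSense 1's LAN (including DNS or management from
# that side); the poster disabled it, which is why it is commented out here.
# block in quick on $wan inet from $rfc1918 to any

# LAN rule on pfSense 2: the "allow all, lock down later" starting point.
# "any" already covers 192.168.1.0/24, so no separate rule for it is needed.
pass in quick on $lan inet from $lan_net to any keep state

# On pfSense 1 (its own LAN interface, also assumed em1): pfSense's default
# LAN rule already passes "LAN net to any", which includes 192.168.1.100.
# Only if that default was removed is an explicit rule like this required:
# pass in quick on $lan inet from 192.168.1.100 to any keep state
```

Because both pass rules are stateful, reply packets match the existing state table entry and are never evaluated against the block rule; what the private-network block stops is new inbound connections from the upstream LAN, and the DNS resolver on pfSense 2 forwarding to 192.168.1.1 is an outbound connection from pfSense 2 itself, so it needs the NAT entry and a working path to 192.168.1.1, not a LAN pass rule.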
I have just recently done this too, but I found that I didn’t need to create or change any firewall rules.
I connected the second pfSense box to my LAN with the WAN configured as DHCP and then just plugged my laptop into it to configure it.
The first mistake I made was to forget to disable the Bogon and RFC 1918 blocking, but that aside I ran the wizard and didn’t have any issues until testing the VLANs, when I also couldn’t access the internet, but that was down to me not having flushed the DNS on my laptop.
So this was all my fault, I did not configure the DNS correctly. Once I allowed the nested pfsense instances to reach my DNS server on LAN and configured it appropriately, everything started working.