cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2655
Views
0
Helpful
2
Replies

Cannot browse the internet from behind a pfsense firewall behind a cisco router/firewall

Adrian Bolzan
Level 1
Level 1

Hello,

 

device = cisco 2811, as firewall to interner.

 

We recently set up a pfSense firewall behind our cisco router. We had some trouble routing traffic from behind the pfsense through the cisco router out to the internet.

 

Internet -- cisco 2811 -- pfsense --internal pfsense private IP

 

Public IP of cisco, FastEthernet0/1 = 203.40.240.2

private IP of cisco, FastEthernet0/0 = 192.168.1.1/255.255.254.0

 

External interface of pfSense firewall = 192.168.1.20/255.255.254.0

Private IP of pfSense LAN = 172.16.1.1/255.255.240.0

Private LAN behind 172.16.0.0/255.255.240.0

 

 

The pfSense firewall is performing NAT on for outgoing data from its LAN (172.16.0.0/255.255.240.0).

The gateway for the pfsense firewall is the cisco FastEThernet0/0 interface.

 

We are unable to browse to the internet from the pfsense LAN.

 

HOWEVER, if we change the route so that the gateway for the pfsense firewall is a Vyatta router, which then sends traffic via a Billion modem/router and  a simple (home-style) ADSL2 connection, we can browse happily. There is no particular routing set up on the Billion  nor the vyatta router.

 

Just wondering if there is any particular considerations in a cisco world I need when we have a firewall behind another firewall.

My other option may be to treat the pfsense as a router and not a firewall but would like to work on the problem as it stands now.

 

Regards,

Adrian

2 Replies 2

William Benson
Level 1
Level 1

Can you ping the local ethernet interface on your 2811 from behind the firewall?

 

Can you ping the WAN interface on your 2811 from behind the firewall?

Thanks, William Benson.

 

we CAN ping the local ethernet interface on the 2811

we CAN ping the WAN interface on the 2811

 

we CANNOT ping the next hop after the 2811

 

we CAN successfulyl port forward from the internet to the pfsense private network, and get a response. it is only traffic initiated from the pfsense's private network to the internet that is failing.

 

we have got it working by doing other routing, bypassing the 2811 for traffic going out, and using another internet connection we have here.