• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Routing not working without outbound NAT

NAT
5
14
1.2k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • B
    Baby_newbie
    last edited by Jul 3, 2023, 10:51 PM

    Hello, I have a 2 interfaces pfsense box, WAN and LAN.

    I'm trying to send internet traffic to the Internet. it does not work. I have added some firewall rules to allow all traffic.

    If I enable the Outbound NAT 'Manual' it starts to work fine.

    Any ideas or help?

    B B 2 Replies Last reply Jul 3, 2023, 10:53 PM Reply Quote 0
    • B
      Baby_newbie @Baby_newbie
      last edited by Jul 3, 2023, 10:53 PM

      to add to the above, if I Disable Outbound rule generation all traffic from LAN to internet fails.

      J 1 Reply Last reply Jul 4, 2023, 6:17 AM Reply Quote 0
      • J
        JonathanLee @Baby_newbie
        last edited by JonathanLee Jul 4, 2023, 6:17 AM Jul 4, 2023, 6:17 AM

        @Baby_newbie you need to do network address translation to move traffic from private IP addresses to the public IP address or the wan side. You need to have NAT so LAN traffic can be translated to WAN traffic on the old interwebs.

        Make sure to upvote

        B 1 Reply Last reply Jul 4, 2023, 9:20 AM Reply Quote 0
        • B
          Baby_newbie @JonathanLee
          last edited by Jul 4, 2023, 9:20 AM

          @JonathanLee Thanks for the reply.
          Is this even if you are using rfc1918/private addressing on both sides of the interface?
          The WAN interface I have gets an ip from the dhcp/broadband server = 192.168.0.201.
          LAN is 192.168.2.1/24

          V J 2 Replies Last reply Jul 4, 2023, 11:17 AM Reply Quote 0
          • B
            Bob.Dig LAYER 8 @Baby_newbie
            last edited by Jul 4, 2023, 9:35 AM

            @Baby_newbie said in Routing not working without outbound NAT:

            I'm trying to send internet traffic to the Internet. it does not work.
            If I enable the Outbound NAT 'Manual' it starts to work fine.

            Highly unlikely.

            My advice, don't use a firewall at your knowledge state.

            1 Reply Last reply Reply Quote 0
            • V
              viragomann @Baby_newbie
              last edited by Jul 4, 2023, 11:17 AM

              @Baby_newbie said in Routing not working without outbound NAT:

              Is this even if you are using rfc1918/private addressing on both sides of the interface?
              The WAN interface I have gets an ip from the dhcp/broadband server = 192.168.0.201.
              LAN is 192.168.2.1/24

              Yes.
              You router will only know the WAN network of pfSense, but not the LAN. So he might nat only this subnet.

              With outbound NAT enabled on pfSense, traffic from the LAN behind it is translated into the WAN address. The outer router then translates it a second time into its internet IP.

              If you want to nat the traffic only once, you would have to configure the router to do the translation for the LAN subnet and also add a static route for the LAN and point it to pfSense WAN IP.

              B 1 Reply Last reply Jul 4, 2023, 3:02 PM Reply Quote 0
              • J
                JonathanLee @Baby_newbie
                last edited by Jul 4, 2023, 2:20 PM

                @Baby_newbie pfSense will auto add NAT config if you have to set to auto or hybrid. I would just leave it be. If you are new to this no problem and got this for cyber security I would set up IPS/IDS with snort and leave the default config with the PfSense wizard. That will get you running the fastest.

                Make sure to upvote

                V 1 Reply Last reply Jul 4, 2023, 2:30 PM Reply Quote 0
                • V
                  viragomann @JonathanLee
                  last edited by Jul 4, 2023, 2:30 PM

                  @JonathanLee said in Routing not working without outbound NAT:

                  pfSense will auto add NAT config if you have to set to auto or hybrid.

                  Yeah, but only if you state a gateway in the (WAN) interface settings. If you miss that no NAT rules are added.

                  M 1 Reply Last reply Jul 4, 2023, 2:34 PM Reply Quote 0
                  • M
                    mcury @viragomann
                    last edited by Jul 4, 2023, 2:34 PM

                    @viragomann I think what he is trying to accomplish is to disable NAT in pfsense to avoid double nat, and let the ISP modem do the natting to the internet.

                    If that is what he wants, he needs to add a static route in the ISP modem saying that his internal network is behing pfsense WAN's IP (next hop to internal network).

                    dead on arrival, nowhere to be found.

                    1 Reply Last reply Reply Quote 1
                    • B
                      Baby_newbie @viragomann
                      last edited by Baby_newbie Jul 4, 2023, 3:05 PM Jul 4, 2023, 3:02 PM

                      @viragomann With outbound NAT disabled, this is also what I was expecting the source ip not to change and having to add a static route on the BB router. Until I see the packet capture and attached capture from physical interfaces

                      Src of icmp = 192.168.2.225
                      pfsense
                      WAN today is 192.168.0.202
                      LAN = 192.168.2.1

                      No NAT
                      LAN
                      14:41:55.318906 IP 192.168.2.10.1093 > 192.168.2.1.80: tcp 0
                      14:41:56.050895 ARP, Request who-has 192.168.2.117 tell 192.168.2.225, length 46
                      14:41:56.269203 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 15, length 64
                      14:41:57.271272 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 16, length 64
                      14:41:58.273991 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 17, length 64

                      WAN
                      14:42:30.777093 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 226, length 8
                      14:42:30.780480 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 226, length 8
                      14:42:31.133872 a0:bd:cd:aa:9a:48 > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x7374), length 66:
                      14:42:31.236228 IP 192.168.0.161.60759 > 192.168.0.255.15600: UDP, length 35
                      14:42:31.301052 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 227, length 8
                      14:42:31.304596 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 227, length 8
                      14:42:31.338042 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 50, length 64
                      14:42:31.831135 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 228, length 8
                      14:42:31.835404 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 228, length 8
                      14:42:32.055272 a0:bd:cd:aa:9a:49 > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x7380), length 60:
                      14:42:32.341517 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 51, length 64
                      14:42:32.387908 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 229, length 8
                      14:42:32.388147 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 229, length 8
                      14:42:32.909470 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 230, length 8

                      With NAT
                      LAN
                      14:45:20.180546 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 64777, seq 19, length 64
                      14:45:20.200514 IP 8.8.8.8 > 192.168.2.225: ICMP echo reply, id 64777, seq 19, length 64
                      14:45:21.183339 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 64777, seq 20, length 64
                      14:45:21.202300 IP 8.8.8.8 > 192.168.2.225: ICMP echo reply, id 64777, seq 20, length 64

                      WAN
                      14:47:12.454980 IP 192.168.0.202 > 8.8.8.8: ICMP echo request, id 8708, seq 131, length 64
                      14:47:12.471696 IP 8.8.8.8 > 192.168.0.202: ICMP echo reply, id 8708, seq 131, length 64
                      14:47:12.513886 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 753, length 8
                      14:47:12.517257 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 753, length 8
                      14:47:13.064666 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 754, length 8
                      14:47:13.068606 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 754, length 8
                      14:47:13.354923 IP 192.168.0.161.38660 > 192.168.0.255.15600: UDP, length 35
                      14:47:13.457792 IP 192.168.0.202 > 8.8.8.8: ICMP echo request, id 8708, seq 132, length 64
                      14:47:13.476287 IP 8.8.8.8 > 192.168.0.202: ICMP echo reply, id 8708, seq 132, length 64
                      14:47:13.611799 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 755, length 8
                      14:47:13.615125 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 755, length 8

                      @Baby_newbie said in Routing not working without outbound NAT:

                      login-to-view

                      M 1 Reply Last reply Jul 4, 2023, 3:07 PM Reply Quote 0
                      • M
                        mcury @Baby_newbie
                        last edited by mcury Jul 4, 2023, 3:12 PM Jul 4, 2023, 3:07 PM

                        @Baby_newbie You are not getting an answer with NAT disabled, most probably the packet is being dropped in your device ahead of pfsense, because it doesn't have a route to your internal network (behind pfsense).

                        A router only has routes to directly connected networks, and a default route to Internet.

                        So, you ping from LAN, your pfsense sends the packet without NAT, your ISP modem sends it to the Internet and doesn't know how to forward it back to your internal LAN, and drop it.

                        Add a route as mentioned earlier and it will work.
                        But note that ISP modems usually don't give you that configuration option.

                        Edit:
                        Another option, which I prefer, is to configure your ISP modem as bridge.

                        dead on arrival, nowhere to be found.

                        B 1 Reply Last reply Jul 4, 2023, 6:32 PM Reply Quote 1
                        • B
                          Baby_newbie @mcury
                          last edited by Jul 4, 2023, 6:32 PM

                          @mcury Thank you for your response.

                          I think I see what was happening. I was being confused by two sets of icmp flows. One generated by me and a second that is generated by the pfsense box itself.

                          Any ideas why the pfsense continuously sends icmp on the WAN to its gateway?

                          J 1 Reply Last reply Jul 4, 2023, 6:35 PM Reply Quote 0
                          • J
                            JonathanLee @Baby_newbie
                            last edited by Jul 4, 2023, 6:35 PM

                            @Baby_newbie it sends them to make sure the gateway is still working.

                            Make sure to upvote

                            B 1 Reply Last reply Jul 4, 2023, 6:38 PM Reply Quote 1
                            • B
                              Baby_newbie @JonathanLee
                              last edited by Jul 4, 2023, 6:38 PM

                              @JonathanLee Thank you.

                              1 Reply Last reply Reply Quote 0
                              2 out of 14
                              • First post
                                2/14
                                Last post
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.