Routed Subnet on LAN
-
Yesterday I migrated from m0n0wall to pfSense and am having an issue I just can't figure out. Here is my general layout.

         Public IP
    +------------------+
    |                  |
    |     pfSense      |
    |                  |
    +------------------+
         192.168.2.1
              |
              |
         192.168.2.2
    +---------------+
    |               |
    |    Router     |
    |               |
    +---------------+
       192.168.100.254
              |
              |
       192.168.100.1
    +--------------------+
    |    Core Server     |
    +--------------------+
From my internal router I am able to ping out to any Internet address. From my core server I can only get as far as the WAN address on the pfSense device. I have a static route on the LAN port routing to my core network. I have a rule allowing any traffic from the core subnet out. From the Internet I can reach services on the core server. It seems that outbound NAT from the core network is not working right. I know it must be something simple but I can't see what I have misconfigured. Any help would be appreciated.
-
Does your router between the server and the pfSense do NAT? If not you need a static route at the pfSense using the router's IP 192.168.2.2 as gateway for the subnet 192.168.100.0/24 (I guess it's a /24 subnet?).
-
No the internal router does not do NAT. I already have the route statement as you suggest. Any other things I should check?
-
Does the pfSense do NAT or are you routing? Maybe the router in front of your pfSense doesn't have a route back to your 192.168.100.0/24 subnet?
-
Yes, pfSense is doing NAT.
-
Well I am about to throw in the towel. Just to make sure nothing on the back-end changed I burned a m0n0wall boot CD/Floppy and added the exact same settings and it works. I have had people better qualified than I take a look at it as well but still nothing. Does anyone else have a routed subnet on the LAN side that is working?
-
Ok, running tcpdump on the WAN interface shows that traffic from the LAN subnet is being NATed correctly but traffic from the Core Network subnet is NOT being NATed but using the actual address. Is this a bug or do I need to do something special to make sure this subnet is NATed?
-
Try enabling advanced outbound NAT (webgui, Firewall > NAT, Outbound tab).
It will create a rule for the LAN interface. Copy that rule and modify the Source to be the core network. Does this then work for you?
-
> Try enabling advanced outbound NAT (webgui, Firewall > NAT, Outbound tab).
> It will create a rule for the LAN interface. Copy that rule and modify the Source to be the core network. Does this then work for you?

YES!! That did it. Is this normally needed or is there something funky with my network that requires this?
-
If you say it works with m0n0 it looks like we are doing something different here with the "behind the scenes" NAT rules. Maybe m0n0 creates a source-any rule at internal interfaces and we only NAT the interface's source IP range. We'll have to check this and discuss if we want it the other way.
-
Fair enough. Thanks for all of your help Hoba.