Netgate Discussion Forum
    How to Route (not NAT) from LAN to WAN?

    Routing and Multi WAN
    9 Posts 2 Posters 7.0k Views

      pcatiprodotnet

      I need the actual IP address & traffic of our Lan computers to be routed to Wan.
      It appears that pfSense is causing all our Lan traffic to appear to come from a Wan IP address.
      I didn't want to "Disable the firewalls filter altogether" because the filtering security is nice.
      Thank you,
      -Pete

        hoba

        Go to Firewall > NAT, Advanced Outbound. Enable advanced outbound and delete all rules that are created at the bottom of the page. Save and apply. Now you have shut down NAT completely. If you need special IPs or subnets to be NATed, add rules at the bottom.

          pcatiprodotnet

          [update]
          Never mind the following post (our net admin just explained I need to code routes into every router to direct traffic to the other routers because pfSense isn't doing RIP; is there a way to turn RIP on in pfSense?):
          [/update]

          I enabled NAT Advanced Outbound and deleted all rules.  This seems to have stopped some NATing because I can no longer ping the final gateway (3 hops).  I set up routing, but I can only ping 2 hops over.  I tried "Disable the firewalls filter altogether" and now I can only ping the next router (1 hop); when I display the "routes" in pfSense, only IPs from the very next interface(s) are listed:

          pfSense "router"#1:
          IPv4
          Destination Gateway Flags Refs Use Mtu Netif Expire
          default 10.0.0.1 UGS 0 186 1500 sis0 
          10/9 link#1 UC 0 1 1500 sis0 
          10.0.0.1 00:08:54:28:23:92 UHLW 2 670 1500 sis0 1167
          10.128/9 link#2 UC 0 1 1500 ath0 
          10.128.1.3 00:02:6f:3e:1d:63 UHLW 1 787 1500 ath0 1178
          10.129.1.254 00:02:6f:3d:64:1d UHLW 1 2 1500 ath0 1198
          127.0.0.1 127.0.0.1 UH 0 0 16384 lo0

          pfSense "router"#2:
          IPv4
          Destination Gateway Flags Refs Use Mtu Netif Expire
          default 10.128.1.1 UGS 0 179 1500 ath0
          10.128/16 link#1 UC 0 0 1500 ath0
          10.128.1.1 00:0b:6b:37:a4:2d UHLW 2 338 1500 ath0 1193
          10.130.3/24 link#2 UC 0 0 1500 sis0
          10.130.3.254 00:11:09:de:6c:59 UHLW 1 1671 1500 sis0 1193
          127.0.0.1 127.0.0.1 UH 0 0 16384 lo0

          (10.0.0.1 is the internet gateway)
          (10.129.1.254 and 10.130.3.254 are client PCs)

            hoba
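To see why the pings stop short, it helps to run a longest-prefix lookup over the two tables pasted above. The following is an added example, not code from the thread or from pfSense: it parses the netstat-style output exactly as posted, resolves a few destinations on each box, and then adds the kind of static route hoba describes. The static route itself (10.130.3.0/24 via 10.128.1.3) and the assumption that 10.128.1.1 and 10.128.1.3 are pfSense#1's and pfSense#2's addresses on the shared ath0 link are inferred from the tables, not stated in the thread.

```python
"""Longest-prefix lookup over the two routing tables from the post (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The two tables as pasted in the thread: Destination Gateway Flags Refs Use Mtu Netif [Expire]
ROUTER1 = """
default 10.0.0.1 UGS 0 186 1500 sis0
10/9 link#1 UC 0 1 1500 sis0
10.0.0.1 00:08:54:28:23:92 UHLW 2 670 1500 sis0 1167
10.128/9 link#2 UC 0 1 1500 ath0
10.128.1.3 00:02:6f:3e:1d:63 UHLW 1 787 1500 ath0 1178
10.129.1.254 00:02:6f:3d:64:1d UHLW 1 2 1500 ath0 1198
127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
"""
ROUTER2 = """
default 10.128.1.1 UGS 0 179 1500 ath0
10.128/16 link#1 UC 0 0 1500 ath0
10.128.1.1 00:0b:6b:37:a4:2d UHLW 2 338 1500 ath0 1193
10.130.3/24 link#2 UC 0 0 1500 sis0
10.130.3.254 00:11:09:de:6c:59 UHLW 1 1671 1500 sis0 1193
127.0.0.1 127.0.0.1 UH 0 0 16384 lo0
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: Optional[str]  # None = directly connected (no G flag: link#N or an ARP entry)
    iface: str


def expand_bsd_prefix(dest: str) -> ipaddress.IPv4Network:
    """netstat -rn abbreviates: '10/9' means 10.0.0.0/9, a bare host has no mask."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = dest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(octets)}/{plen or 32}", strict=False)


def parse_routes(table: str) -> list[Route]:
    routes = []
    for line in table.strip().splitlines():
        fields = line.split()
        dest, gw, flags, iface = fields[0], fields[1], fields[2], fields[6]
        # Without the G flag the gateway column is a link or ARP entry, not a next hop.
        routes.append(Route(expand_bsd_prefix(dest), gw if "G" in flags else None, iface))
    return routes


def next_hop(routes: list[Route], dst: str) -> Optional[tuple[str, str]]:
    """Longest-prefix match; returns (gateway or 'on-link', interface)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.network.prefixlen)
    return (best.gateway or "on-link", best.iface)


def add_static_route(routes: list[Route], prefix: str, gateway: str, iface: str) -> list[Route]:
    """A static route as an operator would add it; returns a new list, input untouched."""
    return routes + [Route(ipaddress.ip_network(prefix), gateway, iface)]


def trace(tables: dict, owners: dict, start: str, dst: str, max_hops: int = 8) -> list:
    """Follow next hops router to router. `owners` maps a next-hop IP to the router
    holding it; a hop to an IP nobody in `tables` owns leaves the routers we know."""
    path, router = [], start
    for _ in range(max_hops):
        hop = next_hop(tables[router], dst)
        if hop is None:
            path.append((router, "no route", ""))
            return path
        gw, iface = hop
        path.append((router, gw, iface))
        if gw == "on-link":
            return path
        router = owners.get(gw)
        if router is None:
            path.append((gw, "outside the routers we know", ""))
            return path
    return path


if __name__ == "__main__":
    r1, r2 = parse_routes(ROUTER1), parse_routes(ROUTER2)
    owners = {"10.128.1.1": "pfSense#1", "10.128.1.3": "pfSense#2"}  # assumed from the tables
    print("pfSense#1 -> 10.130.3.254:", next_hop(r1, "10.130.3.254"))  # ('on-link', 'ath0')
    tables = {"pfSense#1": add_static_route(r1, "10.130.3.0/24", "10.128.1.3", "ath0"), "pfSense#2": r2}
    print("with static route:", trace(tables, owners, "pfSense#1", "10.130.3.254"))
    print("pfSense#2 -> 10.0.0.1:", trace(tables, owners, "pfSense#2", "10.0.0.1"))
```

Two things fall out of the tables. pfSense#1's 10.128/9 entry on ath0 covers 10.130.3.254, so without a more specific route the box treats that client as directly connected on the wireless link instead of forwarding to pfSense#2; a /24 static route wins the longest-prefix match and sends it to 10.128.1.3. The two routers also disagree on the mask of the shared ath0 link (/9 on pfSense#1, /16 on pfSense#2), which is worth checking before adding routes.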

            RIP isn't supported in pfSense 1.0. Keep watching for that in version 1.1  ;)
            I have a similar setup, though it does not involve wireless cards:

            internet---NATRouter---(main office lan segment, servers, workstations, voippbx)---wan/pfsense/lan---(2mbit/2mbit direct link)---wan/pfsense/lan---(remote office, workstations, voipphones)

            Works like a charm with traffic shaping on the 2 mbit link. You need routes at all 3 routers in use to make this work. I didn't disable the firewall altogether as this way traffic shaping also would be shut down. I added pass any any any rules at the 2 pfSense in between and routes at all 3 routers.
            Notice that the WAN interfaces in this configuration always point in the direction of the internet gateway. This way I only have to set up some routes for the internal subnets and internet access is handled by the default gateway (next hop).

              pcatiprodotnet

              I cannot enter a route on the gateway back to my private IPs.

              So next, I will try setting up NAT on pfSense#1, however I want every unique IP on
              the private side of pfSense#1 to be given a unique IP on the gateway side of pfSense#1.

              Thus far, I tried setting up a Virtual IP range and Advanced Outbound NAT with Translation
              set to the Virtual IP range.  However, all the PCs on the private side are still appearing to come
              from the first IP in the Virtual IP range.  How do I force it to assign a unique IP on the
              Gateway side to each PC on the private side of the NAT?

              Thank you,
              -Pete

                hoba

                Would it be an option for all your clients to use pfSense#1 as default gateway? This one would have the routes to the pfSense#2 subnet and also knows the way out to the internet because the "out of control" router is the standard gateway.

                  pcatiprodotnet

                  Since I must use NAT now, all the wireless clients will have pfSense#1 set as Gateway and DNS.
                  The reason I want all NAT clients to also have a unique IP on the "real" Gateway side is because
                  the "real" gateway has a captive portal that distinguishes unique clients by IP.  So, if I use normal
                  NAT, when one wireless client logs on to our "real" gateway, it essentially would allow every wireless
                  client access because they all appear to come from the same IP, which I want to avoid.
                  pfSense appears to have the ability to assign unique IPs on the Wan interface to each NAT client
                  on the Lan interface; looking through pfSense, it seems any one of these might do this:
                  Advanced Outbound/Translation, Virtual IPs, 1:1 NAT.  However, my attempts have failed thus far.
                  Thanks, -Pete

                    pcatiprodotnet

                    Is pfSense capable of assigning a new unique Translation IP address to each NAT client?  If so, how do I set this up?
                    Thanks, -Pete

                      hoba

                      You have to add multiple VIPs at WAN and then use 1:1 NAT to translate the IP ranges. However, this is extremely "dirty", but if that's your only way to do it…  :-
                      I guess you need "ProxyARP" or "CARP" as type "other" doesn't involve MAC replies.

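The difference between the outbound NAT Pete had and the VIP-plus-1:1 NAT hoba suggests is easiest to see from the captive portal's side. The following is an added example, not code from the thread or from pfSense: it models many-to-one outbound NAT next to range-to-range 1:1 NAT (host N of the internal range maps to host N of the external range, in both directions) and checks that the external range sits on the WAN segment, which is the precondition for Proxy ARP or CARP to answer for it. All addresses are constructed: 10.129.1.0/24 stands in for the wireless clients behind pfSense#1, 10.0.0.2 for its WAN address, and 10.0.5.0/24 for a block of VIPs on the 10/9 WAN side.

```python
"""Outbound NAT vs. 1:1 NAT as seen by a captive portal keyed on source IP (added example)."""
import ipaddress


class OutboundNat:
    """Many-to-one: every client leaves with the single WAN address."""

    def __init__(self, wan_ip: str):
        self.wan_ip = ipaddress.ip_address(wan_ip)

    def translate_out(self, src: str) -> str:
        return str(self.wan_ip)


class OneToOneNat:
    """Range-to-range 1:1 NAT: the host at offset N in the internal range is the
    host at offset N in the external range, so each client keeps a distinct WAN IP
    and replies to that WAN IP map back to exactly one client."""

    def __init__(self, internal: str, external: str):
        self.internal = ipaddress.ip_network(internal)
        self.external = ipaddress.ip_network(external)
        if self.internal.prefixlen != self.external.prefixlen:
            raise ValueError("1:1 NAT needs internal and external ranges of equal size")

    def translate_out(self, src: str) -> str:
        addr = ipaddress.ip_address(src)
        if addr not in self.internal:
            raise ValueError(f"{src} is not in {self.internal}")
        offset = int(addr) - int(self.internal.network_address)
        return str(self.external.network_address + offset)

    def translate_in(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        if addr not in self.external:
            raise ValueError(f"{dst} is not in {self.external}")
        offset = int(addr) - int(self.external.network_address)
        return str(self.internal.network_address + offset)


def vips_on_wan_segment(external: str, wan_subnet: str) -> bool:
    """A VIP range only works if it lies on the WAN segment, where Proxy ARP or CARP
    can answer ARP for it; otherwise the upstream gateway cannot deliver replies."""
    return ipaddress.ip_network(external).subnet_of(ipaddress.ip_network(wan_subnet))


def portal_view(nat, clients: list[str]) -> dict[str, set[str]]:
    """What the captive portal sees: each WAN source IP and the clients behind it."""
    seen: dict[str, set[str]] = {}
    for client in clients:
        seen.setdefault(nat.translate_out(client), set()).add(client)
    return seen


if __name__ == "__main__":
    clients = ["10.129.1.10", "10.129.1.11", "10.129.1.254"]  # constructed
    print("outbound NAT:", portal_view(OutboundNat("10.0.0.2"), clients))
    nat = OneToOneNat("10.129.1.0/24", "10.0.5.0/24")
    print("1:1 NAT:", portal_view(nat, clients))
    print("reply to 10.0.5.254 goes to", nat.translate_in("10.0.5.254"))
    print("VIP range on WAN segment:", vips_on_wan_segment("10.0.5.0/24", "10.0.0.0/9"))
```

With outbound NAT the portal sees one source address for all three clients, so one login covers everyone behind it; with 1:1 NAT over equal-sized ranges it sees three, and each WAN address maps back to a single client for return traffic.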
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.