Netgate Discussion Forum

    Secondary network behind LAN can not access internet

    Routing and Multi WAN
    23 Posts 4 Posters 10.9k Views

    • GruensFroeschli

      @hdokes:

      I understand your reference to having to set up a secondary NAT on the lan subnet.  I only know I have never had to do this on any other piece of equipment or on the LAN adapter to 'allow' the additional subnet.  Is it possible that other equipment have 'discovered' this route automatically and PFSense is not?  Or that by virtue of defining the static route inbound that these other pieces of equipment can understand how to 'return' a request from store2?

      It's not a second NAT. It's NAT at all.
      Without adding a rule to NAT your second subnet, pfSense will never NAT traffic originating from anything else than the immediate LAN subnet.
      pfSense does by default nothing. (ok, almost nothing)
      You need to tell it what is allowed and what not.
      This might not be the most user-friendly approach, but it is surely a more secure approach.
      I think it's good that it NATs per default only the immediate LAN subnet and not anything else.
      Imagine someone you don't know puts a router (wlan?) somewhere into your network without you knowing. He now can just use a different subnet over your company subnet.
      If you NAT only subnets you "trust" you can lower the risk of someone abusing your network.

      @hdokes:

      I also understand the PFSense requirement in which if a NAT rule changes the corresponding firewall rule must also change.  I just have never seen any equipment (in 30 years) require management of two entries when dealing with 'port forwarding'

      Doesn't it stand to reason that the PFSense gateway must be Natting to store2 if I can access services on that end from the gateway WAN?

      When you have different rules for NAT and the firewall:
      You can have scheduled firewall rules. -> indirect scheduled NAT ;)

      I'm sorry, but I don't understand what you mean with the second.
      NAT from where? From the outside? And from which gateway WAN?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

      • jahonix

        @hdokes:

        I also understand the PFSense requirement in which if a NAT rule changes the corresponding firewall rule must also change.  I just have never seen any equipment (in 30 years) require management of two entries when dealing with 'port forwarding'…. in the end... that's all we are talking about.  Seems like a very cumbersome way to handle it..... but I can adapt....

        Look at it this way: it's just way more granular when you can control each aspect of the ruleset.
        Lots of other routers only offer an 'allow all' rule in the background and do NAT only. You may then add some blocking rules, but that's all.
        Easier to set up: yes. Better to control: no.

        @hdokes:

        And look!  I can get to all pieces of equipment from the outside in.  For both store1 and store2.  Doesn't it stand to reason that the PFSense gateway must be Natting to store2 if I can access services on that end from the gateway WAN?

        Sure, all seems fine here.
        The only thing to be done is getting traffic from store2 through LAN of pfSense (to the INet), right?
        The IP header still contains the subnet 192.168.1.0/24 from store2 which pfSense (on 192.168.10.0/24) by default does not pass.
        A rule on the LAN's rule tab should handle that.

        An alternate approach might be to change the subnet of your pfSense's LAN if to something like 192.168.0.0/16, but IMHO that'll break other things like broadcasts.
        If pfSense is your gateway router ONLY it may work - if it is a DHCP server for your local LAN it doesn't...

        • hdokes

          Ok Gentleman,

          Currently on site.  Attempting to set up a subnet on LAN one and the subsequent NAT rule, but not having success.  Also pretty sure I am not doing it correctly here.

          I set up a virtual IP for the network 192.168.1.0/24 on the LAN interface.  Every time I go back to edit this rule it shows the IP address as a single address even though I set it to a network with the /24 subnet (it may be this is what it defaults to every time the edit window is opened).  The entry looks like this:

          Virtual IP address  Type              Description

          192.168.1.0/24     [Proxy ARP] NAT rule for North Store

          I then went to firewall NAT outbound and entered the following:

          ON -  Automatic outbound NAT rule generation (IPSEC passthrough)

          OFF - Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

          Interface  Source          Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
          LAN        192.168.1.0/24  *            *            *                 192.168.1.0  *         NO           Out Bound NAT rule for North Store

          I still do not get beyond the LAN interface for any Store2 traffic.

          Can you provide some corrective syntax for what I may be doing wrong?

          • GruensFroeschli

            um..
            Unless you want to host something on the store2 network you don't need VIPs -> delete all VIPs.

            I think you misunderstood what Advanced Outbound NAT is about.
            With AON you define how the router NATs.
            This is not the same as forwarding a port.

            You need to enable AON
            -> disable automatically created rules.

            OFF - Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

            Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
            WAN        192.168.1.0/24   *            *            *                 *            *         NO
            WAN        192.168.10.0/24  *            *            *                 *            *         NO

            The Interface is the interface to which the traffic will be rewritten.
            You want packets originating from within your network to appear to the outside as if they originate from your WAN interface.

            • hdokes

              Ok… I understand.

              Changed the configuration to reflect what you had shown.  Removed the VIPs and changed to AON on, and it shows both network routes as you had depicted.  I still am having issues pinging beyond the LAN port.  Are there any other entries I may be overlooking? ... i.e. NAT or firewall rules?

              Thank you for your assistance on this.

              • GruensFroeschli

                So are you now able to reach the internet from your store2?

                What exactly do you mean you have issues pinging beyond the LAN port?
                I need information like from where you are pinging what.
                Could you write from what IP you are trying to ping the target IP?

                • hdokes

                  I can ping from store2 to the LAN interface of the PFSense router. 
                  I can not ping from store2 to the WAN side of the PFSense router.
                  I can not ping from store2 to the internet (beyond the PFSense router).

                  I can ping from the local network (Store1) to the WAN address of the PFSense router.

                  I can remote access any device at store2 from the internet (using remote desktop and PCAnywhere)

                  • hdokes

                    Allow me to confirm whether or not I am understanding this correctly… and thank you for your patience and indulging me....

                    As there is port forwarding on the PFSense box from the outside in (firewall rules - apply to WAN interface), so too is there port forwarding from the inside of the box out (NAT rules - apply to LAN interface).  The two are not synonymous, but rather the system allows for auto creation of a firewall rule as a convenience when you are setting NAT rules for outbound traffic?

                    If I am correct here... would I also be correct then that I could set two primary NAT rules for both networks in the following fashion?

                    If   Proto  Ext. port range  NAT IP           Int. port range  Description
                    WAN  TCP    any              192.168.10.0/24  any              Allow all ports outbound for Store1 (ext.: xxx.xxx.xxx.xxx)
                    WAN  TCP    any              192.168.1.0/24   any              Allow all ports outbound for Store2 (ext.: xxx.xxx.xxx.xxx)

                    Would this be accurate based on my assumptions and would it be required?

                    • GruensFroeschli

                      Could you provide all rules you have on your LAN-interface?

                      When you try to ping and it does not work: do you get any entries in the firewall log?

                      • hdokes

                        The pings are being logged from the correct Store2 IP address and show the WAN address as the destination. The msg associated with the log entry is:

                        @124 Block drop in log quick all label "Default block all just to be sure."

                        The NAT outbound rules are:

                        Interface  Source           Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
                        WAN        192.168.1.0/24   *            *            *                 *            *         NO           Out Bound NAT rule for North Store
                        WAN        192.168.10.0/24  *            *            *                 *            *         NO

                        I have many NAT rules for the WAN interface to accommodate internal services such as remote desktop and PCAnywhere access.  There are no Internet services requiring external access from the internet at this time.

                        There are currently no explicit rules for the LAN adapter for either network other than these outbound references.

                        • jor-el

                          Hello!!!

                          I have the same problem as hdokes (excuse me, my English is not the best ;) )

                          The scheme is the following one.

                                          x.x.x.x
                                         ----------
                                         |   DSL  |____________  INET
                                         ----------
                                             | 192.168.1.1
                                             |
                                             | 192.168.1.100
                                         ----------
                                         | pfsense |
                                         ----------
                                             | 172.16.1.100
                                             |
                                             |
                                         ---------                 VLAN 1
                               ----------| Switch |--------------- PC
                               |         ---------                 172.16.1.1 /24
                               |
                             Router
                               |
                               |
                             Switch
                               |
                               |
                              PC          VLAN 2
                          172.16.0.1 /24

                          VLAN 1 can access internet
                          VLAN 2  can not access internet
                          pfsense

                          VLAN 1 to VLAN 2 ping OK
                          Vlan 2 to Vlan 1 ping ok
                          Vlan 1 to pfsense (172.16.1.100) ping OK
                          Vlan 2 to pfsense (172.16.1.100) ping OK
                          Vlan 1 to DSL ping OK (Any Address)
                          Vlan 2 to DSL ping NO
                          Vlan 1 to HTTP access OK
                          Vlan 2 to HTTP access NO

                          The NAT outbound rules are:

                          Interface  Source         Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description
                          WAN        172.16.1.0/24  *            *            *                 *            *         NO
                          WAN        172.16.0.0/24  *            *            *                 *            *         NO

                          The problem is that I can not access from VLAN 2.

                          Thanks for the answer.

                          • GruensFroeschli

                            @hdokes: Could you also provide the FIREWALL rules on the LAN tab?
                            You need 2 similar rules on the Firewall tab (like jahonix said in his first post).

                            @jor-el: The same goes for you, but you need an allow rule on your OPTx interface on which your VLAN2 is.

                            • hdokes

                              Ok… back at it on site again.

                              The firewall rules for the LAN tab consist only of the following:

                              Proto  Source   Port  Destination  Port  Gateway  Schedule  Description
                              *      LAN net  *     *            *     *                  Default LAN -> any

                              Still trying to make it work... any assistance is much appreciated.

                              • GruensFroeschli

                                @jahonix:

                                On your LAN interface you need to allow traffic from the remote subnet in addition to the local one.
                                Have you done that?

                                So in addition to letting HTTP and/or HTTPS traffic pass for 192.168.10.0/24, you have to allow traffic for 192.168.1.0/24 as well on the LAN if.

                                So it has to look like this:

                                Proto  Source          Port  Destination  Port  Gateway  Schedule  Description
                                *      LAN net         *     *            *     *                  Default LAN -> any
                                *      192.168.1.0/24  *     *            *     *                  store2_subnet -> any

                                  • hdokes
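A small model of the two-table interaction the thread converges on (LAN filter rules and outbound NAT are separate lists, and a subnet must appear in both), as an added example that is not from the thread or from pfSense itself. It runs constructed packets from store1 (192.168.10.0/24) and store2 (192.168.1.0/24) through a simplified first-match filter and a NAT lookup; the WAN and destination addresses are constructed placeholders, and the evaluation logic is a simplification of pf, not its implementation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Subnets come from the thread; WAN and destination hosts are constructed
# placeholders from documentation address ranges.
WAN_IP = "203.0.113.5"
INET_HOST = "198.51.100.10"
LAN_NET = ip_network("192.168.10.0/24")     # store1, the "LAN net" alias
STORE2_NET = ip_network("192.168.1.0/24")   # store2, behind the LAN-side router

# Label the thread's firewall log showed for the dropped pings.
DEFAULT_DENY = "Default block all just to be sure."


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet enters pfSense on
    src: str
    dst: str


def filter_verdict(pkt, lan_pass_rules):
    """First-match pass rules on the LAN tab; anything unmatched falls
    through to the implicit default deny. Rules are (source net, description)."""
    if pkt.iface == "LAN":
        src = ip_address(pkt.src)
        for net, desc in lan_pass_rules:
            if src in net:
                return "pass", desc
    return "block", DEFAULT_DENY


def outbound_nat(pkt, nat_source_nets):
    """Outbound NAT on WAN: only listed source networks are rewritten to the
    WAN address. Unlisted sources leave untranslated, so the ISP side has no
    route back for the reply."""
    src = ip_address(pkt.src)
    return WAN_IP if any(src in net for net in nat_source_nets) else pkt.src


def simulate(pkt, lan_pass_rules, nat_source_nets):
    """Filter on LAN ingress first, then NAT on WAN egress."""
    verdict, rule = filter_verdict(pkt, lan_pass_rules)
    if verdict == "block":
        return {"verdict": "block", "rule": rule, "egress_src": None}
    return {"verdict": "pass", "rule": rule,
            "egress_src": outbound_nat(pkt, nat_source_nets)}


# The thread's intermediate state: AON lists both subnets, but the LAN tab
# still holds only the stock rule, so store2 hits the default deny.
LAN_RULES_BEFORE = [(LAN_NET, "Default LAN -> any")]
LAN_RULES_AFTER = LAN_RULES_BEFORE + [(STORE2_NET, "store2_subnet -> any")]
NAT_BOTH = [STORE2_NET, LAN_NET]

if __name__ == "__main__":
    store2_ping = Packet("LAN", "192.168.1.50", INET_HOST)   # constructed host
    for label, rules, nat in [("before fix", LAN_RULES_BEFORE, NAT_BOTH),
                              ("after fix", LAN_RULES_AFTER, NAT_BOTH),
                              ("pass but no NAT", LAN_RULES_AFTER, [LAN_NET])]:
        print(label, simulate(store2_ping, rules, nat))
```

The third case shows the other half of the thread's point: a pass rule without a matching outbound NAT entry lets the packet out with its private source address, which is why both tables must list the second subnet.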

                                  GruensFroeschli... you are a tonic for my befuddled brain.  That worked!  :)

                                  Still not sure that I fully understand it but let me digest it here a bit and I will follow up here with some closing comments.

                                  Thanks again to everyone who assisted.... I really appreciate it.
