Netgate Discussion Forum

    101 how to - route based policy no NAT

    12 Posts 4 Posters 6.7k Views
    • GruensFroeschli

      Did you uncheck the "block RFC1918 subnets" checkbox on the WAN config page?

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html
    • kDub2009

      Those boxes are unchecked. I don't think they affect NAT.
    • danswartz

      Question: you said you tried disabling NAT in the advanced settings. The only setting I see is disabling firewalling, which says "also disables NAT", but then rules are not applied. Is this correct? If so, have you looked at the outbound NAT rules, where a rule has the checkbox that says not to do NAT on the outbound packets? Or am I misunderstanding?
    • cmb

      Disabling the filter does what it says - disables filtering and NAT. You want:
      http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F
    • kDub2009

      I turned the filter back on so it puts the firewall back into firewall mode. This was a last-ditch effort that I should not have tried, as it clearly states it disables the firewall. I had already tried going to Firewall - NAT - Outbound, setting it to manual and deleting all of the auto-created rules. I saved it, and then rebooted the firewall to make sure everything was reset.

      After the reboot, from the LAN subnet 10.0.0.0 I was able to ping the WAN gateway 10.0.6.1, but I was unable to ping the server in the WAN subnet. My rules / policies from "LAN to WAN" as well as "WAN to LAN" are currently set to allow all source, port and destination traffic through, so the rule should not be blocking anything.

      I looked at the route table and the route for subnet 10.0.6.0 is set to the gateway "link#2".

      Any other thoughts would be greatly appreciated. Thanks.
    • danswartz

      Post output of 'netstat -rn'.
    • kDub2009

      The other thing I noticed is in the rules, under "default gateway", it says use default or select gateway for a route-based rule. So I am embarrassed to ask this question, but what should my WAN gateway be based on the information below (I assumed my WAN gateway is 10.0.0.125):

      VM pfSense:

      LAN subnet is 10.0.0.0
      LAN interface = 10.0.0.125
      LAN gateway = 10.0.0.1

      WAN interface = 10.0.6.1
      WAN subnet 10.0.6.0

      Physical Juniper firewall:
      LAN subnet is 10.0.0.0
      LAN interface is 10.0.0.1
      static route is 10.0.6.0 -> 10.0.0.125 gateway
    • kDub2009

      netstat -rn from Windows client in 10.0.0.0 subnet

      Active Routes:
      Network Destination        Netmask          Gateway      Interface  Metric
                0.0.0.0          0.0.0.0        10.0.0.1      10.0.0.75      10
              10.0.0.0    255.255.255.0        10.0.0.75      10.0.0.75      10
              10.0.0.75  255.255.255.255        127.0.0.1      127.0.0.1      10
         10.255.255.255  255.255.255.255        10.0.0.75      10.0.0.75      10
              127.0.0.0        255.0.0.0        127.0.0.1      127.0.0.1      1
            169.254.0.0      255.255.0.0        10.0.0.75      10.0.0.75      20
              224.0.0.0        240.0.0.0        10.0.0.75      10.0.0.75      10
        255.255.255.255  255.255.255.255        10.0.0.75      10.0.0.75      1
      Default Gateway:          10.0.0.1
    • danswartz

      No, I wanted 'netstat -rn' from the pfSense, not the LAN client.
    • danswartz

      Duh, I think I know what the problem is. If you are not NAT'ing, the traffic hitting your webserver will be coming from the 10.0.0.0/24 subnet, and unless you have left out this data point, the web server will not know how to reach that address, since its IP is in the 10.0.6.0/24 subnet. The simplest fix is to have the router for the 10.0.6.0/24 subnet have a static route for 10.0.0.0/24 pointing at 10.0.6.1. Then, the first time the web server (or whatever) gets a packet from a 10.0.0.0/24 host, it will send it to the 10.0.6.0/24 gateway, which will forward it to the pfSense WAN IP and send an ICMP redirect to the server so it knows how to get there from then on.
    • kDub2009

      Thanks everyone for your help. Turning the filter back on so it puts the firewall back into firewall mode, and setting the outbound NAT rules where a rule has the checkbox that says not to do NAT on the outbound packets, fixed it.

      I was still having issues, but upon further inspection of Linux log files I found the client's IP address is being passed through the route-based firewall and PAM is closing all of the sessions. So now this may have been the easy part; PAM in Linux does not look so easy.

      No additional route was needed. Duh - the firewall is the router between interfaces.

      Thanks again!
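As an added illustration, not code from this thread or from pfSense, the following Python longest-prefix-match simulator uses the addresses posted above to trace the client-to-server packet and its un-NATed reply. It shows the return path working when the server's gateway is the pfSense WAN address (the situation kDub2009 describes in the final post) and failing when the server points at some other WAN-side router that lacks the static route danswartz proposes. The server address 10.0.6.50 and the second router 10.0.6.254 are assumptions.

```python
import ipaddress
# Constructed topology using the addresses posted in this thread; the web server
# (10.0.6.50) and a second WAN-side router (10.0.6.254) are assumed for illustration.
CLIENT, JUNIPER = "10.0.0.75", "10.0.0.1"
PF_LAN, PF_WAN = "10.0.0.125", "10.0.6.1"
SERVER, WAN_ROUTER = "10.0.6.50", "10.0.6.254"
DIRECT = "direct"  # destination is on-link: deliver without a next hop

def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]

def trace(tables, src, dst, max_hops=8):
    """Forward hop by hop; the path ends at dst only if every hop had a usable route."""
    path, node = [src], src
    while node != dst and len(path) <= max_hops:
        next_hop = lookup(tables[node], dst)
        if next_hop is None:
            break  # no route for the un-NATed 10.0.0.x source: this hop drops the reply
        node = dst if next_hop == DIRECT else next_hop
        path.append(node)
    return path

def build_tables(server_gateway, wan_router_has_static_route):
    pf = [("10.0.0.0/24", DIRECT), ("10.0.6.0/24", DIRECT)]  # pfSense routes between its NICs
    wan_router = [("10.0.6.0/24", DIRECT)]
    if wan_router_has_static_route:
        wan_router.append(("10.0.0.0/24", PF_WAN))  # the static route suggested in the thread
    return {
        CLIENT: [("10.0.0.0/24", DIRECT), ("0.0.0.0/0", JUNIPER)],
        JUNIPER: [("10.0.0.0/24", DIRECT), ("10.0.6.0/24", PF_LAN)],  # Juniper's static route
        PF_LAN: pf, PF_WAN: pf,
        SERVER: [("10.0.6.0/24", DIRECT), ("0.0.0.0/0", server_gateway)],
        WAN_ROUTER: wan_router,
    }

def round_trip(server_gateway, wan_router_has_static_route=False):
    """Return (forward_path, return_path, ok); ok means both directions reach their target."""
    tables = build_tables(server_gateway, wan_router_has_static_route)
    fwd, back = trace(tables, CLIENT, SERVER), trace(tables, SERVER, CLIENT)
    return fwd, back, fwd[-1] == SERVER and back[-1] == CLIENT

if __name__ == "__main__":
    for gw, static in [(PF_WAN, False), (WAN_ROUTER, False), (WAN_ROUTER, True)]:
        fwd, back, ok = round_trip(gw, static)
        print(f"server gw {gw:<11} static route {static!s:<5} {'OK' if ok else 'FAIL'} {back}")
```

The first case is why no extra route was needed once pfSense itself was the server's gateway; the second is the dropped reply danswartz described, and the third is his static-route fix.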
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.