NAT off firewall ON?

josey

Is it possible to turn nat off and to have functional firewall?

I have PFS machine that works as router only, connecting 5 networks, but i would like to block two of them that users do not see the rest of the 3 networks.

Thanks

danswartz

Yes, there have been a few threads about that.  Search the forum for this.

josey

i tried before posting but no luck :(

danswartz

try this:

http://doc.pfsense.org/index.php/How_can_I_completely_disable_NAT%3F

josey

hm, tried to play with this, no results  :(
if there is something to watch ?

this is how i have turno off nat
http://img193.imageshack.us/i/nat1j.jpg/

but that is also how firewall is turned off

and with this i could not make it run
http://img109.imageshack.us/i/nat2.jpg/

advice, please
thanks

GruensFroeschli

First picture: With this you disable the whole NAT and the firewall.
You dont want this.

Second picture: You deleted the rule, but didn't switch to manual rule generation.
Activate manual rule generation and it will work.

josey

did done that before, this is rule that i apply to…
http://img121.imageshack.us/img121/5503/natoff.jpg
http://img199.imageshack.us/img199/5697/natoff1.jpg

this didnt work :(  (turn back to first option)

GruensFroeschli

Don't set "no NAT".
Delete the rule.

josey

nope,
it seems that nat is off, but port forward does not work (from other - first pfs machine through this one)

with rule i set up, same thing

oh yes, and from first PFS machine i cant ping any interface on second pfs machine, when i turn back on option to turn off nat and firewall everything is fine.
but i need firewall on this second machine, do this is not solution.
I think i will have to sacrifice one interface and wan leave empty and use OPT instead?

GruensFroeschli

If you disable NAT, then you can no longer use portforwards. A simple firewall rule is all that is needed.
That's the whole idea behind disabling NAT
–> You dont need to use portforwards, because everything is routed.

josey

no, things works like this first PFS machine is conected to ISP router, and it is firewall/proxy/vpn etc…
(only 2 nics)

second one (6 nics) is connected to first one, and second one connects multiply networks into one, BUT, i dont want users to see each other so i need firewall that works.

And port forward, i need it to forward ports from internet to internal radius etc... whic is connected to one of 6 interfaces on second PFS.

i didnt try to use opt interface on second pfs as WAN interface, bit i think it would work. ?