Netgate Discussion Forum

    Using Public IPs on LAN

    16 Posts 3 Posters 10.9k Views
danswartz:

Oh, sorry, I misread. So, you have a /29 for WAN, of which 210 is the pfSense? Note that your subnet is not 94.0.128.1/24, it is 94.0.128.0/24, with the pfSense LAN interface having address 1. That said, are you sure you have default routes on the various LAN hosts pointing at the 94.0.128.1 IP? What happens if you run a packet trace on a LAN host when you try to connect?

Genjitsu:

Let me tell you everything about this topology.

1- Cisco Router
   Public IP 94.0.88.214
------------------------------
2- pfSense Firewall
   WAN port 94.0.88.210
   WAN GW 94.0.88.214
   LAN port 94.0.128.1

3- Server 1
   IP: 94.0.128.5
   GW: 94.0.128.1

4- Server 2
   IP: 94.0.128.6
   GW: 94.0.128.1

....

And the pfSense LAN and WAN rules are all * * * * traffic pass.
Advanced Settings, "Disable NAT Reflection": "Disables the automatic creation of NAT redirect rules for access to your public IP addresses from within your internal networks. Note: Reflection only works on port forward type items and does not work for large ranges > 500 ports." <-- this settings box is checked.

And Advanced Outbound NAT (AON) is selected, and all NAT rules are removed. I'm pinging server 2 from the WAN but can't reach it. I can reach the pfSense WAN port IP 94.0.88.210 from the WAN, but I can't reach the LAN port IP of pfSense.

danswartz:

You said earlier 'it works', which I take to mean hosts on the LAN can reach outside sites? If so, when you try to connect to an inside site, does anything show up in the pfSense filter log? Blocked packets, that is?

Genjitsu:

The hosts on the LAN can't reach the internet after disabling NAT. If NAT is enabled, hosts can reach outside. I didn't check the filter logs. I will check them for some rule problem, but I added a rule on the LAN tab of the pfSense panel: source WAN, protocol/port etc. any, target LAN, pass; source LAN, protocol/port etc. any, target LAN, pass. And I added one to the WAN tab too: source WAN, protocol/port etc. any, to LAN.

danswartz:

Did you clear the state table after making these changes? A reboot is probably a good idea too. It would be helpful to post the actual rules rather than describe them.

Genjitsu:

It is really interesting with this configuration. I can't ping 95.0.128.5 from the pfSense shell. But I can ping the pfSense LAN interface 95.0.128.1 from 95.0.128.5's shell. This may be my problem. But I don't know why. I think I checked all rules; I couldn't see anything...

kpa:

Does the Cisco router know that the 94.0.128.0/24 network should be routed to the WAN address of pfSense (94.0.88.210)?

danswartz:

I assume so, or the traceroute would not have stopped at the WAN port. Also, as I said, can you post the actual rules? Not what you think you are doing...

Genjitsu:

I'm sure I have no problem at the router side of the system, because it works without pfSense. Also, pfSense works as well when NAT is ENABLED! I have two rules on each interface. First WAN interface rule: Interface: WAN, Source: Any, Dest: Any, Proto: Any, Action: PASS.
Second WAN interface rule: Interface: WAN, Source: WAN address, Dest: LAN address, Proto: any, Action: PASS.

First LAN interface rule: the default, source LAN subnet, dest internet, action PASS <-- this rule was generated automatically.
I added a second one to the LAN interface: Interface: LAN, Source: any, Dest: any, Proto: any, Action: PASS.

These are my rule settings.
And AON is selected on the NAT tab and all automatically generated NAT rules have been removed. <-- FAQ on the pfSense docs page.
All other settings are default. The clients reach the internet only when NAT is enabled. They reach it, but not with their public IPs.
When you disable NAT the clients can't reach the internet. Let me tell you something about tracerouting. When I try a traceroute from WAN to LAN, the packets can reach only the WAN port of the firewall, not further. When I try a traceroute from LAN to WAN, the packets again only reach the WAN port of the firewall. And there is something interesting: I can ping the LAN port of pfSense from an inside server, but pfSense can't ping the same server from its LAN interface. I can ping the pfSense WAN port from a LAN server, but I can't ping the Cisco router.

I also tried some other ways: I cleaned up the state table, tried some static routes, tried all possible rule combinations. Are you sure that pfSense supports this task? Or what should I set more? Thank you.

kpa:

The Cisco router is probably doing ARP queries for the 94.0.128.0/24 network on its own LAN interface; that's why it works without pfSense in the mix. You'll probably have to change the Cisco configuration to forward 94.0.128.0/24 to pfSense's WAN address.

danswartz:

Hmm, I had assumed he was routing that /24 already. Is that the case?

Genjitsu:

The Cisco router is only routing default 0.0.0.0 to 212.156.88.1 (WAN-side IP of the Cisco MetroEthernet). Do I need to add source 94.0.128.0/24 to GW 94.0.88.210 (WAN of pfSense) to the Cisco router?

danswartz:

Yes, otherwise it has no idea where to send packets for the subnet.

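The routing problem the thread converges on, modelled as a longest-prefix-match lookup over the Cisco's and pfSense's tables, as an added example that is not from any poster in this thread. The addresses are the ones posted above; the WAN /29 is assumed to be 94.0.88.208/29 (it holds .210 and .214), the device names and "upstream" hand-off are constructed, and 203.0.113.9 is a constructed outside address.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A route is (prefix, next hop); a next hop of None means the prefix is directly connected.
Route = Tuple[ipaddress.IPv4Network, Optional[str]]
net = ipaddress.ip_network  # short alias for building the tables below

# pfSense: WAN /29 (assumed to be 94.0.88.208/29, which holds .210 and .214),
# the public LAN /24 directly connected, default route via the Cisco at .214.
PFSENSE: List[Route] = [(net("94.0.88.208/29"), None), (net("94.0.128.0/24"), None),
                        (net("0.0.0.0/0"), "94.0.88.214")]
# Cisco as Genjitsu describes it: only a default route toward the MetroEthernet gateway.
CISCO_NO_ROUTE: List[Route] = [(net("94.0.88.208/29"), None), (net("0.0.0.0/0"), "212.156.88.1")]
# Cisco after adding the static route kpa and danswartz ask about.
CISCO_WITH_ROUTE: List[Route] = CISCO_NO_ROUTE + [(net("94.0.128.0/24"), "94.0.88.210")]

# Which device owns each next-hop address (constructed names); "upstream" is not modelled further.
OWNER = {"94.0.88.210": "pfsense", "94.0.88.214": "cisco", "212.156.88.1": "upstream"}
BEFORE = {"cisco": CISCO_NO_ROUTE, "pfsense": PFSENSE}
AFTER = {"cisco": CISCO_WITH_ROUTE, "pfsense": PFSENSE}

def lan_network(interface: str) -> str:
    """94.0.128.1/24 is an interface address; the subnet it lives in is 94.0.128.0/24."""
    return str(ipaddress.ip_interface(interface).network)

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a router's forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def trace(tables: Dict[str, List[Route]], start: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next hops from `start` until dst is directly connected or the packet leaves the model."""
    path, device = [start], start
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return path + ["no route"]
        if route[1] is None:                    # connected: delivered on this segment
            return path + [dst]
        device = OWNER.get(route[1], route[1])
        path.append(device)
        if device not in tables:                # handed to a router we do not model
            return path
    return path

if __name__ == "__main__":
    print(lan_network("94.0.128.1/24"))
    print(trace(BEFORE, "cisco", "94.0.128.5"))    # LAN-bound packets follow the default route out
    print(trace(AFTER, "cisco", "94.0.128.5"))     # now forwarded to pfSense, delivered on the LAN
```

Without the static route the return traffic for the public /24 leaves the site through the Cisco's default route, which matches the thread's symptom of traceroutes stopping at the pfSense WAN address; the outbound path through pfSense is unaffected either way.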
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.