NAT between DMZ and LAN not working

kmanango

I'm not sure why NAT between my LAN and DMZ is not working.  Here's what I have:

Internet
      |
    ISP
      |
PfSense
      |
    / 
LAN  DMZ

I basically have 3 networks:

1/ N1 - Public /30 address (WAN)
2/ N2 - Public /26 address (DMZ)
3/ N3 - Internal LAN (10.X.X.X) address (LAN)

I have N1 and N2 bridged as I need the traffic needs to be a pass through (no NAT).  Everything is working between N1 and N2 and I am able to access the internet and everything is perfectly fine.  What I'm having problems with is access from N2 to N3.  I have the following configured:

1/ "Block private networks" and "Block bogon networks" is not enabled on N2 and N3
2/ I already have a rule on N2 such that the server I am testing has access to all IP's/Port's/etc anywhere.  Everything is "*"
3/ Outbound NAT set to "Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)"
4/ I have a NAT outbound rule on N2 that says the subnet of N2 NATs using the interface address to N3 subnet
5/ I have a NAT outbound rule on N3 that says the subnet of N3 NATs using the interface address to N2 subnet

When I am on a server in N2 and ping the pfsense IP address for N3, it time's out.

When I am on a server in N3 and ping the pfsense IP address for N3, it responds.

When I am on a server in N2 and pint the pfsense IP address for N1, it responds.

It's only communication between N2 and N3 that is not working and I suspect it's something misconfigured with NAT.  I've already spent a week debugging this and searching forums and no luck so this is my last resort here was in hopes that someone would know what I am doing wrong.

Thanks

marcelloc

@kmanango:

I have N1 and N2 bridged as I need the traffic needs to be a pass through (no NAT).  Everything is working between N1 and N2 and I am able to access the internet and everything is perfectly fine.  What I'm having problems with is access from N2 to N3.  I have the following configured:

Bridge two interfaces with different ip/mask to do not nat?

I suggest you to:

• unbridge N1 and N2

• change your outbound nat to manual

• create only outbound nats you need

• test again

kmanango

N1 and N2 are on different subnets but both have internet facing IP addresses.  I don't want to do 1:1 NAT and want the traffic to be a direct pass-through and no NAT.  The traffic should just route.  I was told previously that I should set this up as a bridge which is what I did and works great.  Pass through traffic with the benefit of a firewall.

Is it not possible to have a network bridged with one and NAT to another?  i.e. N2/N1 bridge and N2/N3 NAT

Thanks

marcelloc

I'm not sure if bridge + nat has issues.

I have same scenario with two wan + lan and I just changed outbound nat to manual and removed any nat from wan1 to wan2. I have no issues with nat on any network.

clarknova

Is there a reason you want to NAT between the DMZ and LAN, rather than just straight routing? There's no reason the LAN hosts and DMZ hosts shouldn't be able to find each other via default route (pfsense). You only need outbound NAT for LAN via WAN.