NAT 1:1
-
If I understand correctly, I need to force a third class of IP addresses on the Cisco router.
Currently I have this available:
37.xxx.15.16/29 with GTW 37.xxx.152.17
and, always on the same Cisco interface, 37.xxx.159.0/24 GTW 37.xxx.159.1
I do not have the ability to have 37.xxx.160.0/24 as you say in your message.
I do the BGP; the IP addresses are mine.
To better understand, please give me an example of how to set the WAN and LAN interfaces with the IPs that you have described.
Thank you. -
okay … you have BGP then?
In that case all IPs are yours to route with, correct?
If that is the case then you can route 37.xxx.159.0/24 GTW 37.xxx.152.19 (pfSense WAN) on the cisco.
On the pfSense WAN, the GTW is the IP address of the cisco (37.xxx.152.18?). I am still not clear as to what you have assigned where on the cisco.
Then no NAT rules anywhere (no 1:1, or manual outbound, aside from 127.0.0.1). -
Current configuration: on the same port on the cisco, these are its subnets:
- 37.xxx.152.16/29 IP 37.xxx.152.17.
- 37.xxx.159.0/24 IP 37.xxx.159.1.
pfSense configuration
WAN IP 37.xxx.152.18 GTW 37.130.17; here the internet works.
LAN IP 37.xxx.159.1, the same GTW as the Cisco.
Removed the Outbound rules, left only 127.0.0.1.
No NAT 1:1, no rules, only on the LAN the Anti-Lockout Rule and the Default allow LAN to any rule, but it does not work on the internet; there is no way to get out.
I tried the two GTWs and they work fine with a PC.
Thank you.
-
I did more tests.
I tested the two gateways on the pfSense WAN and they work fine; I tested all IPs of the class 37.xxx.159.0/24 and they work without problems; I even tried reversing the GTW IP classes and everything works on the pfSense WAN.
With pfSense configured, nothing works anymore; only the WAN remains functional, the LAN does nothing.
I cannot find the problem. -
I think you have a routing problem, but I am still not sure on the setup of pfsense or cisco.
What is the IP of the LAN of pfsense? From your posts it looks like it is 37.000.159.1. If you have a gateway set on the LAN IP, remove that as well. The only interface with a gateway should be WAN.
Have you tried tracerouting from a system behind pfsense to see where it is breaking? Is the cisco only doing the bgp and routing, or is there any firewall rules setup?
On the cisco, the route looks wrong. The 37.000.159.0/24 should be sent to 37.000.152.18 (WAN of pfSense). I am not sure what you have assigned in there, but the cisco cannot have an address in the 159 network or nothing will be routed to pfsense and you will have a broken route. So basically,
Cisco has an IP address of 152.17 … WAN on pfsense has an ip of 152.18 with the gateway of 152.17. LAN on pfsense has an ip of 159.1 without a gateway set.
On the cisco, you are going to add a route sending 159.0/24 to 152.18.
I am not sure how cisco is going to route to the internet as I am not that familiar with BGP. I am assuming that configuration is working on a completely different ip and subnet. -
Ok.
I did a test by connecting a PC directly to the port and it all works, in the sense that on the cisco, putting any IP of the class 37.xxx.159.x works and goes out to the internet.
I tried to leave the class 37.xxx.159.x on GTW 37.xxx.152.17 and it works, so I do not see errors in the cisco, and I know it well; I could have missed something out of carelessness, but I do not think so.
To answer your question "Have you tried tracerouting from a system behind pfSense to see where it is breaking": I did the test and it stops at the LAN GTW 37.xxx.130.159.1.
I think the problem is that pfsense does not pass packets from LAN > WAN; for me it's like this, but I cannot find a way to configure it. -
If you test from the WAN of pfSense, it would be almost the same as hooking up a PC and testing. I think you are trying to route within a subnet and that just doesn't work. Personally, I don't have enough information to really know for sure … perhaps you could diagram it.
Try this.
Set the WAN on pfsense to 37.xxx.159.2/25 GATEWAY 159.1 (the cisco). Then set LAN to 37.xxx.159.129/25 (WITHOUT A GATEWAY).
In the Cisco route 37.xxx.159.128/25 to 37.xxx.159.2 (WAN on pfsense). Setup a computer behind pfsense and set the ip to 37.xxx.159.130 gateway of 37.xxx.159.129. Make sure just the default allow rules are there. Run connection tests to see what happens.
-
Hello and sorry for the delay but I was not home.
Doing as you described in the last post, it works.
The rest I had already said before: "Internet (37.xxx.152.17/29) --> (37.xxx.152.18/29) Cisco (37.xxx.159.1/24) --> (37.xxx.159.2/24) pfsense (37.xxx.160.1/24) --> LAN"
I did not want to try it because it seems an excessive consumption of IP addresses.
I added a class of contiguous IPs in BGP and now I have 255 IPs available on the output from pfSense; I can add them, I have no problems, but unfortunately you can use it twice.
But unfortunately there is a flip side: activating the proxy server, it goes back to using the WAN gateway, sigh sigh.
I hope to find a way to correct the problem and be able to make the same log files.
Is it not possible to bridge the WAN to the LAN? -
I agree that it is an excessive waste. The point was to prove that it works if you route correctly. You were not doing this.
You can get a /30 added and use it the same way as the 159.1/25 … so for an example: Internet (37.xxx.152.17/29) --> (37.xxx.152.18/29) Cisco (37.xxx.160.1/30) --> (37.xxx.160.2/30) pfsense (37.xxx.159.1/24) --> LAN
Then you would route 37.xxx.159.0/24 to 37.xxx.160.2. This would waste very few IPs. You can bridge WAN and LAN and you would not need to have another subnet. The configuration is more complex and uses more resources (IMHO). You can try it out to see if that is something that you can live with.
-
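As an added check (my own example, not code from the thread, pfSense or Cisco): a small Python script that applies the rules from the two replies above (separate LAN subnet, no gateway on LAN, no Cisco address inside the LAN, static route for the LAN pointing at the pfSense WAN) to an addressing plan. It uses RFC 5737 documentation addresses as stand-ins for the masked 37.xxx ranges and flags the original setup while passing both the /25 split and the /30 transit plans.

```python
"""Sanity checks for a Cisco -> pfSense routed plan (added example, not from the thread)."""
from ipaddress import ip_address, ip_interface, ip_network


def check_plan(cisco_addrs, pf_wan, pf_wan_gw, pf_lan, pf_lan_gw=None, cisco_route=None):
    """Return the problems found (empty list = the plan should route).
    cisco_addrs: all CIDR addresses on the Cisco port facing pfSense;
    pf_wan/pf_lan: pfSense interface CIDRs; pf_wan_gw/pf_lan_gw: gateway on each;
    cisco_route: (destination, next_hop) static route on the Cisco, or None."""
    cisco = [ip_interface(a) for a in cisco_addrs]
    wan, lan = ip_interface(pf_wan), ip_interface(pf_lan)
    problems = []
    # The Cisco needs an address in the pfSense WAN subnet, and that is the WAN gateway.
    transit = [c for c in cisco if c.network == wan.network]
    if not transit:
        problems.append("no Cisco address shares the pfSense WAN subnet")
    elif pf_wan_gw is None or ip_address(pf_wan_gw) != transit[0].ip:
        problems.append("pfSense WAN gateway is not the Cisco address in the WAN subnet")
    if pf_lan_gw is not None:
        problems.append("pfSense LAN must not have a gateway; only WAN gets one")
    # LAN must be its own subnet: routing inside one subnet does not work, and a
    # Cisco address inside the LAN network means it never hands that traffic to pfSense.
    if lan.network.overlaps(wan.network):
        problems.append("LAN overlaps the WAN/transit subnet")
    for c in cisco:
        if c.ip in lan.network:
            problems.append(f"Cisco address {c.ip} sits inside the pfSense LAN {lan.network}")
    # The Cisco needs a static route covering the LAN whose next hop is the pfSense WAN IP.
    if cisco_route is None:
        problems.append("Cisco has no static route for the LAN via pfSense")
    else:
        dest, next_hop = ip_network(cisco_route[0]), ip_address(cisco_route[1])
        if not lan.network.subnet_of(dest):
            problems.append("Cisco static route does not cover the LAN network")
        if next_hop != wan.ip:
            problems.append("Cisco static route next hop is not the pfSense WAN address")
    return problems


# Constructed stand-ins (RFC 5737 ranges) for the thread's masked 37.xxx addresses:
# 198.51.100.16/29 = the /29, 203.0.113.0/24 = the 159.0/24, 192.0.2.0/30 = an extra /30.
BROKEN = dict(cisco_addrs=["198.51.100.17/29", "203.0.113.1/24"], pf_wan="198.51.100.18/29",
              pf_wan_gw="198.51.100.17", pf_lan="203.0.113.1/24", pf_lan_gw="198.51.100.17")
SPLIT_25 = dict(cisco_addrs=["203.0.113.1/25"], pf_wan="203.0.113.2/25", pf_wan_gw="203.0.113.1",
                pf_lan="203.0.113.129/25", cisco_route=("203.0.113.128/25", "203.0.113.2"))
TRANSIT_30 = dict(cisco_addrs=["198.51.100.17/29", "192.0.2.1/30"], pf_wan="192.0.2.2/30",
                  pf_wan_gw="192.0.2.1", pf_lan="203.0.113.1/24", cisco_route=("203.0.113.0/24", "192.0.2.2"))
if __name__ == "__main__":
    for name, plan in (("broken", BROKEN), ("/25 split", SPLIT_25), ("/30 transit", TRANSIT_30)):
        print(name, check_plan(**plan) or "OK")
```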
Thanks, yeah, I tried to make it shorter, but something went wrong.
But now it has created another problem: the proxy server no longer records logs.
Where can I look to do, or try to make, a bridge between LAN and WAN?
Thank you for everything anyway. -
Do a search in these forums and find several good write ups on setting up bridges.
I made it as short as I could … you could do the first subnet as a /30 but you would still need the second to be a /25 ... not that you could not make quite a few networks out of 159.1 - 128 (the first /25 broken into multiple subnets and used for different things).