Netgate Discussion Forum

    NATting to a virtual LAN IP

    NAT
      maxxer

      Hi.
      In my pfSense I have 3 networks:
      WAN: 192.168.1.x
      LAN: 192.168.0.x
      LAN(virtual): 192.168.2.x

      The .2.x network is created using Firewall > Virtual IP of type If Alias.
      From the LAN I can connect to 192.168.2.x hosts fine, but I'm having trouble connecting from outside.
      I created a normal NAT rule, like the ones I created for the 1.x network (which work), but the .2.x host is not getting any packets.

      Does anyone know why?
      thanks

        Metu69salemi

        Can you access the Internet from the alias IP subnet?

          maxxer

          @Metu69salemi:

          Can you access the Internet from the alias IP subnet?

          yes, perfectly!

            Metu69salemi

            What do you use for connecting from outside? Port forward or 1-to-1 NAT?

              maxxer

              @Metu69salemi:

              What do you use for connecting from outside? Port forward or 1-to-1 NAT?

              NATting, I just need a single port.
              I have other port forwards going to the normal LAN and they work fine; it's the first time I need to do it on the virtual LAN.

                Metu69salemi

                Can you show us images of your rulesets?
                I'm curious about your WAN, LAN, NAT and port forward rules.

                If you're talking about manual outbound NAT rules, those are used for inside-to-outside traffic; traffic from outside to inside will not work (unless the traffic originates from inside).
                In that case (outside-to-inside) you need a port forward or 1-to-1 NAT.

                  maxxer

                  Here are all the screenshots of the relevant config, linked.
                  thanks

                  https://dl.dropboxusercontent.com/u/706934/virtual_nat.png

                    Metu69salemi

                    Hello again,

                    Sorry for taking too long to get back here. A few images are still missing, like the LAN rules and information on the problematic destination IP (is it 192.168.2.1?).

                    And what kind of traffic do you want to get inside the 192.168.2.* subnet?

                      maxxer

                      Thanks for your reply.

                      LAN rules here:
                      https://dl.dropboxusercontent.com/u/706934/lan_rules.png

                      Yes, the problematic IP is 192.168.2.1.
                      I'd like to be able to forward a port (143) from the outside network to the internal virtual LAN IP 192.168.2.1.

                      From the "normal" LAN (192.168.0.x) access to .2.1 works fine.

                      thanks again

                        Metu69salemi

                        Looks like your inbound rules are OK. Can you please show us your outbound rules, meaning the path (Firewall: NAT: Outbound)?

                          maxxer

                          sorry for the late reply. Here's the outbound rules page.
                          https://dl.dropboxusercontent.com/u/706934/Outbound.pngs
                          thanks again

                            Metu69salemi

                            @maxxer:

                            sorry for the late reply. Here's the outbound rules page.
                            https://dl.dropboxusercontent.com/u/706934/Outbound.pngs
                            thanks again

                            At the moment Dropbox shows me a 404.

                              kejianshi

                              Try this one.

                              https://dl.dropboxusercontent.com/u/706934/Outbound.png

                              I'm unaware of a .pngs filetype  ::)

                                Metu69salemi

                                Have you tried editing that virtual IP, saving it as another type of virtual IP, and then changing it back?

                                  kathampy

                                  If you also have an Internet gateway on WAN, you'll only need NAT rules for accessing the Internet from LAN and LAN Virtual (looks like a double NAT given your WAN subnet), not for accessing LAN Virtual (192.168.2.0/24) from WAN (192.168.1.0/24).

                                  If you are trying to directly access a LAN Virtual (192.168.2.0/24) host address from a WAN (192.168.1.0/24) client it's not going to work unless:

                                  a) The WAN clients are using pfSense's WAN address as their default gateway.
                                  Or
                                  b) Whatever device is the WAN clients' default gateway has a static route to 192.168.2.0/24 via pfSense's WAN address.
                                  Or
                                  c) You have enabled RIP broadcasting on pfSense's WAN interface and whatever device is the WAN client's default gateway has at least inbound RIP enabled on the interface connected to pfSense.
                                  Or
                                  d) The WAN clients have a static route to 192.168.2.0/24 via pfSense's WAN address. You can configure this via DHCP option 121. Note that when specifying option 121 you must also include the regular default gateway for 0.0.0.0 along with other static routes.

                                  Another thing to remember is that the WAN clients' subnet must be /24 or lower or they will only look for 192.168.2.x addresses on the local switch.
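
Added example, not part of kathampy's post: option (d) delivers the static route through DHCP option 121, whose payload format is defined in RFC 3442. This Python sketch encodes and decodes that payload and flags a route list that lacks the 0.0.0.0/0 entry; the pfSense WAN address 192.168.1.2 and the upstream gateway 192.168.1.1 are assumed values that do not appear in the thread.

```python
import ipaddress

# Constructed sample: 192.168.2.0/24 is from the thread; both next-hop
# addresses are assumptions (pfSense WAN = .1.2, upstream gateway = .1.1).
ROUTES = [("192.168.2.0/24", "192.168.1.2"), ("0.0.0.0/0", "192.168.1.1")]

def encode_option_121(routes):
    """Build the option 121 payload: prefix length, significant octets, router."""
    payload = bytearray()
    for dest, router in routes:
        net = ipaddress.ip_network(dest)
        octets = (net.prefixlen + 7) // 8      # a /24 sends 3 octets, a /0 none
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:octets]
        payload += ipaddress.ip_address(router).packed
    if len(payload) > 255:
        raise ValueError("payload does not fit in a single DHCP option")
    return bytes(payload)

def decode_option_121(payload):
    """Parse a payload back into (destination, router) pairs, rejecting bad input."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        octets = (prefixlen + 7) // 8
        end = i + 1 + octets + 4
        if prefixlen > 32 or end > len(payload):
            raise ValueError("malformed option 121 payload")
        dest = ipaddress.ip_address(payload[i + 1:i + 1 + octets] + bytes(4 - octets))
        router = ipaddress.ip_address(payload[end - 4:end])
        routes.append((f"{dest}/{prefixlen}", str(router)))
        i = end
    return routes

def missing_default_route(routes):
    """True when no 0.0.0.0/0 entry is present; clients that honour option 121
    ignore the plain Router option (RFC 3442), so they would lose their gateway."""
    return not any(ipaddress.ip_network(d).prefixlen == 0 for d, _ in routes)

if __name__ == "__main__":
    print(encode_option_121(ROUTES).hex())
    print(decode_option_121(encode_option_121(ROUTES)))
```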

                                    panz

                                    Stupid question: is all forwarding going to pass if "block RFC1918" on WAN is active?

                                    pfSense 2.3.2-RELEASE-p1 (amd64)
                                    motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

                                      kathampy

                                      Not if the block rule is above the NAT rule.

                                        panz

                                        @KurianOfBorg:

                                        Not if the block rule is above the NAT rule.

                                        So, maxxer has to put his WAN allow rules before the RFC1918 blocking rule?


                                          kathampy

                                          If your WAN subnet is private you shouldn't have the block rule.
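
Added example, not part of the thread: a small Python model of the point made in the last replies. pfSense applies the port forward before the WAN filter rules and stops at the first matching rule, so a block on RFC1918 sources placed above the pass rule drops a client in 192.168.1.0/24. The WAN address 192.168.1.2 and the client addresses are assumed values.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# 192.168.2.1 and port 143 are from the thread; the WAN address is assumed.
WAN_ADDR = "192.168.1.2"
PORT_FORWARDS = {(WAN_ADDR, 143): ("192.168.2.1", 143)}

def private_source(pkt):
    """Match any packet whose source address is in an RFC1918 range."""
    return any(ipaddress.ip_address(pkt["src"]) in net for net in RFC1918)

def to_imap_host(pkt):
    """Match the forwarded service; filter rules see the translated destination."""
    return (pkt["dst"], pkt["dport"]) == ("192.168.2.1", 143)

BLOCK_PRIVATE = ("block", private_source)
PASS_IMAP = ("pass", to_imap_host)

def wan_inbound(src, dst, dport, rules):
    """Return (action, final destination) for a packet arriving on WAN."""
    dst, dport = PORT_FORWARDS.get((dst, dport), (dst, dport))   # NAT first
    pkt = {"src": src, "dst": dst, "dport": dport}
    for action, match in rules:                                  # first match wins
        if match(pkt):
            return action, dst
    return "block", dst                                          # default deny

if __name__ == "__main__":
    # Constructed packets: a private WAN-side client and a public client.
    print(wan_inbound("192.168.1.50", WAN_ADDR, 143, [BLOCK_PRIVATE, PASS_IMAP]))
    print(wan_inbound("192.168.1.50", WAN_ADDR, 143, [PASS_IMAP]))
    print(wan_inbound("203.0.113.10", WAN_ADDR, 143, [BLOCK_PRIVATE, PASS_IMAP]))
```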

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.