Netgate Discussion Forum

    PfSense own internet access in a private IP/WAN+public IP/LAN scenario

    NAT
    8 Posts 3 Posters 3.7k Views

    • anigwei

      Hi!

      My scenario is:

      • I have a public network segment (a /26).
      • My provider gives me a transport network (/30) where they are the gateway (10.a.b.1) and my pfSense WAN is 10.a.b.2
      • I set NAT to AON
      • I set the LAN interface to the first public IP of my network segment

      All hosts on the LAN have a public IP and use pfSense's public IP as gateway. They have an internet connection and that's all OK!!

      The problem is that pfSense itself can't find an internet connection because it tries to connect directly to its gateway (10.a.b.1). How can I tell pfSense that it has to use its LAN IP (the public one) as SRC-IP so the gateway will let it pass transit to the internet? If not, evidently my provider's gateway won't pass any transit if the SRC-IP is 10.a.b.c.

      Thanks!!!

      • Derelict (LAYER 8, Netgate)

        ISPs sure do some wacky stuff. Have you asked for a public /30 for your WAN interface instead of that 10.x.x.x RFC1918 nonsense?

        I know if you split your /26 into two /27s, using one /27 (or a subnet of it) for VIPs on WAN and the other /27 on your LAN interface it would work. You would tell outbound NAT to translate all traffic originated on the firewall to one of the WAN VIPs.

        What I do not know is if you can assign the /26 to a LAN interface and, at the same time, use one or two addresses out of it as VIPs on WAN. I don't believe so. Anyone? I don't have time to lab it right now. The following leads me to think even more strongly that you cannot put them on WAN if it's routed:

        IP Alias VIPs: Can be bound to localhost on version 2.1 or later for binding services in routed subnets. IP Alias VIPs bound to localhost will synchronize via XMLRPC

        From https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

        The real answer is for them to route your /26 to a public /30. A workable second would be for them to NAT the 10. interface address somewhere so it would have outbound access.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

          • anigwei

          Hi Derelict!

          Thanks for your answer.

          They say this is their usual way, with those /30 transport networks between routers…

          In fact, in Diagnostics -> Ping, pfSense can reach the internet if I select LAN as source address!

          If I leave default, it can not reach.

          So... can we "force" that, so pfSense always uses its LAN source address to connect to the internet (for updates, etc.)?

          I must say that except for this "small" fact (I only want pfSense to have internet access for its updates, packages, etc.) the network is working pretty fine in this "weird" scenario.

          Thanks,

            • johnpoz (LAYER 8, Global Moderator)

            So they gave you an RFC1918 transit... Yeah, that is wacky if you ask me...

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              • anigwei

              Yes!

              It's weird but not impossible!

              Their core router has a static route that says "everything coming to 84.b.c.d/26 goes to 10.1.1.1/30", where 10.1.1.1 is the default WAN gateway of my pfSense.

              And my pfSense WAN address is 10.1.1.2/30.

              On the LAN, pfSense has the first IP from the public range. And the servers have that IP as their default gateway. And NAT is turned off. And it works :)

              Thanks,

                • anigwei

                Hi,

                I think I've found the solution!!

                Adding an Outbound NAT rule:

                Do not NAT: Disabled
                Interface: WAN
                Source: Itself
                Dest: any
                Translation: Other Subnet: 84.b.c.d/32 (its public IP)

                And it works… :)

                Thanks,

                  • Derelict (LAYER 8, Netgate)
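                As an added illustration (not from the thread and not pfSense's generated ruleset), this is the pf.conf equivalent of the setup anigwei describes: a routed /26 on LAN, an RFC1918 /30 on WAN, and an outbound NAT rule that only touches traffic the firewall itself originates. Interface names and the 84.b.c.d block are placeholders.

```pf
# Constructed example of the scenario in this thread.
wan_if = "em0"            # 10.1.1.2/30, ISP gateway is 10.1.1.1
lan_if = "em1"            # 84.b.c.d/26, pfSense holds the first usable address
public_self = "84.b.c.d"  # the LAN address used as translation address

# Hosts on the LAN already have public addresses, so they are routed, not
# translated. In pfSense AON mode a missing rule already means "no NAT";
# the explicit "no nat" just records that intent for whoever reads this.
no nat on $wan_if from $lan_if:network to any

# Only packets the firewall itself originates (updates, packages, DNS)
# would otherwise leave with source 10.1.1.2, which the ISP will not carry.
# Rewrite their source to the public LAN address. pf keeps a state entry,
# so replies the ISP routes to 84.b.c.d are untranslated on the way back in.
# "(self)" is what pfSense uses for the "This Firewall" source choice; keeping
# the source that narrow is the point: a "from any" rule here would also
# translate the routed hosts' traffic, which is exactly what the routed
# /26 is meant to avoid.
nat on $wan_if from (self) to any -> $public_self
```

                On the firewall shell, `pfctl -sn` shows the loaded NAT rules and `pfctl -ss` the translation states, which is the quickest way to confirm that only firewall-originated sessions are being rewritten.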

                  So you didn't enter a VIP in Firewall > Virtual IPs, you just selected Other and entered it there?

                  Learn something new every day. Didn't know you could just enter an arbitrary address there. Good to know.

                    • anigwei

                    @Derelict:

                    So you didn't enter a VIP in Firewall > Virtual IPs, you just selected Other and entered it there?

                    Learn something new every day. Didn't know you could just enter an arbitrary address there. Good to know.

                    Yes, that's it. Hard to explain… because it expects a network and I entered an IP (/32)...

                    Packets matching this rule will be mapped to the IP address given here.
                    To apply this rule to a different IP address than the IP address of the interface chosen above, select it here (Virtual IP addresses need to be defined on the interface first)

                    Regards!
