Double Nat Issue
-
Hi everyone,
Today i have a problem with my network :Internet –> (PPPoe)Modem(Lan: 192.168.1.1/24)-->Wan (192.168.1.20/24)Pfsense(Lan: 192.168.100.1/24)--->(192.168.100.2/24) Switch Layer3( have 3 VLAN)
Pfsense allow * to * both Lan and Wan
I can ping from VLAN --> 192.168.100.1 but cannot VLAN --> 192.168.1.20
pfsense --> VLAN from Lan
if Pfsense enable NAT outbound : pfsense ping 8.8.8.8 from Lan but cannot VLAN--> 8.8.8.8disable NAT outbound : pfsense cannot ping 8.8.8.8
i want 3 VLAN can go internet
Any suggestion ?? Thank you so much
-
You have a L3 switch, do have routes on pfsense for these 3 networks that are on our L3 switch? Do you have a transit network setup - is that what your lan network
Why don't you just have pfsense be your router for all your segments?
If your going to have downstream networks, you have to tell pfsense to NAT those – how is pfsense suppose to know about these downstream networks?
So you have a downstream vlan of 192.168.1.0/24 but that is on your wan of pfsense? Why don't you draw out your network?? How I would do something with layer 3 downstream router is prob like this where I would use /30 for the transit network. Then have my other segments off the L3 switch - which would have route to pfsense for default. Pfsense would have routes to your .2 and .3 and .4 /24 segments. Then on your outbound nat make sure to include those downstream networks in your nat. And also in your LAN rules you would have to allow for those networks vs just lan net..
See attached. But wouldn't it be easier if you got rid of your double nat and just had all your networks segments off pfsense - now you can firewall between all segments, etc..
-
Firstly, thank you for ur help
Your attached is exactly topology i mentioned, is that good or not good ?
i'm confusing with my plan.. thank you again
would u give me some suggestion about my plan ? -
You made no mention of a transit network in your post.. But yeah that is how you normally do downstream routers.
So your using the 192.168.100/24 as your transit? What are the 3 vlans on your downstream L3? Kind of odd to waste a /24 on a transit..
What are you firewall rules on your Lan interface in pfsense, what are you routes in pfsense? What is the routes on your L3 switch? Did you add your 3 downstream vlans to your outbound nat?
-
Thank johnpoz,
- i changed transit network to 192.168.100.0/30
- 3 vlan on downstream L3 : 192.168.10.0/24, 192.168.30/24, 192.168.40/24
- Firewall rule on Lan, Wan : allow any to any
- Route on Pfsense : have route 3 vlan via gateway : 192.168.100.2 on switch L3
outbound nat have 3 vlan - Sw : have static route : S* 0.0.0.0/0 [1/0] via 192.168.100.1
- Nat also on modem
i attach image below
-
im done, i change sw l3 to sw l2 and firewall between subnets,
thanks for your help -
So your just vlaning now, or do you have more interfaces on the firewall for these other segments.. Yeah unless your routing lots of traffic it makes little sense for L3 downstream normally in a small setup. If you have devices that need to talk a lot to each other - better to just put them on the same segment ;)
So what your L3 with the transit working? Why the change in heart to L2 ?
-
i really appreciate ur reply,
but in my situation now, i realize network have enough traffic transit each other, so i replaced sw L2 to sw L3, and Sw L3 do something else in other enviroment
but now i have other issue, can u help me johnpoz ?
https://forum.pfsense.org/index.php?topic=94928.0
still double nat for other service
thank you again
