    Cannot get Public IP on LAN to connect without NAT

    Category: NAT
    9 Posts 2 Posters 2.1k Views
    dakoellis

      Hi All,

      I have 2 public IP subnets and I can't get pfSense to work the way I want to with them. My goal is simply to disable NAT for the LAN side computers. What everything I've seen says should work is to select Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) and delete all the rules that come up, but when I do that I don't have Internet on any computers on the LAN side. It works perfectly fine with Automatic NAT enabled, but then I of course have NAT enabled, which is not desired. I also made sure that I have firewall rules to allow all traffic on both the WAN and LAN interfaces. Lastly I tried disabling the firewall/NAT altogether in System > Advanced > Firewall/NAT, but that didn't work either.

      The weird thing to me is that when I check the firewall logs, there doesn't seem to be any traffic coming from the computer I am testing with (and making configuration changes with) to the firewall at all.  I am able to ping google with the LAN port of pfsense, but not with any devices on the LAN, even though the LAN devices can contact the router.  I'm hoping someone can give me some insight into what could possibly be going on because I've been at this for a couple of weeks now and nothing seems to be working.

      Derelict LAYER 8 Netgate

        Are you sure the LAN subnet is routed to the proper IP address on your WAN interface by the ISP?

        Rules on WAN have nothing to do with connections originated by your LAN hosts.

        And, yes, you would switch to Manual Outbound NAT and delete (or disable) all the rules with a source of the subnet with the public IP network. That would disable NAT on outbound connections.

        For inbound connections you don't use port forwards. You only use firewall rules passing the appropriate traffic to the appropriate destinations.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        dakoellis

          Are you sure the LAN subnet is routed to the proper IP address on your WAN interface by the ISP?

          I'm not 100% positive because I just requested it and haven't gotten it to work, but it works correctly with all other subnets they've done first time. I did try running a second gateway through another subnet that is currently in production, and it did not work there either, but I believe that was due to asymmetric routing issues due to some of the traffic issues I was getting. That said, the "Bypass firewall rules for traffic on the same interface" didn't help the situation there.

          Rules on WAN have nothing to do with connections originated by your LAN hosts.

          Yeah, I get that. Just something I tried after a couple of weeks with no progress.

          For inbound connections you don't use port forwards. You only use firewall rules passing the appropriate traffic to the appropriate destinations.

          I haven't done anything with port forwards, and an allow all any proto any address should be good for the rules, correct?

          Derelict LAYER 8 Netgate

            @dakoellis:

            Are you sure the LAN subnet is routed to the proper IP address on your WAN interface by the ISP?

            I'm not 100% positive because I just requested it and haven't gotten it to work, but it works correctly with all other subnets they've done first time. I did try running a second gateway through another subnet that is currently in production, and it did not work there either, but I believe that was due to asymmetric routing issues due to some of the traffic issues I was getting. That said, the "Bypass firewall rules for traffic on the same interface" didn't help the situation there.

            Rules on WAN have nothing to do with connections originated by your LAN hosts.

            Yeah, I get that. Just something I tried after a couple of weeks with no progress.

            You've been futzing with this for weeks and haven't verified the route with the ISP? I don't get it. Getting clicky clicky with things that make no difference certainly isn't going to help.

            (Is it "just requested" or "a couple weeks")

            For inbound connections you don't use port forwards. You only use firewall rules passing the appropriate traffic to the appropriate destinations.

            I haven't done anything with port forwards, and an allow all any proto any address should be good for the rules, correct?

            If that's what you want. I would "pass any dest LAN subnet" instead. And you need to be sure LAN address is protected lest your webgui, etc. be exposed.

            PM the WAN interface address and the routed subnet and I'll traceroute it to see if it looks like it's being routed properly. (I doubt it is, or it looks like it would be working.)

              dakoellis

              OK, let me step back a bit. I have been working on this for a couple of weeks on a subnet that I know is working (and other gateways I've tried work fine with). I contacted my ISP to get another subnet when I did something that enabled me to see a bunch of the traffic was being blocked due to asymmetric routing.

                Derelict LAYER 8 Netgate

                Then fix that, I guess. Nowhere near enough details to help you.

                  dakoellis

                  @Derelict:

                  Then fix that, I guess. Nowhere near enough details to help you.

                  I'm currently waiting on a reply from the ISP on verifying the route (this was implemented yesterday), but would the forwarding explain why the router would work with NAT enabled but not disabled? I'm still fairly new to networking and have learned quite a bit through this process.

                    Derelict LAYER 8 Netgate

                    If the subnet is not routed to you, yes. NAT would work, no NAT would not.

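A small Python model of the point Derelict makes above, added here as an example rather than code from the thread or from pfSense: it uses constructed documentation-range addresses and a longest-prefix-match lookup on a mock ISP routing table to show why outbound traffic from the LAN works with NAT whether or not the ISP has the route, but fails without NAT until the public subnet is actually routed to the WAN address.

```python
import ipaddress

# Constructed addresses (documentation ranges), not the thread's real subnets:
# the ISP transit link, pfSense's WAN address, and a public /28 placed on LAN.
TRANSIT_LINK = ipaddress.ip_network("203.0.113.0/30")
PFSENSE_WAN_IP = ipaddress.ip_address("203.0.113.2")
ROUTED_LAN = ipaddress.ip_network("198.51.100.0/28")
LAN_HOST = ipaddress.ip_address("198.51.100.5")


def lookup(routes, dst):
    """Longest-prefix match: return the next hop for dst, or None if no route."""
    best = None
    for prefix, next_hop in routes.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def isp_routing_table(subnet_routed):
    """The ISP edge router's view. Only when the ISP has provisioned the static
    route does the /28 point at pfSense's WAN address; otherwise the /28 is
    covered by nothing more specific than the ISP's own default route."""
    routes = {
        TRANSIT_LINK: "connected",
        ipaddress.ip_network("0.0.0.0/0"): "upstream",
    }
    if subnet_routed:
        routes[ROUTED_LAN] = str(PFSENSE_WAN_IP)
    return routes


def reply_reaches_pfsense(nat_enabled, subnet_routed):
    """Model one outbound connection from LAN_HOST and ask whether the reply
    from the Internet is forwarded back toward pfSense by the ISP."""
    # The outbound leg always works: pfSense forwards to the ISP, which follows
    # its default route. What NAT changes is the source address the remote
    # host will answer to: the WAN IP (NAT on) or the LAN host's own public IP.
    reply_dst = PFSENSE_WAN_IP if nat_enabled else LAN_HOST
    next_hop = lookup(isp_routing_table(subnet_routed), reply_dst)
    # "connected" = delivered on the transit link; the WAN IP = forwarded to
    # pfSense. Anything else goes upstream and the reply never comes back.
    return next_hop in ("connected", str(PFSENSE_WAN_IP))


def outcome_matrix():
    """All four (NAT, routed) combinations the thread walks through."""
    return {(nat, routed): reply_reaches_pfsense(nat, routed)
            for nat in (True, False) for routed in (True, False)}
```

The only failing cell is NAT off with the subnet not routed, which is exactly the symptom in the first post; `lookup(isp_routing_table(False), LAN_HOST)` returning the default route is the model's equivalent of the traceroute check Derelict offers.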
                      dakoellis

                      OK, you were right, the route wasn't set up correctly :( Everything is working perfectly now. Thanks a bunch for your help!

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.