Netgate Discussion Forum

Natting - moving from cisco router to pfsense

11 Posts 2 Posters 666 Views
  • ?
    A Former User
    last edited by A Former User Oct 29, 2020, 1:11 PM Oct 29, 2020, 1:05 PM

    Hi

    I'm moving from a Cisco router to pfSense.

    Here's my Cisco router config:

    interface FastEthernet0/0
     description Transit$FW_INSIDE$
     ip address 10.130.50.4 255.255.255.248
     ip access-group STOP_PING in
     no ip redirects
     ip nat inside
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet0/1
     description $FW_OUTSIDE$$ETH-LAN$
     ip address 10.195.50.20 255.255.254.0
     ip access-group STOP_PING in
     no ip redirects
     ip nat outside
     ip nat enable
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 10.195.50.10
    ip route 10.130.0.0 255.255.0.0 10.130.50.3
    !
    !
    ip nat inside source list GNet interface FastEthernet0/1 overload
    !
    ip access-list standard GNet
    permit 10.130.111.0 0.0.0.255
    permit 10.130.50.0 0.0.0.255
    permit 10.130.101.0 0.0.0.255
    permit 10.195.50.0 0.0.1.255
    

    How do I transfer this setting to pfSense?

    I'm new to networking and pfSense, and sorry if this is basic. So far what I tried... Current pfSense setup:

    IP WAN v4: 10.195.50.20/23
    IP LAN v4: 10.130.50.4/29

    I added a static summary route in pfSense firewall rules:
    10.130.0.0 255.255.0.0 10.130.50.3

    I tried to do the NATting with 1:1 NAT. Is this correct? I can't get it to work.

    Interface 	External IP 	Internal IP 	Destination IP 	Description 	
    LAN 	10.195.50.20 	10.130.115.0 	WAN address 	  	
    WAN 	10.195.50.20 	10.195.50.0 	WAN address 	  	
    LAN 	10.195.50.20 	10.130.50.0 	WAN address 	  	
    LAN 	10.195.50.20 	10.130.101.0 	WAN address
    

    Right now the gateway status is offline, and I have no internet in my VLAN.

    • J
      johnpoz LAYER 8 Global Moderator
      last edited by johnpoz Oct 29, 2020, 1:19 PM Oct 29, 2020, 1:17 PM

      Not sure what you're doing exactly... But this would just work out of the box.. It will outbound NAT your LAN network to your WAN IP.

      There really is nothing to do but run through the bouncing ball setup.

      Change your lan network to the range you want to use. 10.130.50.4/29

      If your gateway is offline, then no, you're not going to go anywhere, nor are you going to be natting anything.. Pfsense needs to be able to ping its WAN gateway.. This 10.195.50.10 address?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • ?
        A Former User
        last edited by A Former User Oct 29, 2020, 1:37 PM Oct 29, 2020, 1:34 PM

        Hi,
        What I'm trying to do is replace a Cisco 1841 router with pfSense.
        The Cisco 1841 router has failed to work properly after a recent power failure at our place, and as a
        temporary replacement we have set up a PC with pfSense installed in VirtualBox with the
        same IP as the router, 10.130.50.4.

        I have two NICS
        virtual box setup - both adapter in bridge mode
        Virtual Box Host adapter - 10.195.50.18/255.255.254.0/10.195.50.10
        Pfsense LAN 10.130.50.4

        1st pc network adapter - 10.130.50.5/255.255.255.248/10.130.50.3
        2nd pc network adapter - 10.195.50.19/255.255.254.0/10.195.50.10

        The pfSense gateway 10.195.56.10 is displayed as offline and the VLAN PCs have no internet,
        but I have internet on the VirtualBox PC and I can access pfSense from the browser.

        So now I need to be able to NAT my internal LAN subnets from the pfSense box, just like the old router was doing.

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz Oct 29, 2020, 1:38 PM Oct 29, 2020, 1:37 PM

          Well you need to look to your VM setup.. If pfsense can not ping its gateway - you're going to have a bad day..

          If the device just doesn't answer ping, you can setup pfsense to just always assume the gateway is up.. But you shouldn't have to do that.. Does pfsense show the mac address of its gateway in its arp table? You can view the arp table in the diagnostic menu, arp table.

          But pfsense there really is nothing to configure other than the wan IP and its gateway, and the lan IP and mask.. It will auto nat to your wan IP.

          • ?
            A Former User
            last edited by A Former User Oct 29, 2020, 1:43 PM Oct 29, 2020, 1:42 PM

            Thank you, John Poz.

            Yes, I can see the MAC address of the gateway in pfSense. What should I do with the info? Status - Expires in 974 seconds

            I'll try to figure out what in my VirtualBox setup is causing the gateway to be offline.

            I can browse the internet without problem on my PC by using 10.195.50.10 as gateway.

            • J
              johnpoz LAYER 8 Global Moderator
              last edited by Oct 29, 2020, 1:53 PM

              Well if you can see the MAC, and it's correct but it's just not answering ping.. You could set the monitoring for the gateway to always up.. And then see if pfsense can ping outside IPs.

              monitoring.png

              Or you could try changing the monitoring IP to something that does answer ping upstream from pfsense.

              • ?
                A Former User @johnpoz
                last edited by A Former User Oct 29, 2020, 2:12 PM Oct 29, 2020, 2:12 PM

                @johnpoz I disabled monitoring and also tried to change the monitoring IP. The status changed to online but I still can't ping and have no internet.

                • ?
                  A Former User
                  last edited by A Former User Oct 31, 2020, 3:30 AM Oct 31, 2020, 3:28 AM

                  Hi, I would just like to give an update.

                  I adjusted my VirtualBox settings:

                  1st pc network adapter - 10.195.50.19/255.255.254.0/10.195.50.10
                  2nd pc network adapter - 10.130.50.5/255.255.255.248/10.130.50.3
                  virtual box setup - both adapter in bridge mode
                  Virtual Box Host adapter - 10.130.50.6/255.255.255.248/10.130.50.3
                  Pfsense LAN 10.130.50.4
                  

                  I have internet on this PC and I can access pfSense 10.130.50.4 and my core switch 10.130.50.3.

                  The gateway 10.195.50.10 is now online in my pfSense, and I can ping the internet,
                  but the 10.130.50.3 (core switch) gateway is offline in pfSense.
                  I can't ping the LAN, and now I can't access pfSense in my VLAN since the static route I made in pfSense failed:
                  10.130.0.0 255.255.0.0 10.130.50.3

                  I'm still trying to solve this. Bear with me, I'm new to this thing and I really hope I can solve this.

                  • J
                    johnpoz LAYER 8 Global Moderator
                    last edited by Oct 31, 2020, 4:20 AM

                    @kayul said in Natting - moving from cisco router to pfsense:

                    but 10.130.50.3 (core switch)gateway is offline in pfsense

                    Huh?? Draw up your network.. Sounds like you have a real mess.. So you're pointing to a L3 switch for pfsense as its gateway?

                    Sounds like you have some sort of asymmetrical mess most likely as well.

                    And both of these adapters have gateways??

                    • ?
                      A Former User @johnpoz
                      last edited by A Former User Oct 31, 2020, 1:17 PM Oct 31, 2020, 1:12 PM

                      @johnpoz I tried to draw the diagram. I'm not really sure if I'm doing this right. I include the router and core switch settings: Diagram.jpg Router.txt Core Switch.txt

                      • J
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz Oct 31, 2020, 2:01 PM Oct 31, 2020, 2:00 PM

                        So you have a server say 10.130.101.42/23, what is it using for its gateway?

                        Using 10.130.50/29 as a transit network is fine.. But how are you setting up gateway? You wouldn't put it on the interface.. You would create a gateway under routing, and then setup any routes to downstream networks.

                        Here is a logical diagram.. with a downstream router.. So its easier to read

                        logical.png

                        Let's assume you have all the VM stuff set up correctly for the different L2 networks and how things are connected.. So what IPs you're using on the VM host have nothing to do with how this traffic would flow.

                        Keep in mind that once you create gateway pointing to your downstream router this .3 that is on say the lan interface of pfsense. You have to adjust the lan rules to allow these downstream networks. Since I assume your downstream router is not natting.

                        Once you create the route for the downstream network 10.130.101/24, pfsense if using the default automatic outbound nat would add this downstream network(s) to your outbound nat..

                        Did I draw this correctly? Let's just deal with 1 downstream network, this 10.130.101/24 for now..

                        On a side note - I personally don't like using a transit network that could get confused with your actual networks... If you are going to use 10/8 for your networks, then use say the 172.16/12 or 192.168/16 space for your transits

                        So vs using this 10.130.50.0/29 as transit, say use 172.16.0.0/29

                        Hope that helps.

                        1 Reply Last reply Reply Quote 0
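
The translation discussed in this thread, as an added example that is not part of any post: it converts the wildcard-mask entries of the posted `GNet` ACL to CIDR and labels each NAT source by where it sits relative to the pfSense WAN and LAN interfaces and the posted static routes. The function names and labels are hypothetical, and the input is constructed from the config lines quoted in the first post.

```python
import ipaddress

# Constructed input: routes and ACL entries from the config posted in the thread.
CISCO = """\
ip route 0.0.0.0 0.0.0.0 10.195.50.10
ip route 10.130.0.0 255.255.0.0 10.130.50.3
permit 10.130.111.0 0.0.0.255
permit 10.130.50.0 0.0.0.255
permit 10.130.101.0 0.0.0.255
permit 10.195.50.0 0.0.1.255
"""
WAN = ipaddress.ip_interface("10.195.50.20/23")  # pfSense WAN, from the thread
LAN = ipaddress.ip_interface("10.130.50.4/29")   # pfSense LAN (transit), from the thread

def wildcard_to_net(addr, wildcard):
    """Convert a Cisco wildcard mask to a CIDR network; reject non-contiguous masks."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - host_bits.bit_length()}")

def parse(text):
    routes, sources = [], []  # [(network, next_hop)], [nat_source_network]
    for fields in map(str.split, text.splitlines()):
        if fields[:2] == ["ip", "route"]:
            net = ipaddress.ip_network(f"{fields[2]}/{fields[3]}")
            routes.append((net, ipaddress.ip_address(fields[4])))
        elif fields[:1] == ["permit"]:
            sources.append(wildcard_to_net(fields[1], fields[2]))
    return routes, sources

def plan(text):
    """Label each NAT source: on the WAN side, on the LAN, or behind a static route."""
    routes, sources = parse(text)
    # Downstream routes: not the default route, next hop on-link on the LAN interface.
    downstream = [(n, gw) for n, gw in routes if n.prefixlen and gw in LAN.network]
    labels = {}
    for src in sources:
        if src.subnet_of(WAN.network):
            labels[str(src)] = "wan-side"
        elif src.subnet_of(LAN.network):
            labels[str(src)] = "lan-connected"
        else:
            via = [str(gw) for n, gw in downstream if src.subnet_of(n)]
            labels[str(src)] = f"static route via {via[0]}" if via else "no route"
    return labels

if __name__ == "__main__":
    print(plan(CISCO))
```

Each "static route via" entry is a downstream network that, per the last post, needs a route through the gateway created under routing and a LAN rule allowing it as a source.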
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.