Natting - moving from cisco router to pfsense
-
Hi
Im moving from cisco router to pfsense
here's my ciscorouter config
interface FastEthernet0/0 description Transit$FW_INSIDE$ ip address 10.130.50.4 255.255.255.248 ip access-group STOP_PING in no ip redirects ip nat inside ip nat enable ip virtual-reassembly duplex auto speed auto ! interface FastEthernet0/1 description $FW_OUTSIDE$$ETH-LAN$ ip address 10.195.50.20 255.255.254.0 ip access-group STOP_PING in no ip redirects ip nat outside ip nat enable ip virtual-reassembly duplex auto speed auto ! ! ip classless ip route 0.0.0.0 0.0.0.0 10.195.50.10 ip route 10.130.0.0 255.255.0.0 10.130.50.3 ! ! ip nat inside source list GNet interface FastEthernet0/1 overload ! ip access-list standard GNet permit 10.130.111.0 0.0.0.255 permit 10.130.50.0 0.0.0.255 permit 10.130.101.0 0.0.0.255 permit 10.195.50.0.0 0.0.1.255how do i transfer this setting to pfsense
im new to networking and pfsense and sorry if this is is basic..so far what i tried...current pfsense setup
ip wan v4 : 10.195.50.20/23
ip Lan v4: 10.130.50.4/29i added a static summary route in pfsense firewall rules
10.130.0.0 255.255.0.0 10.130.50.3i tried to do the the natting in 1:1 natting..is this correct ? i can't get it to work
Interface External IP Internal IP Destination IP Description LAN 10.195.50.20 10.130.115.0 WAN address WAN 10.195.50.20 10.195.50.0 WAN address LAN 10.195.50.20 10.130.50.0 WAN address LAN 10.195.50.20 10.130.101.0 WAN addressright now gateway status is offline..and i have no internet in my vlan
[0_1603977063586_Router.txt](Uploading 100%)
-
Not sure what your doing exactly... But this would just work out of the box.. It will out outbound nat your lan network to your wan IP.
There really is nothing to do but run through the bouncing ball setup.
Change your lan network to the range you want to use. 10.130.50.4/29
If your gateway is offline, then no your not going to go anywhere, nor are you going to be natting anything.. Pfsense needs to be able to ping its wan gateway.. This 10.195.50.10 address?
-
Hi
what im trying to is to replace Cisco 1841 Router with pfsense
the cisco 1841 router has failed to work properly after a recent power failure at our place and for a
temporary replacement we have setup a pc with pfsense installed in virtual box with the
same ip as the router 10.130.50.4I have two NICS
virtual box setup - both adapter in bridge mode
Virtual Box Host adapter - 10.195.50.18/255.255.254.0/10.195.50.10
Pfsense LAN 10.130.50.41st pc network adapter - 10.130.50.5/255.255.255.248/10.130.50.3
2nd pc network adapter - 10.195.50.19/255.255.254.0/10.195.50.10pfsense gateway 10.195.56.10 is display as offline and vlan pc have no internet
but i have internet in the virtual box pc and i can access pfsense from browserSo now i need to be able to nat my internal lan subnets from the Pfsence box, just like the old router was doing.
-
Well you need to look to your vm setup.. If pfsense can not ping its gateway - your going to have a bad day..
If the device just doesn't answer ping, you can setup pfsense to just always assume the gateway is up.. But you shouldn't have to do that.. Does pfsense show the mac address of its gateway in its arp table? You can view the arp table in the diagnostic menu, arp table.
But pfsense there really is nothing to configure other than the wan IP and its gateway, and the lan IP and mask.. It will auto nat to your wan IP.
-
thank you John Poz..
yes i can see the mac address of the gateway in pfsense, what should i do with the info ? status - Expires in 974 seconds
i'll try to figure my virtual box setup what causing the gateway to be offline..
i can browse the internet without problem in my pc by using 10.195.50.10 as gateway
-
Well if you can see the mac, and its correct but its just not answering ping.. You could set the monitoring for the gateway to always up.. And then see if pfsense can ping outside IPs,
Or you could try changing the monitoring IP to something that does answer ping upstream from pfsense.
-
@johnpoz i disabled monitoring and also try to change the monitoring ip ..the status changed to online but i still can't ping and no internet
-
Hi just would like to update,
i adjusted my virtual box setting
1st pc network adapter - 10.195.50.19/255.255.254.0/10.195.50.10 2nd pc network adapter - 10.130.50.5/255.255.255.248/10.130.50.3 virtual box setup - both adapter in bridge mode Virtual Box Host adapter - 10.130.50.6/255.255.255.248/10.130.50.3 Pfsense LAN 10.130.50.4i have internet in this pc and i can access pfsense 10.130.50.4 and my core switch 10.130.50.3
the gateway 10.195.50.10 is now online in my pfsense, and i can ping to internet
but 10.130.50.3 (core switch)gateway is offline in pfsense
..i can't ping LAN and now i cant access pfsense in my vlan since the static route i made in pfsense failed
10.130.0.0 255.255.0.0 10.130.50.3im still trying to solved this, ..bear with me..im new with thing and i really hope i can solve this
-
@kayul said in Natting - moving from cisco router to pfsense:
but 10.130.50.3 (core switch)gateway is offline in pfsense
Huh?? Draw up your network.. Sounds like you have a real mess.. So your pointing to a L3 switch for pfsense as its gateway?
Sounds like you have some sort of asymmetrical mess most likely as well.
And both of these adapters have gateways??
-
@johnpoz i tried to draw the diagram..im not really sure if im doing this right..i include the router and coreswitch setting
Router.txt Core Switch.txt -
So you have a server say 10.130.101.42/23, what is it using for its gateway?
Using 10.130.50/29 as a transit network is fine.. But how are you setting up gateway? You wouldn't put it on the interface.. You would create a gateway under routing, and then setup any routes to downstream networks.
Here is a logical diagram.. with a downstream router.. So its easier to read
Lets assume you have all the VM stuff setup correctly for the different L2 networks and how things are connected.. So what IPs your using on the VM host have nothing to do with how this traffic would flow.
Keep in mind that once you create gateway pointing to your downstream router this .3 that is on say the lan interface of pfsense. You have to adjust the lan rules to allow these downstream networks. Since I assume your downstream router is not natting.
Once you create the route for the downstream network 10.130.101/24, pfsense if using the default automatic outbound nat would add this downstream network(s) to your outbound nat..
Did I draw this correctly? Lets just deal with 1 downstream network, this 10.130.101/24 for now..
On a side note - I personally don't like using a transit network that could get confused with your actual networks... If you are going to use 10/8 for your networks, then use say the 172.16/12 or 192.168/16 space for your transits
So vs using this 10.130.50.0/29 as transit, say use 172.16.0.0/29
Hope that helps.
