Routing between Networks behind different WAN IPs
-
However, due to the Multi-WAN setup, maybe you need the NAT reflection with proxy mode.
-
I would expect Pure NAT to work. You wouldn't even need the auto-outbound rules since it's between two different internal interfaces. I would enable them anyway though to allow access from the same interface if it's ever required.
Steve
-
@stephenw10
The strange thing, as the TO mentioned, he can access the server by its internal IP, but not by the WAN IP with NAT reflection in pure NAT mode.
So the rules must be okay, but the NAT reflection seems not to work.
-
I don't actually see anywhere he said he enabled NAT reflection. I just see everyone suggesting it...
-
@dabbelju007 said in Routing between Networks behind different WAN IPs:
@viragomann Thanks for your advice.
Just for a test: Rule at LAN2 allows IPv4 any protocol to any destination. I am using IPv4 addresses.
The NAT Port Forward Rule @WAN1 Interface has NAT reflection enabled, as you said pure NAT.
It is still not working.
I know the Firewall Log, State Log and packet capture. Is there a way in pfSense to see in which steps this request is handled?
When I do the request and take a look into the firewall log I can see that there is an entry which "allows the request" out from LAN2. There is no entry for the NAT rule @WAN1 (logging in the rules is enabled).
What do I do wrong?
Thanks
Dabbelju
@stephenw10
I did activate it. I will do some further testing today.
-
Hi all,
sorry if I'm starting to be a bother. But I really like pfSense and want to understand as much as possible.
I did do some further testing (NAT Reflection Enabled with "pure NAT" and "NAT + Proxy"). I did enable it under "System=>Advanced=>Firewall & NAT" as well as in the corresponding NAT rule @WAN1.
I did take traces at all involved interfaces (LAN2, WAN2, WAN1, LAN1, Server) in the different scenarios. The only point where I see the packets is @LAN2. Whatever pfSense does I should see it hitting the server which is not the case.
What I currently do not understand: I have enabled the NAT reflection at the @WAN1 NAT rule. How can NAT reflection do whatever it does when the traffic is not even hitting the Interface? Shouldn't there be a Rule allowing NAT reflection @LAN2 or @WAN2?
Is there any other way to do debugging apart from Traces, Firewall System Logs, State Logs?
I would expect at least to see the packets also @LAN1 or am I wrong?
-
NAT reflection is not going to work if your policy routing is shoving it out a gateway.
If lan2 is trying to hit server in lan1, post up your rules you have on lan2
-
Yeah, you will need to have a firewall rule allowing traffic from LAN1 to the server in LAN2 to pass the reflected traffic without being routed to any gateway.
With NAT reflection enabled when a client on any internal subnet tries to hit the WAN2 IP on a port that is forwarded it actually hits a NAT rule that sends it to the target directly. Then it hits the firewall so a rule must exist to pass the redirected traffic.
Steve
-
Please find attached a screenshot of the rule @LAN2. I did wipe out my public ip but in the rule is the IP of WAN1.
GUESTLAN is my LAN2. In the firewall log I do see that it hits this rule.
How can I have a rule which is not routing the traffic to a gateway? It will either take the system default GW or the one I have configured in the advanced options of a rule.
-
If you don't have a gateway defined in a rule, traffic will be routed according to the system routing table. That means it will go via the default gateway for an external destination, but for a local subnet, LAN 2 here, it will be routed directly.
You need a firewall rule on LAN1 that allows traffic from the LAN1 subnet to the server IP in LAN2 above the policy routing rule there.
Steve
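To make the order of operations in the last two replies concrete, here is a small added model (not code from the thread or from pfSense) of how pf treats a reflected connection: the rdr from the port forward rewrites the destination before the filter rules run, so the pass rule on the client's interface must match the server IP and carry no gateway, and it must sit above the policy-routing rule. All addresses, ports and gateway names are constructed, and it assumes the server is in LAN1 and the client in LAN2 (GUESTLAN).

```python
# Added example: a model of pf's rdr-before-filter ordering and pfSense policy
# routing, to show why a reflected connection dies on a gateway rule.
# All IPs, names and ports below are constructed placeholders.
import ipaddress

WAN1_IP = "203.0.113.10"                 # constructed public IP (doc range)
SERVER_IP = "192.168.1.50"               # server in LAN1
LAN1_NET = ipaddress.ip_network("192.168.1.0/24")
LAN2_NET = ipaddress.ip_network("192.168.2.0/24")   # GUESTLAN / LAN2
CLIENT_IP = "192.168.2.23"

# NAT reflection: the WAN1 port forward is also applied to internal clients.
REFLECTION_RDR = {(WAN1_IP, 443): (SERVER_IP, 443)}

def apply_rdr(dst_ip, dst_port):
    """pf applies rdr (port forward / reflection) before the filter rules."""
    return REFLECTION_RDR.get((dst_ip, dst_port), (dst_ip, dst_port))

def route(dst_ip):
    """System routing table: directly connected subnets, otherwise default GW."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net in (("LAN1", LAN1_NET), ("LAN2", LAN2_NET)):
        if addr in net:
            return f"direct via {name}"
    return "default gateway (WAN1_GW)"

def forward(rules, src_ip, dst_ip, dst_port):
    """First-match filter evaluation on the client's interface (LAN2)."""
    dst_ip, dst_port = apply_rdr(dst_ip, dst_port)      # reflection happens first
    for rule in rules:
        if rule["dst"] in ("any", dst_ip):
            if rule["gateway"]:                           # policy routing wins
                return f"policy-routed out {rule['gateway']}: never reaches {dst_ip}"
            return f"pass, routed {route(dst_ip)} to {dst_ip}:{dst_port}"
    return "blocked (no matching rule)"

# The poster's rule: any -> any with a gateway set in the Advanced options.
BROKEN_RULES = [{"dst": "any", "gateway": "WAN2_GW"}]
# The suggested fix: a pass rule to the server IP with no gateway, placed above it.
FIXED_RULES = [{"dst": SERVER_IP, "gateway": None}] + BROKEN_RULES

if __name__ == "__main__":
    print(forward(BROKEN_RULES, CLIENT_IP, WAN1_IP, 443))
    print(forward(FIXED_RULES, CLIENT_IP, WAN1_IP, 443))
```

The captures in the thread match the first case: the packet is seen leaving LAN2 and nowhere else, because the policy-routing rule sends it to the WAN gateway after the destination has already been rewritten.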