Outbound NAT and LAN internet access
-
Hello,
We have some cPanel servers behind the pfSense device, so they have multiple IPs directed to them for the various accounts, and we needed to make sure that the different accounts were responding with the correct IPs. So, under the Outbound NAT, I disabled rule generation and that worked to get each account responding with its own IP rather than the single gateway IP.
However, the LAN network does not have internet access, and I believe that's the reason. I have a backup device on the LAN that needs to be able to connect to other servers online (updates, sending email, etc.). I can SSH in to that device and I can verify that things like DNS work, because if I ping a domain it will use the correct IP, but other than that there's no access. I think that outbound NAT is the reason. I have the LAN interface configured with no gateway, and pfSense has DHCP active on the LAN (although the backup device is using a static IP).
How can I fix this so that the WAN servers will still respond with the appropriate IPs, but LAN can also have outbound access?
Thanks
-
We have some cPanel servers behind the pfSense device, so they have multiple IPs directed to them for the various accounts, and we needed to make sure that the different accounts were responding with the correct IPs.
That's the default behaviour for connections from outside if you've assigned IP Aliases for your public IPs to the WAN interface.
So, under the Outbound NAT, I disabled rule generation and that worked to get each account responding with its own IP rather than the single gateway IP.
However, the LAN network does not have internet access, and I believe that's the reason.
That is just for outgoing connections and of course the reason for your issue.
So if you have no other reason, activate the automatic outbound NAT rules again.
But if you want to map specific internal IPs to specific external IPs also for outgoing connections, you can use 1:1 NAT.
-
if you've assigned IP Aliases for your public IPs to the WAN interface.
I don't think I've done that. If I go under Firewall -> Virtual IPs, I don't see any listed. It looks like if I try to add a new IP Alias then I have to enter each IP individually, is that right? I've got a /26 network of IPs that are assigned to the servers behind the pfSense device.
So it sounds like I need to add each of our assigned IPs in that network as an IP Alias for the WAN interface, and then activate the automatic outbound NAT, correct? That will allow each cPanel server to send requests from the "main" IP for that server (so that IP-based cPanel licensing works), allow the /26 network to get routed to the appropriate server for each IP, and allow outbound LAN access (presumably from the gateway IP for pfSense?). Unfortunately one of the cPanel servers is live and in use right now (serving 4 IPs from the /26 network), so hopefully I can make all of those changes pretty quickly. But since it's live, I'd like to wait for confirmation that I'm on the right track; I'm pretty new to pfSense admin and haven't worked with IP Aliases yet. My education isn't in network admin but I'm trying to learn what I need to.
Also, just to be clear, the IP Aliases that you're referring to (under Firewall -> Virtual IPs) are completely different from what is under Firewall -> Aliases -> IP, correct?
Thanks
-
Leave your outbound NAT in hybrid mode, then your servers will use the outbound NAT rules you manually defined, and everything else will hit the automatic.
-
I haven't defined any manual rules for outbound NAT yet, in order to get the cPanel IPs to validate their licenses I just disabled outbound NAT altogether. Do you think I need to define outbound rules? If so, for which part of my setup?
Actually I'll take that back, looking at the outbound rules there's one defined (although it's unused since outbound NAT is disabled). The interface is DMZ, source and dest are "any", and the NAT address is the /26 network. I did also add a second rule to try to fix the outbound LAN issue I'm talking about here, but it's also unused because I chose to disable outbound NAT rule generation. I added it just in case that radio button meant only that rules would not be automatically generated, instead of not used at all. I think that I may also have added the other DMZ rule to attempt to fix the cPanel issue before just disabling outbound NAT, so if I enable it again then I may not need that rule.
-
Oh, so you have no NAT at all on those IPs, it's a public routed subnet. Thought it was just diff NAT.
In that case, it's probably easiest to let the automatic outbound rules handle most of it, and add an outbound NAT rule on interface WAN, source of your public IP subnet, and choose the option to not NAT. Then traffic matching that won't get NATed, and everything else will use the automatic outbound NAT.
-
Brilliant!
I removed the 2 NAT rules I added earlier, and added a new rule for the WAN interface, with the source as the /26 network, and selected No NAT. I switched it over to hybrid, and made sure the server was still online and that NAT was disabled for it (using a cURL command to send a request to a public IP return service). My backup LAN device still wasn't able to get out, but I looked down at the automatic rules and noticed that even though they included the LAN network in the source (all interface networks, actually), they were set for only the WAN interface. I created a new rule on the LAN interface with the LAN network as the source, and selected Interface Address for the translation address. Now the LAN device can get out on the main IP and the public routed subnet works fine also.
Thanks, this was helpful.
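As an added illustration (not code from the thread or from pfSense), the Python model below evaluates outbound NAT rules first-match the way pf does and compares the three states discussed above: rule generation disabled, automatic rules only, and the hybrid set from the last two posts (a No NAT rule for the routed /26 placed above the automatic rules). All interface names and addresses are constructed placeholders; the model assumes, as pfSense's hybrid mode does, that manual rules are evaluated before the automatic ones.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses (the thread never gives the real ones): pfSense WAN
# address, the routed /26 behind it on the DMZ, and the LAN.
WAN_IF = "em0"
WAN_ADDR = ip_address("198.51.100.10")
PUBLIC_26 = ip_network("203.0.113.0/26")
LAN_NET = ip_network("192.168.1.0/24")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# One outbound rule = (egress interface, source network, translation address).
# translation None is a "No NAT" rule, i.e. pf's "no nat on em0 from 203.0.113.0/26".
NO_NAT_PUBLIC = (WAN_IF, PUBLIC_26, None)
# What automatic rule generation produces: every internal network is
# masqueraded behind the WAN interface address when it leaves WAN.
AUTO_RULES = [(WAN_IF, LAN_NET, WAN_ADDR), (WAN_IF, PUBLIC_26, WAN_ADDR)]
HYBRID_RULES = [NO_NAT_PUBLIC] + AUTO_RULES  # hybrid: manual rules sit above automatic
DISABLED_RULES = []                           # rule generation off, nothing manual

# Constructed hosts: a cPanel account IP in the /26 and the backup device on LAN.
SAMPLE_HOSTS = {"cpanel": "203.0.113.5", "backup": "192.168.1.20"}


def translate(rules, egress_if, src):
    """First-match outbound NAT, as pf evaluates nat rules: the first rule whose
    interface and source match wins. Returns (source seen by the internet, action)."""
    src = ip_address(src)
    for iface, net, xlate in rules:
        if iface == egress_if and src in net:
            return (src, "no-nat") if xlate is None else (xlate, "nat")
    return src, "unmatched"  # leaves WAN with its original source address


def egress_sources(rules):
    """Source address each sample host presents to the internet under a ruleset."""
    return {name: str(translate(rules, WAN_IF, ip)[0]) for name, ip in SAMPLE_HOSTS.items()}


def private_leaks(rules):
    """Hosts that would leave WAN with an RFC 1918 source: the 'LAN has no internet'
    symptom, since replies to such a source are never routed back."""
    return [name for name, ip in SAMPLE_HOSTS.items()
            if any(translate(rules, WAN_IF, ip)[0] in n for n in RFC1918)]


if __name__ == "__main__":
    for label, rules in [("disabled", DISABLED_RULES), ("automatic", AUTO_RULES),
                         ("hybrid", HYBRID_RULES)]:
        print(label, egress_sources(rules), "leaks:", private_leaks(rules))
```

Reversing the order (automatic rules above the No NAT rule) masquerades the cPanel server too, which is why the No NAT rule must win first.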