Help With Outbound NAT (I think)



  • I'm setting up pfsense for the very first time. Zero experience. I think my problem pertains to outbound NAT but I'm not certain.

    The LAN subnet is 10.7.2.0/24 and works fine but there is a group of devices on the network on 10.7.3.0/24 and these devices cannot access the Internet.

What needs to be configured to allow access?



  • Only the LAN interface gets a default Allow All to Any rule.  All other internal interfaces must have a rule added.



  • @KOM:

    Only the LAN interface gets a default Allow All to Any rule.  All other internal interfaces must have a rule added.

    So do I have to create an interface for the 10.7.3.0/24 network or just a NAT rule? It's not clear to me where to set this up.

    I tried creating a new outbound NAT rule for the WAN with source 10.7.3.0/24 but it didn't work.



  • You would typically have a separate interface for the other LAN (OPT1, OPT2 etc) or at least some VLANs if you just have the one internal interface.  The devices at 10.7.3.x, do they have pfSense as their gateway?


  • LAYER 8 Global Moderator

So this 10.7.3.0/24 is another vlan?  You have a downstream router?  Or you're saying you run multiple layer 3 networks over the same layer 2?



  • @KOM:

    You would typically have a separate interface for the other LAN (OPT1, OPT2 etc) or at least some VLANs if you just have the one internal interface.  The devices at 10.7.3.x, do they have pfSense as their gateway?

    Yes, they have pfsense as the gateway.



  • @johnpoz:

So this 10.7.3.0/24 is another vlan?  You have a downstream router?  Or you're saying you run multiple layer 3 networks over the same layer 2?

    There are a couple of VLANs (10.7.10.0 and 10.7.11.0) which are working great.
    The 10.7.3.0 is not a VLAN. It is, as you said, layer 3 over the same layer 2.

    At one point I believe it was configured as a /16 network (10.7.0.0/16) but was later split. It worked fine with the Sophos UTM that this pfsense is replacing.


  • LAYER 8 Global Moderator

    "The 10.7.3.0 is not a VLAN. It is, as you said, layer 3 over the same layer 2."

That is a BROKEN setup - fix it, make it a vlan or change your mask to be /23 to cover the 2 /24s you're running.  Running 2 different layer 3 on the same layer 2 is BORKED and needs to be corrected.

    10.7.2.0/23 covers your range 10.7.2.1 to 10.7.3.254
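To make the subnetting point above concrete, here is a small added example (not part of the thread, and not pfSense's own code) using Python's standard `ipaddress` module. It checks that 10.7.2.0/23 fully contains both 10.7.2.0/24 and 10.7.3.0/24, lists the usable host range of the /23, and shows why two /24s on one layer 2 segment behave badly: a host configured with a /24 mask treats the other /24 as off-link and hands the packet to its gateway, while with a /23 mask it delivers directly. The gateway address 10.7.2.1 and the sample host addresses are constructed for the illustration.

```python
import ipaddress
from typing import Iterable, Tuple


def covers(supernet: str, subnets: Iterable[str]) -> bool:
    """True when every subnet in `subnets` lies entirely inside `supernet`."""
    sup = ipaddress.ip_network(supernet, strict=True)
    return all(ipaddress.ip_network(s, strict=True).subnet_of(sup) for s in subnets)


def usable_range(network: str) -> Tuple[str, str]:
    """First and last usable host address (network and broadcast excluded)."""
    hosts = list(ipaddress.ip_network(network, strict=True).hosts())
    return str(hosts[0]), str(hosts[-1])


def next_hop(host_with_mask: str, destination: str, gateway: str) -> str:
    """Where a host sends a packet for `destination`.

    Returns "direct" when the destination falls inside the host's own
    configured subnet (ARP for it on the local link), otherwise the
    gateway address the host would forward to.
    """
    iface = ipaddress.ip_interface(host_with_mask)
    if ipaddress.ip_address(destination) in iface.network:
        return "direct"
    return gateway


if __name__ == "__main__":
    # Constructed sample: a host in each /24, plus the firewall's LAN address.
    gw = "10.7.2.1"
    print(covers("10.7.2.0/23", ["10.7.2.0/24", "10.7.3.0/24"]))  # True
    print(usable_range("10.7.2.0/23"))                            # 10.7.2.1 .. 10.7.3.254
    # /24 mask: host in 10.7.2.0/24 sends 10.7.3.x traffic to the gateway,
    # which has no interface in 10.7.3.0/24 on this setup.
    print(next_hop("10.7.2.10/24", "10.7.3.20", gw))               # gateway
    # /23 mask: the same destination is on-link, so it is delivered directly.
    print(next_hop("10.7.2.10/23", "10.7.3.20", gw))               # direct
```

Run it with `python3 subnet_check.py`; the `/23` case is the mask change the moderator recommends, and `covers` is the check to run before committing to any such consolidation.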



  • @johnpoz:

    "The 10.7.3.0 is not a VLAN. It is, as you said, layer 3 over the same layer 2."

That is a BROKEN setup - fix it, make it a vlan or change your mask to be /23 to cover the 2 /24s you're running.  Running 2 different layer 3 on the same layer 2 is BORKED and needs to be corrected.

    10.7.2.0/23 covers your range 10.7.2.1 to 10.7.3.254

    Thank you. Clearly I need to study up on subnetting.
    I will work on this today and see where it goes.

