Lan2 to lan1 nat



  • hello

    scenario
    lan1-192.168.10.0/24
    lan2-192.168.20.0/24
    zimbra mail is at lan1-192.168.10.250
    alias…znat=192.168.10.1 to 192.168.10.100

    question
    how do I configure pf so that, if the lan2 destination is the Zimbra IP, pf will NAT the lan2 IP to znat?

    thanks in adv


  • Banned

    Why? It's routed, no need for NAT!!!



  • Somehow I want to isolate the Zimbra issue, that you need to add the networks permitted to access the server… not sure if this was done properly by the admin...

    so to figure out the problem
    =I've already permitted lan2 to lan1 access but no luck
    =but put the Zimbra on the NATted WAN and it will work


  • Banned

    Sure like hell NAT between locally connected LANs is not the way to fix Zimbra misconfiguration.


  • LAYER 8 Global Moderator

    Why would you nat between 2 networks locally attached to pfsense?  That makes zero sense..

    How are you putting your zimbra on your natted wan?

    "alias…znat=192.168.10.1 to 192.168.10.100"

    What is that even supposed to mean or do?



  • Already mentioned I am isolating an issue on Zimbra…. routed doesn't seem to work so I wanted to try NATted...

    "alias...znat=192.168.10.1 to 192.168.10.100"
    What is that even supposed to mean or do?

    =since Zimbra is on lan1, anything from lan2 trying to access Zimbra will be NATted to this alias


  • LAYER 8 Global Moderator

    so you want to source nat traffic coming from lan 2 to a lan 1 IP..

    While that is a viable option to talk to stuff on lan 1 from lan 2 when lan 1 something doesn't have a gateway off of lan 1..  This doesn't seem to be the case here.  Other reason you might want to do that is if lan 1 something has a local firewall that only allows lan 1 IPs to talk to it.  Again seems like an odd way to go about getting it to work.



  • Other reason you might want to do that is if lan 1 something has a local firewall that only allows lan 1 IPs to talk to it.

    =this is the very main reason why I am NATting it… Zimbra has to be configured to allow other networks to access it, but I am not a Zimbra admin so I am not sure whether that was properly done or not.... for isolation purposes, I thought of trying NAT



  • Sorry, but there is no such thing as a local firewall aside from the pfSense interface where lan1 was attached.


  • LAYER 8 Global Moderator

    Well if zimbra only allows the local network to access it, source natting to look like you're on the local network would be circumvention of the whole thing.. Seems counter productive to trying to be secure if you ask me ;)

    But is zimbra just an exchange alternative - seems given that this would allow for other networks to talk to it..  So either you don't have the ports open required from lan 2 to talk to the ports.. Or there is a network configuration issue.

    Out of the box any network attached to pfsense that is not wan will know how to talk to each other.  All that is required is firewall rules - routing would be done automatically for attached lans.

    So if lan 2 is trying to solicit the conversation to lan 1 device.  Make lan 2 rules any any - does it work, do you get back syn,ack in your attempt at conversation?  If so then something not working is related to the something you're talking to and its configuration or authentication, etc.  if you get back the syn,ack then the networking is there and the firewall rules allow that traffic.

    If you do not get back a syn,ack - maybe the lan 1 zimbra never got the syn.  Or maybe he just ignored it..



  • But is zimbra just an exchange alternative - seems given that this would allow for other networks to talk to it..  So either you don't have the ports open required from lan 2 to talk to the ports.. Or there is a network configuration issue.
    =its for internal mail only

    Out of the box any network attached to pfsense that is not wan will know how to talk to each other.  All that is required is firewall rules - routing would be done automatically for attached lans.
    =I've permitted lan2 to Zimbra but no luck… again permitted lan2 to the whole lan1 on the rules under lan2 and still the same

    do you get back syn,ack in your attempt at conversation?  If so then something not working is related to the something you're talking to and its configuration or authentication, etc.  if you get back the syn,ack then the networking is there and the firewall rules allow that traffic.
    =honestly I don't know how to check this


  • Banned

    Why don't you move to some Zimbra forum? Has nothing to do with pfSense, at all.


  • LAYER 8 Global Moderator

    "=honestly I don't know how to check this"

    Sniff on lan where your Zimbra is in pfsense on diag, packet capture.  Then try to talk to your Zimbra from some box on lan 2.. Do you see the SYN go out, do you see the syn,ack come back or do you just see a bunch of syn and retrans?

    This is really basic network troubleshooting 101..

    if you do not see any syn leave pfsense to your Zimbra box.  Does pfsense even see the syn.. Packet capture on lan 2 interface this time - repeat the test.  Does pfsense see the syn??  If not then your device on lan 2 is not sending to pfsense as its gateway, etc..

    If you see the syn come into lan 2 but not go out lan 1 - then pfsense either is not allowing the connection or is sending it elsewhere - like out your wan for example because you have maybe a gateway set on your lan 2 rules?

    Post up your rules and we can look..  Can lan 2 talk to other devices on lan 1?  If so then it's a Zimbra thing.  Can lan 2 device ping the lan 1 IP of pfsense?
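The SYN / SYN-ACK reasoning in the post above, turned into a small triage script. This is an added example, not code from the thread or from pfSense: it parses the tcpdump-style text that the pfSense packet capture page produces (line format assumed), using constructed sample captures with a LAN2 client at 192.168.20.15 talking to Zimbra at 192.168.10.250 on an assumed port 443, and maps what it sees to the moderator's four outcomes.

```python
import re
from collections import Counter

# tcpdump-style lines as printed by pfSense Diagnostics > Packet Capture (format assumed).
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

def classify_handshake(capture_text, client_ip, server_ip, server_port):
    """Count the TCP handshake segments between client and server:port and return a verdict.
    no_syn_seen  - no SYN on this interface: check the LAN2 capture and any gateway on LAN2 rules
    syn_ack_seen - SYN left and SYN/ACK came back: routing and rules are fine, look at the app
    reset_seen   - host answered RST: reachable, but nothing listening on that port
    syn_no_reply - SYNs left, nothing came back: host never got them or silently dropped them
    """
    counts = Counter()
    port = str(server_port)
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        to_server = d["src"] == client_ip and d["dst"] == server_ip and d["dport"] == port
        from_server = d["src"] == server_ip and d["sport"] == port and d["dst"] == client_ip
        if to_server and d["flags"] == "S":
            counts["syn"] += 1
        elif from_server and d["flags"] == "S.":
            counts["syn_ack"] += 1
        elif from_server and d["flags"].startswith("R"):
            counts["rst"] += 1
    if counts["syn"] == 0:
        verdict = "no_syn_seen"
    elif counts["syn_ack"]:
        verdict = "syn_ack_seen"
    elif counts["rst"]:
        verdict = "reset_seen"
    else:
        verdict = "syn_no_reply"
    return verdict, dict(counts)

# Constructed sample captures (not from the thread), taken on the LAN1 interface.
GOOD_CAPTURE = """\
10:15:01.000001 IP 192.168.20.15.51234 > 192.168.10.250.443: Flags [S], seq 1, win 64240, length 0
10:15:01.000450 IP 192.168.10.250.443 > 192.168.20.15.51234: Flags [S.], seq 9, ack 2, win 65160, length 0
"""
BAD_CAPTURE = """\
10:16:01.000001 IP 192.168.20.15.51300 > 192.168.10.250.443: Flags [S], seq 1, win 64240, length 0
10:16:02.010002 IP 192.168.20.15.51300 > 192.168.10.250.443: Flags [S], seq 1, win 64240, length 0
"""
```

Run the same function over a capture taken on the LAN2 interface to separate "pfSense never saw the SYN" from "pfSense saw it but did not forward it", as the post describes.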

