PFSense without NAT: no internet connectivity from LAN



  • Hello all,

    I'm working on my homelab which consists out a few development machines, test servers and server that are being made available to other over the internet. The most of them will be running on my main VMWare vSphere machine, and that is where my pfSense machines is going to reside as well. I have some basic network knowledge, but that is not enough to setup pfSense so far.

    The idea's is to seperate machine groups in different networks to reduce security risks by creating network based firewall rules:
    192.168.10.0/24: LAN, for normal machines
    192.168.20.0/24: DEV, for dev/test machines
    192.168.30.0/24: SRV, for servers made available to the internet

    The sad thing however, is that my public IP ip is being handled by my ISP modem/router, which also handles NAT. I know it is possible to get grid of that device and let pfSense handle all that, but since I can't guaranty my pfSense/homelab setup I would like to keep that device up and running for now. The ISP router is creating NAT-ed network 192.168.1.0/24 (and 192.168.2.0/24 for IPTV).

    To make it visual, this is how the current setup looks like:

    (Clickable)

    What I did to set up up:
    1. Install pfSense and update it to the lastest version: 2.3.3-RELEASE-p1 (amd64)
    2. Assigned and configures interfaces
    3. Disabled NAT (since double NAT seems a very bad idea to me)
    4. Added allow any rules in the firewall
    5. Installed the RIP package and enabled it with RIP v1

    What is working:
    TEMP PC1 has working internet access
    TEMP PC1 (192.168.1.73) can ping WIN-LAN01 (192.168.10.100)
    WIN-LAN01 (192.168.10.100) can ping TEMP PC1 (192.168.1.73)
    WIN-LAN01 (192.168.10.100) can acces webserver on TEMP PC1 (192.168.1.73)
    TEMP PC1 (192.168.1.73) can access fileshare on WIN-LAN01 (192.168.10.100)
    WIN-LAN01 (192.168.10.100) can resolve DNS using pfSense DNS forwarder (running on 192.168.10.1)
    pfSense can ping 192.168.1.1, 8.8.8.8 fine as long as the pings are coming from that device and not a LAN segment (LAN/DEV/SRV).

    What is not working:
    WIN-LAN01 (192.168.10.100) can not access the internet
    WIN-LAN01 (192.168.10.100) can not ping 8.8.8.8
    WIN-LAN01 (192.168.10.100) can not ping 192.168.1.1
    WIN-LAN01 (192.168.10.100) can not complete traceroute to google

    What did I try:
    I'm expecting it is some routing issue, since 'WAN' to 'LAN' routing seems to be working fine, but going one hop further (the internet) does not. NAT is disabled on the pfSense so I'm not expecting that to be an issue as well. I also tried:
    1. Enableing RIP to propagate routing tables between routers (still enabled).
    2. Enabled "Bypass firewall rules for traffic on the same interface" (disabled now)
    3. Enabled "Disable all packet filtering." to make sure it was not the firewall (still enabled: firewall is disabled)

    Diagnostics info:
    ISP Router
    LAN settings
    [Routing table]http://i.imgur.com/8EiNmhV.png]Routing table](http://i.imgur.com/8EiNmhV.png)
    Traceroute: ISP LAN to pfSense LAN

    pfSense Router
    Interfaces
    Interface: WAN
    Interface: LAN
    Firewall NAT
    Installed packages
    RIP configuration
    Routing table
    Traceroute: WAN to Google (ok)
    Traceroute: LAN to Google (error)

    Looks like data is being routed from the ISP LAN to the PFSense LAN just fine. Traceroute from PFSense LAN also confirms that the packets are being sent to my ISP Router. Looks like data is being forwarded to my ISP Router (gateway) and dropped there on the way out, or on the way to the PFSense Router.
    What am I forgetting or doing wrong in my pfSense router (or my ISP router)?


  • LAYER 8 Global Moderator

    And did you setup your ISP router to nat these networks?  Since your not natting them on pfsense?  You also have a asymmetrical setup here for devices to to and with devices in your lab..

    192.168.10.0/24: LAN, for normal machines
    192.168.20.0/24: DEV, for dev/test machines
    192.168.30.0/24: SRV, for servers made available to the internet

    Your best solution here is to just put your isp modem/router into bridge mode and use pfsense as your edge router/firewall.  Or just double nat..  I have yet to see a soho gateway from an ISP that allows you to nat other networks other than the one that is its lan, etc.


Log in to reply