Netgate Discussion Forum

    PFSense without NAT: no internet connectivity from LAN

    Routing and Multi WAN
    2 Posts 2 Posters 2.2k Views
    • TimH

      Hello all,

      I'm working on my homelab, which consists of a few development machines, test servers and servers that are being made available to others over the internet. Most of them will be running on my main VMware vSphere machine, and that is where my pfSense machine is going to reside as well. I have some basic network knowledge, but that has not been enough to set up pfSense so far.

      The idea is to separate machine groups into different networks to reduce security risks by creating network-based firewall rules:
      192.168.10.0/24: LAN, for normal machines
      192.168.20.0/24: DEV, for dev/test machines
      192.168.30.0/24: SRV, for servers made available to the internet

      The sad thing, however, is that my public IP address is being handled by my ISP modem/router, which also handles NAT. I know it is possible to get rid of that device and let pfSense handle all that, but since I can't guarantee my pfSense/homelab setup I would like to keep that device up and running for now. The ISP router is creating the NAT-ed network 192.168.1.0/24 (and 192.168.2.0/24 for IPTV).

      To make it visual, this is what the current setup looks like:

      [Network diagram image (clickable in the original post)]

      What I did to set it up:
      1. Installed pfSense and updated it to the latest version: 2.3.3-RELEASE-p1 (amd64)
      2. Assigned and configured interfaces
      3. Disabled NAT (since double NAT seems a very bad idea to me)
      4. Added allow-any rules in the firewall
      5. Installed the RIP package and enabled it with RIP v1

      What is working:
      TEMP PC1 has working internet access
      TEMP PC1 (192.168.1.73) can ping WIN-LAN01 (192.168.10.100)
      WIN-LAN01 (192.168.10.100) can ping TEMP PC1 (192.168.1.73)
      WIN-LAN01 (192.168.10.100) can access the webserver on TEMP PC1 (192.168.1.73)
      TEMP PC1 (192.168.1.73) can access the fileshare on WIN-LAN01 (192.168.10.100)
      WIN-LAN01 (192.168.10.100) can resolve DNS using pfSense DNS forwarder (running on 192.168.10.1)
      pfSense can ping 192.168.1.1 and 8.8.8.8 fine, as long as the pings are coming from that device itself and not from a LAN segment (LAN/DEV/SRV).

      What is not working:
      WIN-LAN01 (192.168.10.100) cannot access the internet
      WIN-LAN01 (192.168.10.100) cannot ping 8.8.8.8
      WIN-LAN01 (192.168.10.100) cannot ping 192.168.1.1
      WIN-LAN01 (192.168.10.100) cannot complete a traceroute to Google

      What I tried:
      I'm expecting it is some routing issue, since 'WAN' to 'LAN' routing seems to be working fine, but going one hop further (the internet) does not. NAT is disabled on the pfSense, so I'm not expecting that to be an issue either. I also tried:
      1. Enabling RIP to propagate routing tables between routers (still enabled).
      2. Enabling "Bypass firewall rules for traffic on the same interface" (disabled now)
      3. Enabling "Disable all packet filtering." to make sure it was not the firewall (still enabled: firewall is disabled)

      Diagnostics info:
      ISP Router
      LAN settings
      [Routing table](http://i.imgur.com/8EiNmhV.png)
      Traceroute: ISP LAN to pfSense LAN

      pfSense Router
      Interfaces
      Interface: WAN
      Interface: LAN
      Firewall NAT
      Installed packages
      RIP configuration
      Routing table
      Traceroute: WAN to Google (ok)
      Traceroute: LAN to Google (error)

      Looks like data is being routed from the ISP LAN to the pfSense LAN just fine. The traceroute from the pfSense LAN also confirms that the packets are being sent to my ISP router. Looks like data is being forwarded to my ISP router (gateway) and dropped there on the way out, or on the way to the pfSense router.
      What am I forgetting or doing wrong in my pfSense router (or my ISP router)?

      • johnpoz (LAYER 8 Global Moderator)

        And did you set up your ISP router to NAT these networks? Since you're not NATting them on pfSense? You also have an asymmetrical setup here for devices to talk to and with devices in your lab..

        192.168.10.0/24: LAN, for normal machines
        192.168.20.0/24: DEV, for dev/test machines
        192.168.30.0/24: SRV, for servers made available to the internet

        Your best solution here is to just put your ISP modem/router into bridge mode and use pfSense as your edge router/firewall. Or just double NAT.. I have yet to see a SOHO gateway from an ISP that allows you to NAT networks other than the one that is its LAN, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
