1:1 NAT = No Internet
  • Previous pfSense Firewall (version: 2.3.2-RELEASE-p1) was getting 10MbpsD/4MbpsU instead of 40/20. The Firewall was originally configured with CARP to another pfSense node, which has since been turned off but not replaced. So CARP is still enabled. Anyhow, it was determined that the pfSense was indeed bottlenecking the connection. Could be MTU (at default), bad port, or ?? In any case, I wanted to set up a new appliance and replace the current one (also remove CARP for now).

    Set up new pfSense and upgrade to 2.3.4
    Set up WAN with Static Block #1 (70.x.x.x /28) and configure Cox Gateway (70.x.x.1)
    We have a 2nd Static Block coming through the same WAN (182.x.x.x /28). Not sure where to configure it except as a Virtual IP, which I have yet to do
    Set up LAN, Aliases, Firewall Rules, and 1:1 NAT (including some Outbound NATs)

    At first, I couldn't reach the Internet. This was due to an Outbound NAT taking 10.0.1.0/24 traffic and translating it as the WAN IP. Not sure why this was made, but I deleted it after realizing. LAN hits the Internet now.
    However, 1:1 NAT'd objects do not hit the Internet. If I disable the 1:1 NAT, no issues hitting the Internet.
    This includes External IPs from the same WAN subnet (70.x.x.x/28).

    I am trying to wrap my head around why the 1:1 NAT would cause loss of Internet. No other Outbound NATs are configured that might block it.


  • LAYER 8 Netgate

    1:1 takes precedence over outbound NAT.

    You are probably going to have to post what you have done instead of a description of what you think you have done.

    > We have a 2nd Static Block coming through the same WAN (182.x.x.x /28). Not sure where to configure it except as a Virtual IP, which I have yet to do

    Is that routed to an address on 70.x.x.x /28, or is it somehow on the same interface?

    If it is routed you can do anything you want with it. Use it as VIPs. Put it (or a portion of it) on an inside interface, disable NAT, and assign addresses from it directly to inside servers. Route it (or a portion of it) somewhere downstream.

    If it is not routed and you are not yet using it, I would ask them to change it. There are no downsides and lots of upsides to having a routed subnet.
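The precedence rule stated in the reply (a 1:1 entry wins over outbound NAT for the host it covers) and the reachability question behind the VIP remark can be modelled in a few lines. The following is an added illustration, not code from pfSense or from either poster; it assumes first-match outbound NAT rules, assumes that a 1:1 external address sitting inside the on-link WAN subnet needs a Virtual IP for the firewall to answer ARP for it unless it lies in a block the ISP routes to the firewall, and uses RFC 5737 documentation addresses as stand-ins for the poster's 70.x.x.x/28 and 182.x.x.x/28 blocks. The sample mappings, rules and VIP list are constructed for the example.

```python
"""Simplified model of pfSense source-translation selection and a check for
1:1 external addresses the upstream gateway cannot deliver to.

Added example; assumptions (not taken from pfSense source):
  * a 1:1 NAT entry for a host always wins over any outbound NAT rule;
  * outbound NAT rules are evaluated first-match in list order;
  * an external 1:1 address on the WAN subnet must be backed by a Virtual IP,
    unless it belongs to a block the ISP routes to the firewall's WAN address.
"""
from ipaddress import ip_address, ip_network

WAN_NET = ip_network("198.51.100.0/28")         # stands in for 70.x.x.x/28
WAN_IP = ip_address("198.51.100.2")             # firewall's own WAN address
ROUTED_BLOCKS = [ip_network("203.0.113.0/28")]  # stands in for 182.x.x.x/28, if routed

# 1:1 NAT: internal host -> external address (constructed sample)
ONE_TO_ONE = {
    ip_address("10.0.1.10"): ip_address("198.51.100.5"),  # on WAN subnet, no VIP below
    ip_address("10.0.1.11"): ip_address("203.0.113.5"),   # in the routed block
}

# Outbound NAT rules, first match wins: (source network, translated address).
# This is the catch-all rule the poster found and deleted.
OUTBOUND = [
    (ip_network("10.0.1.0/24"), WAN_IP),
]

# Virtual IPs configured on WAN (constructed; 198.51.100.5 deliberately absent)
VIPS = {ip_address("198.51.100.6")}


def translate_source(src, one_to_one=ONE_TO_ONE, outbound=OUTBOUND):
    """Return (translated source as str, which mechanism chose it).

    A 1:1 mapping is consulted before the outbound rule list, so a host with a
    1:1 entry never gets the catch-all WAN IP even when a matching outbound
    rule exists.
    """
    src = ip_address(src)
    if src in one_to_one:
        return str(one_to_one[src]), "1:1"
    for net, target in outbound:
        if src in net:
            return str(target), "outbound"
    return str(src), "none"


def unreachable_externals(one_to_one=ONE_TO_ONE, vips=VIPS,
                          wan_net=WAN_NET, routed=ROUTED_BLOCKS):
    """External 1:1 addresses that inbound replies can never reach.

    Routed blocks arrive at the firewall regardless of ARP, so they are fine.
    An address inside the on-link WAN subnet is only reachable if the firewall
    answers ARP for it, i.e. a VIP exists. Anything else is neither routed nor
    on-link and is flagged too.
    """
    bad = []
    for ext in one_to_one.values():
        if any(ext in blk for blk in routed):
            continue
        if ext in wan_net and (ext in vips or ext == WAN_IP):
            continue
        bad.append(str(ext))
    return bad


if __name__ == "__main__":
    for host in ("10.0.1.10", "10.0.1.11", "10.0.1.50"):
        print(host, "->", translate_source(host))
    print("1:1 externals with no VIP and not routed:", unreachable_externals())
```

Run stand-alone it shows the two 1:1 hosts keeping their mapped addresses while the rest of 10.0.1.0/24 falls through to the WAN IP, and flags 198.51.100.5 as a mapped address the gateway has no way to reach until a VIP exists for it. Swapping the routed block for an on-link one (or adding the missing VIP) changes only the second result, which is the distinction the reply's "is it routed?" question is getting at.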
