V1.2.1 NAT (with VLAN) problems



  • Hello,

    I'm about to replace some old hardware with a new box with pfSense v1.2.1, but there are a few strange problems.

    What I've got is two NICs: WAN, LAN and 24 VLAN interfaces. VLAN 1-23 are each on their own private RFC1918 networks and VLAN24 is the interface for Internet traffic. I've got an official /28 public network, which is attached to VLAN24.

    My problem: most of the private VLANs are going to have NAT for the Internet communication and I have enabled one public address as dedicated for most of the private nets. I have registered (under Firewall > Virtual IPs) all the public addresses that are going to be used for NAT.

    The problem is, when setting up a rule, e.g. 10.0.0.0/16 <=> NAT <=> [public virtual IP] <=> [Internet traffic], the NAT doesn't seem to work with the virtual IP address unless I manually register it as an IP alias (with ifconfig) on VLAN24; then the NAT works instantly. The strange thing is that if I remove it with ifconfig it still works. It really seems as if it needs to be set as an alias on the interface once to get it to work. Does anyone know why this is? Is it some kind of bug?

    Please also notice that I have another public NAT IP for one specific private VLAN network; this public address is registered as VLAN24's IP and is always working. It just seems as if there are problems with the firewall virtual IPs when using them for NAT on a VLAN interface.

    Any help/idea is greatly appreciated.



  • What I know definitely works:
    Multiple VLANs all on the same interface NATed to VIPs.
    Maybe you could show the AoN rules you created.
    Are you using CARP VIPs?

    I usually try to avoid having the WAN on a VLAN interface.
    Since you say you have 2 interfaces, couldn't you set it up:
    1: WAN interface
    2: VLAN interface
    Also make sure that you don't have the VLAN interface assigned as a normal interface.



  • Sounds like you aren't adding virtual IPs.



  • @cmb:

    Sounds like you aren't adding virtual IPs.

    I've added all the IP addresses in the virtual IP address management page. They were added as Proxy ARP. They are clearly available when setting up the different NAT rules for outbound traffic in the NAT management page.

    As I said, for some reason they don't work unless I manually attach the official NAT-ed IP to the outbound Internet traffic device (VLAN23 in my case), e.g.:

    ifconfig vlan23 80.xx.xx.xx/32 alias

    and the NAT works instantly, and the strange thing is that it still works if I remove it from the interface:

    ifconfig vlan23 80.xx.xx.xx -alias

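    A quick check for the situation described in this post: compare the translation addresses used by the outbound NAT rules (`pfctl -s nat`) with the addresses actually bound on the VLAN interface (`ifconfig vlan23`). This is an added diagnostic, not something from the thread or from pfSense itself; the `pfctl`/`ifconfig` output below is constructed sample text with placeholder addresses, and on a live box you would feed it the real output. Proxy ARP VIPs are not expected to show up as interface addresses, so a reported address simply means NAT for it depends on ARP being answered some other way (proxy ARP or the upstream router's cache) rather than on an interface alias.

```shell
#!/bin/sh
# Added diagnostic: report NAT translation addresses that are not bound
# on the outbound interface. Sample inputs are constructed, not captured.

# Constructed sample of `pfctl -s nat` (placeholder public addresses).
SAMPLE_NAT='nat on vlan23 inet from 10.0.0.0/16 to any -> 80.0.0.17
nat on vlan23 inet from 10.1.0.0/16 to any -> 80.0.0.18
nat on vlan23 inet from 10.2.0.0/16 to any -> 80.0.0.19'

# Constructed sample of `ifconfig vlan23`: .18 is the interface IP,
# .17 was added with `ifconfig vlan23 ... alias`, .19 is not bound.
SAMPLE_IFCONFIG='vlan23: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	inet 80.0.0.18 netmask 0xfffffff0 broadcast 80.0.0.31
	inet 80.0.0.17 netmask 0xffffffff broadcast 80.0.0.17
	vlan: 23 parent interface: em0'

# nat_targets NATRULES -> one translation address per line
# (the token after "->" in every "nat on ..." rule).
nat_targets() {
    printf '%s\n' "$1" | awk '/^nat on/ {
        for (i = 1; i <= NF; i++) if ($i == "->") print $(i + 1)
    }'
}

# bound_addrs IFCONFIG_OUTPUT -> one IPv4 address per line
# (every "inet <addr>" line, primary IP and aliases alike).
bound_addrs() {
    printf '%s\n' "$1" | awk '$1 == "inet" { print $2 }'
}

# missing_vips NATRULES IFCONFIG_OUTPUT -> translation addresses that are
# not bound on the interface (candidates for the "needs an alias" symptom).
missing_vips() {
    nat_targets "$1" | while read -r addr; do
        bound_addrs "$2" | grep -qx "$addr" || printf '%s\n' "$addr"
    done
}

# Stand-alone run: prints 80.0.0.19 for the constructed sample.
missing_vips "$SAMPLE_NAT" "$SAMPLE_IFCONFIG"
```

On a real box, replace the two samples with `"$(pfctl -s nat)"` and `"$(ifconfig vlan23)"` and re-run after adding or removing an alias to see the list change.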


  • This might be an arp cache issue with the next router upstream from your pfSense box. Try rebooting it (if possible) after adding the VIPs.



  • I'm not sure that's the case; if I reboot the pfSense box (after getting the NAT working), I need to perform my procedure as mentioned in my last post.

