Basic question regarding switched off NAT: Ping request to WAN fails



  • Hello,

    Sorry, this is a newbie question. Here is the setup:

    LAN (192.168.5.X) -> Pfsense LAN1 (192.168.5.1) Pfsense WAN1 (192.168.2.2) -> WAN (192.168.2.X)

    The Gateway of the WAN is 192.168.2.1, a router connected to the internet.

    So WAN is rather a DMZ.

    Connection is fine with NAT, but when I switch off NAT, pings from LAN to WAN seem to arrive at the destination, but when the destination tries to reply, pfsense sends "host not reachable".

    Which makes sense, because there is no route from WAN to LAN. But there is no possibility to route in this direction in pfsense, is there? So how can a network be set up without NAT?

    All help is appreciated!

    Some more information: There are no firewall logs when I turn off NAT and try to ping from LAN to WAN, and if I turn off NAT and the firewall altogether, the effect stays the same: No connection from LAN to WAN.

    Lulu



  • @lulu:

    Connection is fine with NAT, but when I switch off NAT, pings from LAN to WAN seem to arrive at the destination, but when the destination tries to reply, pfsense sends "host not reachable".

    Which makes sense, because there is no route from WAN to LAN. But there is no possibility to route in this direction in pfsense, is there? So how can a network be set up without NAT?

    You need a route on the router in front of pfSense for the networks behind it pointing to pfSense.

    Since you have switched off NAT, upstream packets from your LAN arrive with their LAN source address at your router. Now the router must know the route to the LAN to direct responses back to the pfSense WAN address.



  • Hello,

    Thank you. Unfortunately that router is merely a DSL modem and does not have such facilities. Anyway, I doubt that when it sends a packet with a 192.168.5.X address to the pfsense interface with 192.168.2.2, this interface would accept it.

    And I saw an ICMP "host not reachable" message being sent from 192.168.2.2 to the pinged host, so the ping response seemed to have arrived there already.

    Can't we teach that interface to accept such packets and route them on?

    Kind regards,

    lulu



  • @lulu:

    Anyway, I doubt that when it sends a packet with a 192.168.5.X address to the pfsense interface with 192.168.2.2, this interface would accept it.

    Surely it does, if that network is behind pfSense and the packets are responses, or you have a firewall rule allowing them if they're SYN packets.

    @lulu:

    Can't we teach that interface to accept such packets and route them on?

    There is no need to teach pfSense anything here. If the packets don't reach its interface, pfSense cannot do anything for that communication.

    So activate NAT again and ensure your outbound NAT is in automatic mode. pfSense will then NAT the source addresses of LAN devices to its WAN address when they are sent to the upstream gateway, responses will be directed back to the pfSense WAN address, and pfSense will forward the packets to the LAN device.



  • Thank you very much.
    So do I understand right:

    (I leave out the 192.168)

    .5.1 sends a ping request to .2.51. This one sends the response to .2.1 (instead of to .2.2, where it came from), because .2.1 is its gateway. .2.1 doesn't know the .5.X network and says "host unreachable".

    Well, it seems I have not known too much about networks so far.

    Can I give the "router modem" a network of 192.168.X.X instead of 192.168.2.X so that it sends the response back to pfsense?

    Kind regards,

    lulu



  • So you have a network with multiple devices between pfSense WAN and the router?
    My suggestion pertained to internet access, as you requested.

    Responses from other devices will have limited benefit from the static route which is set on the router. You will need a static route on each device in the WAN network for correct routing. Otherwise you will get asymmetric routing, because requests from the LAN behind pfSense are sent directly to the WAN net device while responses are sent to the router and directed back to pfSense.

    @lulu:

    Can I give the "router modem" a network of 192.168.X.X instead of 192.168.2.X so that it sends the response back to pfsense?

    ?
    So that you have the same subnet on both the WAN and LAN interfaces of pfSense?
    You may bridge the interfaces to achieve this. I don't know if that is what you want to accomplish.
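
The four situations discussed in the thread (no NAT and no route, automatic outbound NAT, a static route on the DSL router, a static route on each WAN host) come down to what each box does with the reply's destination address. The simulation below is an added example, not code from the thread or from pfSense: it builds a constructed copy of the topology (LAN client 192.168.5.20, pfSense at 192.168.5.1/192.168.2.2, a WAN host at 192.168.2.51, the DSL router at 192.168.2.1; these hosts, the longest-prefix routing tables and the simplified NAT state table are assumptions) and traces the echo request and reply hop by hop. The router's upstream side is not modelled, so a packet it has no route for is reported as unreachable, which is the "host unreachable" from the first post.

```python
"""Trace a LAN -> WAN ping through the thread's topology under different NAT/route setups."""
import ipaddress
from dataclasses import dataclass, field

# Constructed topology, matching the thread: LAN behind pfSense, WAN/DMZ in front of it.
LAN = ipaddress.ip_network("192.168.5.0/24")
WAN = ipaddress.ip_network("192.168.2.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Host:
    name: str
    addrs: set                  # addresses this host answers for
    routes: list                # (network, gateway); gateway None = directly connected
    nat: bool = False           # pfSense-style automatic outbound NAT on its WAN address
    state: dict = field(default_factory=dict)  # NAT table: (translated src, dst) -> real src

    def next_hop(self, dst):
        """Longest-prefix match. Returns the next-hop address, or None if there is no route."""
        best = None
        for net, gw in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            return None
        return dst if best[1] is None else best[1]


def owner(hosts, addr):
    return next((h for h in hosts if addr in h.addrs), None)


def forward(hosts, start, src, dst, max_hops=8):
    """Walk one packet hop by hop. Returns (status, path, src, dst) as last seen on the wire."""
    here, path = start, [start.name]
    for _ in range(max_hops):
        if dst in here.addrs:
            # A reply to a NATed flow: translate the destination back and keep forwarding.
            real = here.state.get((dst, src)) if here.nat else None
            if real is None:
                return "delivered", path, src, dst
            dst = real
        nh = here.next_hop(dst)
        if nh is None:
            return f"unreachable at {here.name}", path, src, dst   # ICMP host unreachable
        # Outbound NAT: a LAN source leaving towards the WAN side gets pfSense's WAN address.
        if here.nat and src in LAN and nh in WAN:
            wan_addr = next(a for a in here.addrs if a in WAN)
            here.state[(wan_addr, dst)] = src
            src = wan_addr
        here = owner(hosts, nh)
        if here is None:
            return f"no host at {nh}", path, src, dst
        path.append(here.name)
    return "loop", path, src, dst


def build(nat=False, router_route=False, wanhost_route=False):
    """The four hosts from the thread (assumed addresses); the DSL router's upstream side is not modelled."""
    ip = ipaddress.ip_address
    client = Host("client", {ip("192.168.5.20")}, [(LAN, None), (ANY, ip("192.168.5.1"))])
    pfsense = Host("pfsense", {ip("192.168.5.1"), ip("192.168.2.2")},
                   [(LAN, None), (WAN, None), (ANY, ip("192.168.2.1"))], nat=nat)
    wan_routes = [(WAN, None), (ANY, ip("192.168.2.1"))]
    if wanhost_route:                      # static route on the WAN host itself
        wan_routes.append((LAN, ip("192.168.2.2")))
    wanhost = Host("wanhost", {ip("192.168.2.51")}, wan_routes)
    router_routes = [(WAN, None)]
    if router_route:                       # static route on the DSL router
        router_routes.append((LAN, ip("192.168.2.2")))
    router = Host("router", {ip("192.168.2.1")}, router_routes)
    return [client, pfsense, wanhost, router]


def ping(hosts, src, dst):
    """Echo request src -> dst and the echo reply. Returns (status, request_path, reply_path)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    status, req_path, seen_src, seen_dst = forward(hosts, owner(hosts, src), src, dst)
    if status != "delivered":
        return status, req_path, []
    # The target replies to whatever source address it saw (pfSense's WAN address under NAT).
    status, rep_path, _, _ = forward(hosts, owner(hosts, seen_dst), seen_dst, seen_src)
    return status, req_path, rep_path


def symmetric(req_path, rep_path):
    """True when the reply retraces the request's hops; False is the asymmetric case."""
    return rep_path == list(reversed(req_path))


if __name__ == "__main__":
    cases = {
        "no NAT, no static route": build(),
        "automatic outbound NAT": build(nat=True),
        "no NAT, route on DSL router": build(router_route=True),
        "no NAT, route on WAN host": build(wanhost_route=True),
    }
    for label, hosts in cases.items():
        status, req, rep = ping(hosts, "192.168.5.20", "192.168.2.51")
        print(f"{label:28} {status:22} request {req} reply {rep}"
              + ("  (asymmetric)" if rep and not symmetric(req, rep) else ""))
```

Run as-is, the first case ends with the reply stranded at the router, the NAT case and the route-on-the-WAN-host case return along the request's path, and the route-on-the-router case is delivered but takes the asymmetric path wanhost, router, pfsense, client that the post above warns about.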



  • Thank you very much. My idea does not work anyway, because the router only supports class C networks. So I will switch automatic NAT on again and try to obtain what I need in another way.

    The source of the problem is a SIP server in the LAN which does not work (probably) due to NAT - it is typical, signaling works, but no audio. The setup works when the SIP server is in the WAN (between pfsense and the router).

    I hoped to get around this by switching off NAT, but you have convinced me that this is not the right way. I'll now try to set up a virtual IP in the WAN and a 1:1 NAT from the SIP server to this IP - maybe this helps.

    Kind regards,

    lulu


  • Rebel Alliance Global Moderator

    Why do you not just put pfsense at the edge? Get rid of the router you have in front of pfsense?



    Because there is no DSL on my pfsense box. I would have to buy and set up DSL modems - a thing I have never done. I really would like to keep the router which comes from my ISP, who also provides service and updates, so that at least that part of the setup is well-known to me.


  • Rebel Alliance Global Moderator

    Well then just double NAT everything, and what you're calling your WAN behind pfSense. Then your router in front of pfSense doesn't have to route. Just put pfSense in the DMZ of that router.

    Your ISP does not support putting their device in bridge mode? So pfSense becomes the edge and gets a public IP on its WAN?