Netgate Discussion Forum
    Basic question regarding switched off NAT: Ping request to WAN fails

      lulu

      Hello,

      Sorry, this is a newbie question. Here is the setup:

      LAN (192.168.5.X) -> pfSense LAN1 (192.168.5.1) / pfSense WAN1 (192.168.2.2) -> WAN (192.168.2.X)

      The Gateway of the WAN is 192.168.2.1, a router connected to the internet.

      So WAN is rather a DMZ.

      Connection is fine with NAT, but when I switch off NAT, pings from LAN to WAN seem to arrive at the destination, but when the destination tries to reply, pfsense sends "host not reachable".

      Which makes sense, because there is no route from WAN to LAN. But there is no possibility to route in this direction in pfSense, is there? So how can a network be set up without NAT?

      All help is appreciated!

      Some more information: There are no firewall logs when I turn off NAT and try to ping from LAN to WAN, and if I turn off NAT and the firewall altogether, the effect stays the same: no connection from LAN to WAN.

      Lulu

        viragomann

        @lulu:

        Connection is fine with NAT, but when I switch off NAT, pings from LAN to WAN seem to arrive at the destination, but when the destination tries to reply, pfsense sends "host not reachable".

        Which makes sense, because there is no route from WAN to LAN. But there is no possibility to route in this direction in pfSense, is there? So how can a network be set up without NAT?

        You need a route on the router in front of pfSense for the networks behind it pointing to pfSense.

        Since you have switched off NAT, upstream packets from your LAN arrive with their LAN source address at your router. Now the router must know the route to the LAN to direct responses back to pfSense WAN address.

          lulu

          Hello,

          Thank you. Unfortunately that router is merely a DSL modem and does not have such facilities. Anyway, I doubt that when it sends a packet with a 192.168.5.X address to the pfSense interface with 192.168.2.2, that interface would accept it.

          And I saw an ICMP "host not reachable" message being sent from 192.168.2.2 to the pinged host, so the ping response seemed to have arrived there already.

          Can't we teach that interface to accept such packets and route them on?

          Kind regards,

          lulu

            viragomann

            @lulu:

            Anyway, I doubt that when it sends a packet with a 192.168.5.X address to the pfSense interface with 192.168.2.2, that interface would accept it.

            Surely it does, if that network is behind pfSense and the packets are responses, or you have a firewall rule allowing them if they're SYN packets.

            @lulu:

            Can't we teach that interface to accept such packets and route them on?

            There is no need to teach pfSense anything here. If the packets don't reach its interface, pfSense cannot do anything for that communication.

            So activate NAT again and ensure your outbound NAT is in automatic mode. Then pfSense will NAT source addresses from LAN devices to its WAN address when they are sent to the upstream gateway, responses will be directed back to the pfSense WAN address, and pfSense will forward the packets to the LAN device.

              lulu

              Thank you very much.
              So do I understand right:

              (I leave out the 192.168)

              .5.1 sends a ping request to .2.51. This one sends the response to .2.1 (instead of to .2.2, where it came from), because .2.1 is its gateway. .2.1 doesn't know the .5.X network and says "host unreachable".

              Well, it seems I have not known too much about networks so far.

              Can I give the "router modem" a network of 192.168.X.X instead of 192.168.2.X so that it sends the response back to pfSense?

              Kind regards,

              lulu

                viragomann

                So you have a network with multiple devices between pfSense WAN and the router?
                My suggestion pertained to internet access, as you requested.

                Responses from other devices will have limited benefit from the static route which is set on the router. You will need a static route on each device in the WAN network for correct routing. Otherwise you will get asymmetric routing, because requests from the LAN behind pfSense are sent directly to the WAN net device while responses are sent to the router and directed back to pfSense.

                @lulu:

                Can I give the "router modem" a network of 192.168.X.X instead of 192.168.2.X so that it sends the response back to pfSense?

                ?
                So that you have a unique subnet on both the WAN and LAN interfaces of pfSense?
                You may bridge the interfaces to achieve this. Don't know if that is what you want to accomplish.

                  lulu
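                A small routing-table model of the return path viragomann describes above, added here as an illustration and not code from the thread or from pfSense. It uses the addresses from the posts and assumes a LAN client 192.168.5.10 and a placeholder ISP-side hop 203.0.113.1 for the DSL router's default route; it shows the reply dying at the router with NAT off, coming back asymmetrically via the router when only the router has a static route, and coming back directly once the WAN host itself has the route.

```python
import ipaddress
from copy import deepcopy

# Constructed model of the thread's topology (addresses from the posts; the LAN
# client 192.168.5.10 and the ISP-side hop 203.0.113.1 are assumed placeholders).
# Per node: (interface addresses, routes as (prefix, next_hop)); None = connected.
BASE = {
    "lan_host": (["192.168.5.10"], [("192.168.5.0/24", None), ("0.0.0.0/0", "192.168.5.1")]),
    "pfsense": (["192.168.5.1", "192.168.2.2"], [("192.168.5.0/24", None),
                ("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]),
    "router": (["192.168.2.1"], [("192.168.2.0/24", None), ("0.0.0.0/0", "203.0.113.1")]),
    "wan_host": (["192.168.2.51"], [("192.168.2.0/24", None), ("0.0.0.0/0", "192.168.2.1")]),
}

def topology(static_routes=()):
    """Copy of BASE with extra (node, prefix, next_hop) static routes prepended."""
    nodes = deepcopy(BASE)
    for node, prefix, nh in static_routes:
        nodes[node][1].insert(0, (prefix, nh))
    return nodes

def owner(nodes, addr):
    """Node owning addr, or None when it lies outside the model (e.g. the ISP)."""
    return next((n for n, (addrs, _) in nodes.items() if addr in addrs), None)

def next_hop(nodes, node, dst):
    """Longest-prefix match on the node's table; None when no route matches."""
    matches = [(ipaddress.ip_network(p), nh) for p, nh in nodes[node][1]
               if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    if not matches:
        return None
    nh = max(matches, key=lambda m: m[0].prefixlen)[1]
    return dst if nh is None else nh        # connected network: deliver directly

def trace(nodes, src, dst):
    """Hop-by-hop path of one packet; ends at the owner of dst or 'UNREACHABLE'."""
    node = owner(nodes, src)
    path = [node]
    for _ in range(8):                      # hop limit guards against routing loops
        if dst in nodes[node][0]:
            return path
        node = owner(nodes, next_hop(nodes, node, dst) or "")
        if node is None:                    # no route, or next hop is off-model
            return path + ["UNREACHABLE"]
        path.append(node)
    return path + ["LOOP"]

def ping(nodes, src, dst, nat):
    """(request path, reply path); with outbound NAT the reply targets pfSense WAN."""
    request = trace(nodes, src, dst)
    if nat:
        return request, trace(nodes, dst, "192.168.2.2") + trace(nodes, "192.168.2.2", src)[1:]
    return request, trace(nodes, dst, src)
```

Calling `ping(topology(), "192.168.5.10", "192.168.2.51", nat=False)` gives the request path through pfSense but a reply path that ends at the router as UNREACHABLE, which is the behaviour lulu observed; adding `("router", "192.168.5.0/24", "192.168.2.2")` to `topology()` makes the reply come back via the router, and adding the same route on `"wan_host"` makes it return directly.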

                  Thank you very much. My idea does not work anyway, because the router only supports class C networks. So I will switch automatic NAT on again and try to obtain what I need in another way.

                  The source of the problem is a SIP server in the LAN which does not work (probably) due to NAT. It is typical: signaling works, but no audio. The setup works when the SIP server is in the WAN (between pfSense and the router).

                  I hoped to get around this by switching off NAT, but you have convinced me that this is not the right way. I'll now try to set up a virtual IP in the WAN and a 1:1 NAT from the SIP server to this IP. Maybe this helps.

                  Kind regards,

                  lulu

                    johnpoz (LAYER 8 Global Moderator)

                    Why do you not just put pfSense at the edge? Get rid of the router you have in front of pfSense?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      lulu

                      Because there is no DSL on my pfSense box. I would have to buy and set up DSL modems, a thing I have never done. I really would like to keep the router which comes from my ISP, who also provides service and updates, so that at least that part of the setup is well-known to me.

                        johnpoz (LAYER 8 Global Moderator)

                        Well then just double NAT everything, and what you're calling your WAN behind pfSense. Then your router in front of pfSense doesn't have to route. Just put pfSense in the DMZ of that router.

                        Your ISP does not support putting their device in bridge mode? So pfSense becomes the edge and gets a public IP on its WAN?

