Netgate Discussion Forum

Some help on a NAT / Firewall rule.

mr_jack
last edited by mr_jack

      Hi all,

      Long story.

I'm looking for a NAT solution and, if needed, a firewall rule for this situation:

desktop - nic 1 - 192.168.1.1 /24 - no gateway placed on interface (this is bound to a PLC and cannot be changed).
- nic 2 - 192.168.2.200 /24 - no gateway placed on interface (this is used for outbound traffic)
added static route 0.0.0.0 to 192.168.2.100

      pfsense - lan - 192.168.1.161
      - lan vip - 192.168.2.100
      added nat & firewall rules to allow traffic to / from 192.168.2.x segment.

      The desktop can reach the 192.168.1.x segment and the internet.

However, to make it somewhat complicated, the PLC application needs to send e-mail to our internal SMTP host (192.168.1.101).
We used to add a static route for 192.168.1.101 to the 192.168.2.100, which works; however it takes a few seconds to use this route (it searches for the .101 on nic 1 first).
By then the application didn't send the e-mail anymore.

What we did as a workaround, so that the desktop didn't have to 'think' about the route, was to use NAT to send to a different internal IP and then translate this to the real IP.
On the old Sophos we had a DNAT rule like this: traffic from 192.168.2.200 -- any -- to 192.168.3.101 -- action change destination 192.168.1.101.

      0_1528380454939_sophos_nat.PNG

This worked without the few seconds delay and the application was able to send the e-mail(s).

      Now I can't seem to reproduce that NAT rule on the pfSense.

Any advice or pointers would be appreciated.

      Thank you in advance,

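As an added example (not from the thread, and not Netgate's or pfSense's own configuration), here is the Sophos DNAT rule from the first post expressed in pf syntax, the packet filter underneath pfSense. In the GUI the same thing is a Firewall > NAT > Port Forward entry on LAN with source 192.168.2.200, destination 192.168.3.101 and redirect target 192.168.1.101; pfSense generates rules of this shape from that entry. The interface name em0, the use of the firewall's LAN address 192.168.1.161 for the source NAT, and TCP port 25 are assumptions.

```pf
# Added example, not from the original thread. Names below are assumptions.
lan_if      = "em0"             # assumed pfSense LAN interface
plc_desktop = "192.168.2.200"   # nic 2 of the desktop, default route -> 192.168.2.100
smtp_decoy  = "192.168.3.101"   # address the PLC application is configured to send to
smtp_real   = "192.168.1.101"   # the real internal SMTP host
fw_lan_ip   = "192.168.1.161"   # pfSense LAN address, used for the hairpin source NAT

# Destination NAT: rewrite the decoy address to the real SMTP host.
# This is the pfSense "Port Forward" entry in pf terms. Port 25 is assumed;
# use the port the application actually submits on (often 587).
rdr on $lan_if inet proto tcp from $plc_desktop to $smtp_decoy port 25 -> $smtp_real port 25

# Client, firewall and server all share one LAN segment, so the SMTP host's
# reply would go wherever its own routing table sends 192.168.2.0/24. If it has
# no route to that subnet via pfSense, also source-NAT the forwarded packet to
# the firewall's LAN address so the reply comes back through the state table.
nat on $lan_if inet proto tcp from $plc_desktop to $smtp_real port 25 -> $fw_lan_ip

# Filter rule: rdr is applied before filtering, so the pass rule must match the
# translated destination (192.168.1.101), not the decoy address.
pass in quick on $lan_if inet proto tcp from $plc_desktop to $smtp_real port 25 keep state
```

On the pfSense shell, `pfctl -sn` lists the NAT rules actually loaded and `pfctl -ss` lists the states; a state entry for the desktop's connection should show 192.168.3.101:25 with 192.168.1.101:25 in parentheses, which confirms the rewrite is happening at the firewall rather than the desktop falling back to its slow route lookup. Keeping the rule limited to one source host and one port also limits what the decoy address can be used for from that segment.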
johnpoz LAYER 8 Global Moderator
last edited by johnpoz

What is that interface from - sure doesn't look like any version of pfsense I recall. Oh that's your sophos box - not sure how we are supposed to understand what you're doing exactly when you don't call out what dvsubxxx equals

        You seem to have a mess

        pfsense - lan - 192.168.1.161

        • lan vip - 192.168.2.100

Why are you running multiple layer 3 on the same layer 2? If your device wanting to send email has an IP in the 192.168.1 it wouldn't need a route or gateway to talk to 192.168.1.x

Why don't you draw up how you have everything connected and we can work out what you're doing wrong or what sort of nat you might need to get it to work.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

mr_jack
last edited by

          Hello Johnpoz,

          Thank you for the reply.

          Yes it's a mess, but not by choice :).

          The reason is that the nic 1 is connected directly to the PLC and the ip address can't be changed.
          However the internal network is also 192.168.1.x and... can't be changed..

          Anyway, it's fixed, by applying the same NAT rules as on the old Sophos box, we just had to figure out on how to do this on pfSense.

          But again not ideal and or great. But you can't have it all @customers :).

          Thanks !

          Cheers,

          Jack

johnpoz LAYER 8 Global Moderator
last edited by

            @mr_jack said in some help on an NAT / Firewall rule.:

            However the internal network is also 192.168.1.x and… can’t be changed…

I don't buy that to be honest.. But whatever, if you have it working no point in beating a dead subject.

All devices that have an IP can be changed, it just comes down to how much effort you're willing to put into it is all.


mr_jack @johnpoz
last edited by

              @johnpoz

              That's true, I also think that it can be changed. But if the vendor says it can't and the customer doesn't want to jump through hoops... I'm done.

              Again thank you very much for the time. I appreciate that.

              Cheers,

              Jack.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.