Problems with outbound NAT



  • Hi,

I'm installing a firewall with pfSense 2.4.3-RELEASE-p1; the network topology is as follows:

    • LAN Interface: IP: 172.16.108.6 Netmask: /24
    • WAN Interface: IP: Netmask: 210.132.25.0/29 (I think that it's a transit IP range)
      Other WAN Public IPs: 85.129.117.0/25

The target is that all the IPs under the LAN IP range 172.16.108.0/24 go to the internet with an IP from the range 85.129.117.0/25 (for example 85.129.117.125).

    If I don't define any outbound NAT rule, the internet works fine for all the IPs under the LAN range.

    If I define an outbound NAT for this network, assigning an IP from the range 85.129.117.0/25, the internet stops working for all the IPs under the LAN network.

    For this, I create an outbound NAT rule for the LAN subnet with a Virtual IP (85.129.117.125), with all ports, all services and all destinations, but as soon as I enable it, the internet stops working.

    I don't have too much experience with NAT, but on an old firewall it is working fine. What could be the problem?

    Thanks in advance


  • Rebel Alliance Global Moderator

So this /25 is routed to you.. And you want to use them as VIPs on your WAN so you can NAT to them. You created the VIP - can you then ping the VIP from the outside? Maybe your ISP is not routing the /25 to you?



No, I can't ping this IP from outside. Could this be the problem? That my ISP isn't routing this IP to my firewall?

    I'm only testing for moving my old Stonegate to pfSense, so it's possible that they're routing to the Stonegate and because of this it isn't working in pfSense?

    Thanks!


  • Rebel Alliance Global Moderator

If you create a VIP and then set the firewall to allow ping to that VIP.. Then yeah, you should be able to ping the VIP.. It should be routed to you at least. A simple sniff should show you the pings on your WAN even without a VIP, if the network is routed to your transit IP.

    Or maybe your ISP just connected this network to you, and it's not really routed? If that was the case then you might not see a ping unless your ISP ARPs for the IP and gets an answer - i.e. you had created the VIP.



I'm sorry, in my first post I didn't forget the Transit IP range correctly; it's:
    WAN IP: 210.132.25.82. Gateway is 210.132.25.86. Network: 210.132.25.0/29

I've made a packet capture on WAN while I was pinging the IP:
    13:15:37.841652 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6764, length 8
    13:15:37.842273 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6764, length 8
    13:15:38.097161 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:38.359044 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6765, length 8
    13:15:38.359606 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6765, length 8
    13:15:38.653398 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1e:4a:a6:97:40.80ad, length 43
    13:15:38.899883 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6766, length 8
    13:15:38.900491 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6766, length 8
    13:15:39.078455 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:39.429650 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6767, length 8
    13:15:39.430612 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6767, length 8
    13:15:39.959031 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6768, length 8
    13:15:39.959527 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6768, length 8
    13:15:40.071803 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:40.487849 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6769, length 8
    13:15:40.488521 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6769, length 8
    13:15:40.653472 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1e:4a:a6:97:40.80ad, length 43
    13:15:40.990517 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:41.029129 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6770, length 8
    13:15:41.029794 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6770, length 8
    13:15:41.559094 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6771, length 8
    13:15:41.559614 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6771, length 8
    13:15:41.878782 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:42.100355 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6772, length 8
    13:15:42.100952 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6772, length 8
    13:15:42.641750 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6773, length 8
    13:15:42.642407 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6773, length 8
    13:15:42.653951 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1e:4a:a6:97:40.80ad, length 43
    13:15:42.698614 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:43.159584 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6774, length 8
    13:15:43.160132 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6774, length 8
    13:15:43.574746 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:43.700367 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6775, length 8
    13:15:43.700939 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6775, length 8
    13:15:44.241730 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6776, length 8
    13:15:44.244950 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6776, length 8
    13:15:44.575652 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:44.654559 STP 802.1d, Config, Flags [none], bridge-id 8002.00:1e:4a:a6:97:40.80ad, length 43
    13:15:44.759038 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6777, length 8
    13:15:44.759681 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6777, length 8
    13:15:45.300334 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6778, length 8
    13:15:45.301107 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6778, length 8
    13:15:45.401977 IP 210.132.25.84 > 224.0.0.18: VRRPv2, Advertisement, vrid 209, prio 110, authtype none, intvl 1s, length 20
    13:15:45.841716 IP 210.132.25.82 > 210.132.25.86: ICMP echo request, id 29127, seq 6779, length 8
    13:15:45.842524 IP 210.132.25.86 > 210.132.25.82: ICMP echo reply, id 29127, seq 6779, length 8

    Thanks.



  • And the IP 85.129.117.125 isn't appearing in this log.