NAT on "LAN" interface



  • Hello everyone,

    Got an interesting scenario that I just can't figure out. The TL;DR is I need one of the LAN ports of the pfSense to act as a WAN port to a downstream firewall. So:

    ISP 2.x.x.x
    |
    |
    pfSense WAN 2.x.x.251
    |
    |
    pfSense LAN2 10.10.10.1
    |
    |
    3rd party Firewall WAN 10.10.10.101
    |
    3rd party Firewall LAN 172.16.0.1
    |
    Client 172.16.0.x

    The client can't reach any IP beyond 172.16.0.1, which is the inside interface of the 3rd party FW. The FW itself can ping all the way to the internet, as can any client I place on the LAN2 interface. In the pfSense log, I see the FW dropping all the "natted" packets. So for example 10.10.10.101 to 8.8.8.8 is dropped. Now this packet was not initiated by the 3rd party FW, but by the client behind it (PAT is configured on the 3rd FW outside interface).

    I've configured wide open "any,any" rules. I've also confirmed this is only happening for packets that are translated by the 3rd FW.

    Any ideas? TIA!
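    One way to confirm the "only translated packets are dropped" observation from the pfSense filter log, as an added example that is not from the thread. It assumes the filterlog CSV layout noted in the comments, a constructed sample log, and that LAN2 is igb1; the TTL check is a heuristic (a packet forwarded once by the downstream firewall arrives with a TTL one below a common OS default).

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed pfSense filterlog lines (not from the thread). Assumed layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,id,
# offset,flags,proto-id,proto,length,src,dst[,sport,dport,...] (TCP/UDP).
SAMPLE_LOG = """\
5,,,1000000103,igb1,match,block,in,4,0x0,,63,4101,0,DF,6,tcp,60,10.10.10.101,8.8.8.8,51234,443,0,S,10:10,,65535,,mss
5,,,1000000103,igb1,match,block,in,4,0x0,,63,4102,0,none,17,udp,76,10.10.10.101,1.1.1.1,40011,53,56
0,,,1000000101,igb1,match,pass,in,4,0x0,,64,4103,0,none,17,udp,76,10.10.10.101,8.8.8.8,40012,53,56
5,,,1000000103,igb1,match,block,in,4,0x0,,63,4104,0,DF,6,tcp,60,10.10.10.101,8.8.8.8,51235,443,0,S,10:10,,65535,,mss
"""

INITIAL_TTLS = {64, 128, 255}  # common OS defaults; one below means forwarded once


def parse_filterlog(text):
    """Yield dicts for IPv4 TCP/UDP entries; skip anything else."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 22 or row[8] != "4" or row[16] not in ("tcp", "udp"):
            continue
        yield {"iface": row[4], "action": row[6], "dir": row[7],
               "ttl": int(row[11]), "proto": row[16],
               "src": ipaddress.ip_address(row[18]),
               "dst": ipaddress.ip_address(row[19]), "dport": row[21]}


def translated_drops(text, iface, downstream_wan, transit_net):
    """Count blocks on `iface` that look like traffic the downstream firewall
    forwarded (NAT'd) rather than originated: source is its WAN address,
    destination lies outside the transit subnet, and the TTL is one below a
    typical initial value, i.e. the packet has already crossed one hop."""
    wan = ipaddress.ip_address(downstream_wan)
    net = ipaddress.ip_network(transit_net)
    hits = Counter()
    for e in parse_filterlog(text):
        if e["iface"] != iface or e["action"] != "block" or e["dir"] != "in":
            continue
        if e["src"] != wan or e["dst"] in net:
            continue
        if e["ttl"] + 1 in INITIAL_TTLS:
            hits[(str(e["dst"]), e["proto"], e["dport"])] += 1
    return hits


if __name__ == "__main__":
    for key, n in translated_drops(SAMPLE_LOG, "igb1", "10.10.10.101", "10.10.10.0/24").items():
        print(n, "blocked", key)
```

    If the only blocked flows are the ones this reports while the firewall's own traffic (fresh TTL) passes, the ruleset is not matching the forwarded packets as the "any/any" rules would suggest, which is what a rule reload (or, as in this thread, a reboot) addresses.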



  • For whatever funky reason, a reboot fixed this issue. Looks like the allow any any rules were not being loaded correctly.