Netgate Discussion Forum

    Moving from Cisco to pfSense

    Routing and Multi WAN
    5 Posts 3 Posters 713 Views

      cusd2tech (last edited by cusd2tech)

      We have a static 66.xx.xx.xx /30 IP on the gateway of our Cisco 1941 router, our ISP has routed a 216.xx.xx.xx /28 subnet to that IP which we use for some public-facing services.

      This is how we accomplish this in Cisco-speak.

      ip nat inside source static 192.168.5.11 xxx.yyy.16.50 extendable
      ip nat inside source static 192.168.5.41 xxx.yyy.16.51 extendable
      ip nat inside source static 192.168.5.42 xxx.yyy.16.52 extendable
      ip nat inside source static 192.168.5.3 xxx.yyy.16.55 extendable

      On our XG-7100 1U we tried setting up Virtual IPs on the WAN for each of the /28 IPs that we're using, created 1:1 NAT and then allow/deny rules for the ports as appropriate based on the Cisco ACLs. But when testing from an external address we were unable to access the desired resources via the public IP.

      What could we be missing?

      TIA

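      The Cisco lines in the first post are plain 1:1 static NAT statements, and the thread's problem amounts to checking that each public side of such a mapping really sits inside the block the ISP routes to the firewall. The following Python is an added example, not code from the original post or from Netgate: it parses `ip nat inside source static <inside> <outside> [extendable]` lines into 1:1 mappings and flags outside addresses that fall outside the routed /28, collide with the WAN /30, or are the block's network/broadcast address. The addresses are constructed placeholders from the RFC 5737 test ranges standing in for the obfuscated ones in the post; the /28 and /30 values are assumptions.

```python
import ipaddress
import re

# Constructed placeholders (RFC 5737 TEST-NET ranges) for the obfuscated addresses
# in the post. Both values are assumptions, not taken from the thread.
ROUTED_BLOCK = ipaddress.ip_network("203.0.113.48/28")  # /28 the ISP routes to the WAN IP
WAN_LINK = ipaddress.ip_network("198.51.100.0/30")      # the /30 on the WAN side

# Constructed sample in the same shape as the Cisco lines quoted in the post.
CISCO_CONFIG = """\
ip nat inside source static 192.168.5.11 203.0.113.50 extendable
ip nat inside source static 192.168.5.41 203.0.113.51 extendable
ip nat inside source static 192.168.5.42 203.0.113.52 extendable
ip nat inside source static 192.168.5.3 203.0.113.55 extendable
"""

# Only the plain 1:1 form is parsed; port-specific forms (static tcp/udp ...) are skipped.
STATIC_NAT = re.compile(
    r"^ip nat inside source static\s+(?P<inside>\S+)\s+(?P<outside>\S+)"
    r"(?:\s+extendable)?\s*$"
)


def parse_static_nat(config):
    """Return [(inside, outside)] address pairs for every 1:1 static NAT line."""
    mappings = []
    for line in config.splitlines():
        m = STATIC_NAT.match(line.strip())
        if not m:
            continue
        try:
            inside = ipaddress.ip_address(m["inside"])
            outside = ipaddress.ip_address(m["outside"])
        except ValueError:
            continue  # not two bare addresses, e.g. an interface name or a keyword
        mappings.append((inside, outside))
    return mappings


def check_mappings(mappings, routed_block, wan_link):
    """Return a list of problem strings; an empty list means the 1:1 NAT plan is consistent
    with the block the ISP routes to the firewall."""
    problems = []
    seen_outside = set()
    for inside, outside in mappings:
        if not inside.is_private:
            problems.append(f"{inside}: inside address is not an RFC1918 address")
        if outside not in routed_block:
            problems.append(f"{outside}: not inside the routed block {routed_block}")
        elif outside in (routed_block.network_address, routed_block.broadcast_address):
            problems.append(f"{outside}: network/broadcast address of {routed_block} cannot be used")
        if outside in wan_link:
            problems.append(f"{outside}: overlaps the WAN link {wan_link}")
        if outside in seen_outside:
            problems.append(f"{outside}: public address mapped more than once")
        seen_outside.add(outside)
    return problems


if __name__ == "__main__":
    mappings = parse_static_nat(CISCO_CONFIG)
    for inside, outside in mappings:
        print(f"1:1 NAT  {outside}  ->  {inside}")
    for problem in check_mappings(mappings, ROUTED_BLOCK, WAN_LINK) or ["no problems found"]:
        print(problem)
```

      Each surviving pair is one pfSense 1:1 NAT entry (external address on the WAN, internal address on the LAN); the firewall rule on WAN still has to allow the traffic to the internal address, which is the point johnpoz raises in the reply.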
        johnpoz, LAYER 8 Global Moderator (last edited by johnpoz)

        You didn't set the NATs correctly. You didn't set up the VIPs correctly. The IP on your pfSense is wrong and the /28 is not routed to you. You didn't create a firewall rule on your WAN to allow the traffic to the RFC1918 address you set up the 1:1 NAT to, etc.

        Without you posting what you actually did vs what you said you did there is no way to try and figure out where you went wrong or what is wrong.

        Did you sniff and make sure the IPs in the /28 are actually getting to the pfSense WAN?

        If the network is actually routed to you, why are you wanting to NAT it with VIPs? Why not just use that network behind?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          cusd2tech

          We could indeed see the inbound traffic into the appliance but were having an issue with the NAT. After extensive searching and experimentation we found a configuration using port forwarding and NAT+Proxy that works for us. When we set up the routed IPs individually with /24 instead of /28 (as they are routed to us), or as /32, things finally fell into place and allowed us to replicate what we were doing on the old Cisco box with much better performance and added functionality.

          Thanks

            kpa (last edited by kpa)

            @cusd2tech, I think you completely missed the point of what @johnpoz was asking. If the /28 is routed to you with the WAN address of pfSense as the target of the subnet there is zero reason to use NAT of any kind; you can just pick an address from the /28 for the LAN interface of pfSense and use the rest of the /28 on the LAN hosts as /28s, not as /24s or /32s mind you.

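            Why the mask matters in kpa's suggestion is easiest to see by modelling the host's own forwarding decision. The Python below is an added example, not code from the post or from Netgate: `address_plan` lays out a routed /28 the way kpa describes (first usable address on the pfSense LAN interface, the rest on the hosts, all with the /28 mask), and `next_hop` reproduces the on-link test a host performs, so you can see that a /24 mask makes the host treat addresses that belong to the ISP's neighbours as directly connected (it ARPs for them and never sends them to pfSense), while a /32 mask leaves the default gateway itself unreachable without an extra host route. The /28 and the probe addresses are constructed from the RFC 5737 test range and are assumptions, not values from the thread.

```python
import ipaddress

# Constructed placeholder (RFC 5737 TEST-NET-3) for the /28 the ISP routes to the WAN IP.
ROUTED_BLOCK = "203.0.113.48/28"


def address_plan(block):
    """Assign a routed block the way kpa describes: first usable address to the pfSense LAN
    interface, remaining usable addresses to the public-facing hosts, all with the block's
    own prefix length. Returns {"lan_gateway": "a.b.c.d/28", "hosts": [...]}."""
    net = ipaddress.ip_network(block)
    usable = list(net.hosts())  # excludes network and broadcast addresses
    return {
        "lan_gateway": f"{usable[0]}/{net.prefixlen}",
        "hosts": [f"{h}/{net.prefixlen}" for h in usable[1:]],
    }


def next_hop(host_ip, prefix_len, gateway, dst):
    """Model a host's forwarding decision for one destination.

    Returns "direct" if the host believes dst is on its own segment (it will ARP for it),
    the gateway address if dst is off-link and the gateway is reachable, or None if the
    gateway is not on-link either, i.e. the default route is unusable."""
    iface = ipaddress.ip_interface(f"{host_ip}/{prefix_len}")
    dst = ipaddress.ip_address(dst)
    gw = ipaddress.ip_address(gateway)
    if dst in iface.network:
        return "direct"
    if gw not in iface.network:
        return None
    return str(gw)


def mask_report(host_ip, gateway, dst):
    """Compare the forwarding decision for the same host under /28, /24 and /32 masks."""
    return {p: next_hop(host_ip, p, gateway, dst) for p in (28, 24, 32)}


if __name__ == "__main__":
    plan = address_plan(ROUTED_BLOCK)
    print("pfSense LAN:", plan["lan_gateway"])
    print("hosts:     ", ", ".join(plan["hosts"]))
    gw = plan["lan_gateway"].split("/")[0]
    host = plan["hosts"][0].split("/")[0]
    # 203.0.113.200 is a constructed address outside the /28 but inside the enclosing /24:
    # with a /24 mask the host wrongly treats it as on-link instead of sending it to pfSense.
    for dst in ("203.0.113.51", "203.0.113.200", "192.0.2.1"):
        print(dst, mask_report(host, gw, dst))
```

            The report for a destination in the enclosing /24 but outside the /28 is the revealing row: only the /28 mask sends it to the pfSense LAN address, which is what "use the rest of the /28 on the LAN hosts as /28s" means in practice.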
              cusd2tech

              I understood. However the recent setup was a static NAT translation to the private IP on the three devices on the LAN with ACL controls. Ideally we'd have a different setup and we'll certainly be changing the network topology (and reconfiguring the affected servers) in the future, but we just needed to quickly replicate the existing router setup to meet immediate needs and address the sanity of the network design as time goes on. The Cisco could not support our new 1G fiber connection and the XG-7100 handles it with ease. Sure, it's not the best setup. But it's working.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.