Moving from Cisco to pfSense

  • We have a static 66.xx.xx.xx /30 IP on the gateway of our Cisco 1941 router, our ISP has routed a 216.xx.xx.xx /28 subnet to that IP which we use for some public-facing services.

    This is how we accomplish this in Cisco-speak.

    ip nat inside source static xxx.yyy.16.50 extendable
    ip nat inside source static xxx.yyy.16.51 extendable
    ip nat inside source static xxx.yyy.16.52 extendable
    ip nat inside source static xxx.yyy.16.55 extendable

On our XG-7100 1U we tried setting up Virtual IPs on the WAN for each of the /28 IPs that we're using, created 1:1 NAT and then allow/deny rules for the ports as appropriate based on the Cisco ACLs. But when testing from an external address we were unable to access the desired resources via the public IP.

    What could we be missing?


  • LAYER 8 Global Moderator

You didn't set the NATs correctly. You didn't set up the VIPs correctly. The IP on your pfSense is wrong and the /28 is not routed to you, you didn't create a firewall rule on your WAN to allow the traffic to the RFC 1918 address you set up the 1:1 NAT to, etc.

Without you posting what you actually did vs what you said you did there is no way to try and figure out where you went wrong or what is wrong.

Did you sniff and make sure the IPs in the /28 are actually getting to the pfSense WAN?

If the network is actually routed to you, why are you wanting to NAT it with VIPs? Why not just use that network behind it?

  • We could indeed see the inbound traffic into the appliance but were having an issue with the NAT. After extensive searching and experimentation we found a configuration using port forwarding and NAT+Proxy that works for us. When we set up with routed IPs individually with /24 instead of /28 (as they are routed to us) or as /32 things finally fell into place and allowed us to replicate what we were doing on the old Cisco box with much better performance and added functionality.


@cusd2tech, I think you completely missed the point of what @johnpoz was asking. If the /28 is routed to you with the WAN address of pfSense as the target of the subnet there is zero reason to use NAT of any kind, you can just pick an address from the /28 for the LAN interface of pfSense and use the rest of the /28 on the LAN hosts as /28s, not as /24s or /32s mind you.
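As an added example (not from any poster in this thread), the check below parses IOS `ip nat inside source static` lines and reports, for each public address, whether it sits in the routed block (no NAT needed if the block is simply assigned to LAN), on the /30 point-to-point link (only port forwards apply, not 1:1 NAT), or nowhere that is routed to the firewall. The sample config and the RFC 5737 documentation prefixes are constructed placeholders, since the original post omits the inside-global column.

```python
import ipaddress
import re

# Constructed sample standing in for the thread's 66.x /30 and 216.x /28.
WAN_P2P = ipaddress.ip_network("203.0.113.0/30")
ROUTED_BLOCK = ipaddress.ip_network("198.51.100.16/28")

# Constructed IOS lines; the posted config omitted the public (inside-global) column,
# so placeholder documentation addresses are used here.
SAMPLE_CONFIG = """
ip nat inside source static 10.20.16.50 198.51.100.18 extendable
ip nat inside source static 10.20.16.51 198.51.100.19 extendable
ip nat inside source static 10.20.16.52 203.0.113.2 extendable
ip nat inside source static 10.20.16.55 192.0.2.9 extendable
ip nat inside source static 10.20.16.60 extendable
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
STATIC_NAT = re.compile(
    rf"^ip nat inside source static (?P<local>{IPV4}) (?P<public>{IPV4})(?: extendable)?$"
)


def parse_static_nat(text):
    """Return (inside_local, inside_global) pairs; lines missing an address are skipped."""
    pairs = []
    for line in text.splitlines():
        m = STATIC_NAT.match(line.strip())
        if m:
            pairs.append((ipaddress.ip_address(m["local"]),
                          ipaddress.ip_address(m["public"])))
    return pairs


def classify(public, wan=WAN_P2P, routed=ROUTED_BLOCK):
    """Describe how a public address can be handled on pfSense."""
    if public in routed:
        return "routed-block"   # VIP + 1:1 NAT works, but plain routing needs no NAT
    if public in wan:
        return "p2p-link"       # address on the /30 itself: port forwards only
    return "unrouted"           # nothing sends this address to the firewall


def audit(text):
    """Map each inside-local address to the verdict for its public address."""
    return {str(local): classify(public) for local, public in parse_static_nat(text)}


if __name__ == "__main__":
    for local, verdict in audit(SAMPLE_CONFIG).items():
        print(f"{local}: {verdict}")
```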

  • I understood. However the recent setup was a static NAT translation to the private IP on the three devices on the LAN with ACL controls. Ideally we'd have a different setup and we'll certainly be changing the network topology (and reconfiguring the affected servers) in the future, but we just needed to quickly replicate the existing router setup to meet immediate needs and address the sanity of the network design as time goes on. The Cisco could not support our new 1G fiber connection and the XG-7100 handles it with ease. Sure, it's not the best setup. But it's working.
