    HOW to add specific NAT rule??

      SB HidDeN last edited by

      I need to add some specific NAT rules. How can I realise it?

      Problem is:

      1. ISP gives IPs from private ranges (10.x.x.x) - ISP's local net.
      2. LAN uses 192.168.x.x
      3. Internet access only through PPTP.
      4. pfSense does not do NAT on the real interface. Only on WAN (PPTP).
      5. Need access to ISP's local net.

      Thanx…

        GruensFroeschli last edited by

        I don't understand from your description what you're trying to do, but I suppose you want to enable advanced outbound NAT (firewall -> NAT -> outbound) and create your own user-specific NAT rules.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          SB HidDeN last edited by

          My WAN uses a physical connection (NIC) but is configured as PPTP.
          AON doesn't let me create NAT rules on my NIC (it has an IP and I have some static routes configured).

            GruensFroeschli last edited by

            pfSense cannot be a PPTP client.
            Only a server.

            I never used PPTP before so I was wrong.
            I didn't think to look on the WAN-config page itself.

              SB HidDeN last edited by

              This is a big mistake!
              It can be a PPTP client!

                GruensFroeschli last edited by

                Maybe you should reformulate your problem.
                I really don't understand what is not working.

                  SB HidDeN last edited by

                  OK… I use pfSense 1.2.2.

                  1. There is 1 LAN interface (xl0).
                  2. And 1 external interface (xl1) connected to ISP's local net.
                  3. My WAN interface is configured as PPTP.
                  4. I have access to the internet through PPTP.
                  5. I don't have access to "ISP's local net" from my LAN.

                  Reason - pfSense made only 1 NAT rule for WAN ('ng0' - PPTP interface) and no NAT rule for the 'xl1' interface.
                  I can't make a NAT rule for 'xl1' using the standard GUI.

                    cmb last edited by

                    Because all of your traffic should always go out the ng0 interface and never xl, even if it's destined to your ISP's network. You can't use AON for this because where you select WAN it uses ng0. You could manually hack filter.inc to add a rule on xl1 if you really need it, but I've never heard of that ever being necessary.

                      SB HidDeN last edited by

                      Thanx for advice…
                      Already working with /etc/inc/filter.inc...
                      Also I think it is possible to hack /usr/local/www/firewall_nat_out.edit
                      to include a special option like a 'use real interface' checkbox.

                      Many users from Russia need this feature.
                      I think all problems with this - WAN (as PPTP client) doesn't let you configure the real interface.
                      So the routes to the PPTP server must be set through 'static routes'. Also the IP can't be got by DHCP.
                      Maybe just make WAN not occupy the real interface... There must be an option.
                      It is not so convenient to define the IP on the 'WAN-PPTP' page and routes on 'static routes'.
                      IMHO PPTP options must NOT occupy the real interface but must choose a parent one. Is it possible?

                      PS I understand ISP limitations )). So in the ISP's local net P2P applications work with private IPs and high bandwidth. 100Mbit/1Gbit. So the ISP's PPTP server must be more powerful to rule all of this...
                      When the internet connection bandwidth is only 1-2 MBits it is much easier...

                        werter last edited by

                        " It seems that the solution for the scenario of connection when local address provider (MAN) is visible through the static ip, and the Internet (WAN) - through a tunnel PPTP, so local resources and the Internet were visible at the same time. This can be arranged through an addendum to the wan-interface virtual ip (in the range of addresses MAN) switching and nat - outbound nat to the AON (Advanced Outbound NAT). In this mode the default rule in the NAT, transmitting all packets to the tunnel, is to broadcast packets to local provider address in the pre-created virtual ip. It seems to be working, although more precise test is not on it. Yes, even set static routes to other provider networks, if available in the MAN. Generally, it is interesting that such a scenario is almost never realized in the western products and config. Only point-to-point. Apparently, this phase of urban ethernet networks they already have. "

                          SB HidDeN last edited by

                          Can you explain some features of 'Virtual IPs'?
                          Type of Virtual IP.
                          What do they really do?
                          Where can I read about this?
                          Will the created VIP be mapped to the real interface (xl1) or to PPTP (ng0)?

                          P.S. WOW! I got it really working. Thanx…
                          Still looking for info about VIP.

                            SB HidDeN last edited by

                            With all of this working? I get some trouble…
                            PF hangs when reloading firewall rules (when I add some rules like NAT/FIREWALL/etc.)
                            Without VIP all works fine...

                            Need some advice!!!

                            Also I need port forwarding on my VIP. It's not working! ((
