HOW to add specific NAT rule??



  • I nedd to add some specific NAT rules. How can I realise it?

    Problem is:

    1. ISP gives IP's from private ranges (10.x.x.x) - ISP's local net.
    2. LAN uses 192.168.x.x
    3. Internet access only through PPTP.
      4) pfSense does not makes NAT on real interface. Only on WAN (PPTP).
    4. need access to ISP' local net.

    Thanx…



  • I dont understand from your desription what you're trying to do, but i suppose you want to enable advanced outbound NAT (firewall –> NAT--> outbound) and create your own userspecific NAT rules.



  • my WAN uses phisical connection (NIC) but configured as PPTP
    AON dont lets to create NAT RULES  on my NIC (they have an IP and I have some static routes configured).



  • pfSense cannot be a PPTP client.
    Only a server.

    I never used PPTP before so i was wrong.
    I didnt think to look on the WAN-config page itself.



  • This is a big mistake!
    They can be a PPTP Client!



  • Maybe you should reformulate your problem.
    I really dont understand what is not working.



  • Ок… I use pfSense 1.2.2.

    1. There is 1 LAN interface (xl0).
    2. And 1 External interface (xl1) connetcted to ISP's local net.
    3. my WAN interface configured as PPTP.
    4. I have access to internet through PPTP.
    5. I dont have acces to "ISP's local net" from my LAN.

    reason - pfSense made only 1 nat rule for WAN('ng0' - pptp interface) and no nat rule for 'xl1' interface.
    I can't make nat rule for 'xl1' using standart GUI.



  • Because all of your traffic should always go out the ng0 interface and never xl, even if it's destined to your ISP's network. You can't use AON for this because where you select WAN it uses ng0. You could manually hack filter.inc to add a rule on xl1 if you really need it, but I've never heard of that ever being necessary.



  • Thanx for advice…
    already working with /etc/inc/filter.inc...
    also I think posible to hack /usr/local/www/firewall_nat_out.edit
    to include special option like 'use real interface' checkbox.

    Many users from Russia needs this feature.
    I think all problems with this - WAN (as PPTP client) dont lets to configure real interface.
    So the routes to PPTP server must be set through 'static routes'. Also IP cant be got by DHCP.
    may be just make WAN to not occupy the real interface... There must be an option.
    It is Not so conveniently to define IP on 'WAN-PPTP' page and routes on 'static routes'
    IMHO PPTP options must NOT occupy the real interface but must choose parent one. it is possible?

    PS I understands ISP limitations )). So in ISPs local net works P2P applications with private IPs and hi bandwidth. 100Mbit/1Gbit. So PPTP server of ISP must be more powerful to rule all of this...
    when internet connection bandwidth only 1-2 MBits it much easier...



  • " It seems that the solution for the scenario of connection when local adress provider (MAN) is visible through the static ip, and the Internet (WAN) - through a tunnel PPTP, so local resources and the Internet were visible at the same time. This can be arranged through an addendum to the wan-interface virtual ip (in the range of addresses MAN) switching and nat - outbound nat to the AON (Advanced Outbound NAT). In this mode the default rule in the NAT, transmitting all packets to the tunnel, is to broadcast packets to local provider adress in the pre-created virtual ip. It seems to be working, although more precise test is not on it. Yes, even set static routes to other provider networks, if available in the MAN. Generally, it is interesting that such a scenario is almost never realized in the western products and config. Only point-to-point. Apparently, this phase of urban ethernet networks they already have. "



  • Can You explain some features of 'Virtual IPs' ??
    type of VirtualIP.
    What they realy do?
    where I can read about this?
    Created VIP will be mapped to real interface (xl1) or to PPTP(ng0)?

    P.S. WOW! I get it realy working. thanx…
    still looking for info about VIP.



  • With all of this working? I get some trouble…
    PF hangs when reloading Firewall rules (when I add some rules like NAT/FIREWALL/etc.)
    without VIP all works Fine...

    Need some advice!!!

    Also I need portforward on my VIP. It's not working! ((


Log in to reply