Netgate Discussion Forum

    NAT Configuration doubt!

    General pfSense Questions
    • peterfranca

      Hi all,
      I am new to pfSense and I am in doubt about how pfSense works with NAT.
      This is my scenario: 2 nodes with HA configured and working.
      But when I try to access the internet through pfSense, it does not work.
      I am following this tutorial https://www.netgate.com/docs/pfsense/highavailability/configuring-high-availability.html on how to configure HA, and the part that explains how to set manual Outbound NAT is really hard to understand.

      I've edited the rule for LAN, and on the translation option I have selected my CARP IP, and nothing works. Do I have to do anything special to get NAT working? Am I missing something?

      When I am editing the WAN rule, there is no CARP there to select as the translation address. I've added another CARP to match the WAN gateway, but it did not work either.

      How do you guys set up NAT in your environment?

      • Derelict LAYER 8 Netgate

        Get CARP/HA configured
        Change to Manual Outbound NAT
        Change the NAT address on all the rules except the localhost rules to the CARP VIP
        You're done.

        Sounds like you've clicked a lot of things you shouldn't have.

        No, you don't make a VIP for the gateway address.

        Not sure what edited the rule for LAN means.

        You might want to post some screenshots. Probably best to start with outbound NAT.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • peterfranca

          What do you mean by "change the NAT address on all the rules except the localhost rules to the CARP VIP"? I got the part about not changing the localhost rule.
          Please see the print below. I have selected the LAN rule, and on the Address option under translation I have selected the CARP IP. Should I do this for all the rules?

          [image]

          [image]

          That is the part that confuses me. If I select a WAN rule, on the Address option under translation I should have to select the Gateway to the WAN interface, shouldn't I? I am very confused!

          Looking at the next print, the only option that I have under Address is 192.168.0.3. Do I have to select this CARP IP even for the WAN rule?

          [image]

          • Derelict LAYER 8 Netgate

            Do not use source "any" outbound NAT rules. That will NAT things that should not have NAT performed on them, such as connections from the firewall itself.

            Automatic NAT will create all the rules you need. Then switch to manual and you can edit them (except the localhost source rules) and set the NAT address to the CARP VIP.

            Like I said:

            Get CARP/HA configured
            Change to Manual Outbound NAT
            Change the NAT address on all the rules except the localhost rules to the CARP VIP
            You're done.

            https://www.youtube.com/watch?v=VnBnnh81G7w

            Is there a specific reason you are setting outbound NAT on LAN?

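A check for the procedure in the reply above, as an added example that is not part of the original thread or of pfSense's own tooling: it flags source-any NAT rules and any non-localhost rule whose translation address is not the CARP VIP. It assumes the rules are available as text in pf.conf `nat on ... from ... to ... -> ...` form; the sample rules, the interface name `em0` and the 198.51.100.x addresses are constructed.

```python
import ipaddress
import re

# Constructed sample ruleset in pf.conf NAT syntax (not taken from the thread).
SAMPLE_RULES = """\
nat on em0 inet from 127.0.0.0/8 to any -> 198.51.100.2 port 1024:65535
nat on em0 inet from 192.168.0.0/24 to any port 500 -> 198.51.100.10 static-port
nat on em0 inet from 192.168.0.0/24 to any -> 198.51.100.2 port 1024:65535
nat on em0 inet from any to any -> 198.51.100.10 port 1024:65535
"""

NAT_RE = re.compile(
    r"^nat on (?P<iface>\S+)(?: inet6?)? from (?P<src>\S+) to .*?-> (?P<target>[^\s/]+)"
)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def is_loopback(src: str) -> bool:
    """True when the rule source is a literal network inside 127.0.0.0/8."""
    try:
        net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        return False  # table or macro name, not a literal network
    return net.version == 4 and net.subnet_of(LOOPBACK)


def audit_outbound_nat(ruleset: str, carp_vip: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) pairs for rules that break the HA guidance."""
    vip = ipaddress.ip_address(carp_vip)
    findings = []
    for lineno, line in enumerate(ruleset.splitlines(), start=1):
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # not a NAT rule (comment, filter rule, blank line)
        if m["src"] == "any":
            # Source any also translates traffic from the firewall itself.
            findings.append((lineno, "source is 'any'"))
            continue
        if is_loopback(m["src"]):
            continue  # localhost rules keep the node's own address
        try:
            translated = ipaddress.ip_address(m["target"])
        except ValueError:
            findings.append((lineno, f"target {m['target']!r} is not an address"))
            continue
        if translated != vip:
            findings.append((lineno, f"translates to {translated}, not CARP VIP {vip}"))
    return findings
```

Run against the ruleset of each HA node with the shared WAN CARP VIP as `carp_vip`; an empty result means every non-localhost rule translates to the VIP.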
            • Derelict LAYER 8 Netgate

              Don't take this the wrong way, but maybe you should get a better grasp on the basic functionality of pfSense before tackling something like an HA pair.

              [image]

              • peterfranca

                Hey @Derelict, thanks for the video explaining how to configure the HA. The manual that I was looking at is a bit outdated; that is why I was having so many doubts.
                Now things are way more clear.
