Adding an Additional subnet to the WAN interface



  • Hi All,

    I have a working setup with pfsense being used as an office firewall.

    I currently have a single subnet routed to the WAN interface and now need to have an additional subnet routed to the same WAN interface.

    Setting up Proxy ARP addresses works fine on the existing WAN subnet and I'm able to NAT back to internal IPs just fine.

    BUT - even though Proxy ARP seems to be working for the new subnet I've routed to the WAN interface, I can't get Pfsense to NAT traffic back into the LAN network.

    I found this document that explains how to add additional subnets to the LAN interface - is this necessary in my situation?

    http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

    Thanks
    Warrick



  • Could you describe a bit better what you mean with "I can't get Pfsense to NAT traffic back into the LAN network"
    Do you mean you added the new IPs as PARP VIPs on the WAN and then used these VIPs in a NAT rule?

    How did you test?
    What did not work?



  • Yes, that's exactly what I did. I added a PARP IP via the Virtual IPs menu and allowed it to auto create the rule for me (allowing HTTP back to the web server running internally).

    I then added an additional rule allowing ICMP to the internal address. Both rules are created on the WAN interface and reference the internal address that I'm allowing traffic to.

    I've done this many times for IPs that are on the WAN interface's primary network.

    I then used the packet capture option to sniff the traffic destined for the PARP address on the WAN side and I do see both ICMP and HTTP traffic hitting the WAN interface when I test the respective protocols.

    I then did the same thing sniffing the LAN interface to see if there are any packets being sent to the internal NAT IP - and I don't see anything. I've also run a packet sniffer on the web server to ensure that I'm not missing something and that traffic is in fact not hitting the machine somehow - there's nothing coming out on the LAN side.

    Downloading the config XML and looking at the version element - it says I'm running version 2.9. Looking at index.php it says I'm running 1.2-RC1 (built on Sat Jul 21 13:42:54 EDT 2007).

    Thanks
    Warrick
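    The WAN-versus-LAN capture comparison described in the post above, as an added example that is not part of the thread: it parses tcpdump-style lines (the format pfSense's packet capture produces) from both interfaces and reports whether traffic for the PARP VIP was translated to the internal host. The addresses and capture lines are constructed documentation-range values, not from the original post.

    ```python
    import re

    # Constructed tcpdump-style capture lines. 203.0.113.10 plays the PARP VIP on
    # WAN and 192.0.2.20 the internal web server (both documentation ranges).
    WAN_CAPTURE = """\
    12:00:01.000001 IP 198.51.100.7 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
    12:00:01.100002 IP 198.51.100.7.51000 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
    12:00:02.100002 IP 198.51.100.7.51000 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
    """.splitlines()
    LAN_CAPTURE_EMPTY = []  # nothing reaches LAN, the symptom reported in the thread
    LAN_CAPTURE_OK = [      # what a working port forward would show on LAN
        "12:00:01.000101 IP 198.51.100.7 > 192.0.2.20: ICMP echo request, id 1, seq 1, length 64",
        "12:00:01.100202 IP 198.51.100.7.51000 > 192.0.2.20.80: Flags [S], seq 1, win 65535, length 0",
    ]

    LINE = re.compile(r"IP (\S+) > ([^\s:]+):")  # "IP src[.port] > dst[.port]:"

    def _endpoint(token):
    """Split an IPv4 tcpdump token 'a.b.c.d[.port]' into (ip, port); port None for ICMP."""
        parts = token.split(".")
        if len(parts) == 5:
            return ".".join(parts[:4]), int(parts[4])
        return token, None

    def parse(lines):
        """Return (proto, src_ip, dst_ip, dst_port) for each capture line that parses."""
        flows = []
        for line in lines:
            m = LINE.search(line)
            if not m:
                continue
            src, _ = _endpoint(m.group(1))
            dst, dport = _endpoint(m.group(2))
            flows.append(("icmp" if "ICMP" in line else "tcp", src, dst, dport))
        return flows

    def diagnose(wan_lines, lan_lines, vip, internal_ip):
        """Compare flows to the VIP on WAN with flows to internal_ip on LAN.
        'no-traffic': nothing for the VIP arrived on WAN (upstream routing problem);
        'not-translated': VIP traffic on WAN, nothing on LAN (NAT rule not matching
        or a filter rule dropping it); 'partial': only some flows forwarded;
        'translated': every (proto, src, dport) seen on WAN also appeared on LAN."""
        wan = {(p, s, d) for p, s, dst, d in parse(wan_lines) if dst == vip}
        lan = {(p, s, d) for p, s, dst, d in parse(lan_lines) if dst == internal_ip}
        if not wan:
            return "no-traffic"
        missing = wan - lan
        if missing == wan:
            return "not-translated"
        return "partial" if missing else "translated"
    ```
    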

