Netgate Discussion Forum
    Adding an Additional subnet to the WAN interface

    WarrickF

      Hi All,

      I have a working setup with pfSense being used as an office firewall.

      I currently have a single subnet routed to the WAN interface and now need to have an additional subnet routed to the same WAN interface.

      Setting up Proxy ARP addresses works fine on the existing WAN subnet and I'm able to NAT back to internal IPs just fine.

      BUT - even though Proxy ARP seems to be working for the new subnet I've routed to the WAN interface, I can't get pfSense to NAT traffic back into the LAN network.

      I found this document that explains how to add additional subnets to the LAN interface - is this necessary in my situation?

      http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

      Thanks
      Warrick

      GruensFroeschli

        Could you describe a bit better what you mean with "I can't get pfSense to NAT traffic back into the LAN network"?
        Do you mean you added the new IPs as PARP VIPs on the WAN and then used these VIPs in a NAT rule?

        How did you test?
        What did not work?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        WarrickF

          Yes, that's exactly what I did. I added a PARP IP via the Virtual IPs menu and allowed it to auto create the rule for me (allowing HTTP back to the web server running internally).

          I then added an additional rule allowing ICMP to an internal address. Both rules are created on the WAN interface and reference the internal address that I'm allowing traffic to.

          I've done this many times for IPs that are on the WAN interface's primary network.

          I then used the packet capture option to sniff the traffic destined for the PARP address on the WAN side and I do see both ICMP and HTTP traffic hitting the WAN interface when I test the respective protocols.

          I then did the same thing sniffing the LAN interface to see if there are any packets being sent to the internal NAT'd IP - and I don't see anything. I've also run a packet sniffer on the web server to ensure that I'm not missing something and that traffic is in fact not hitting the machine somehow - there's nothing coming out on the LAN side.

          Downloading the config XML and looking at the version element - it says I'm running version 2.9. Looking at index.php it says I'm running 1.2-RC1 (built on Sat Jul 21 13:42:54 EDT 2007).

          Thanks
          Warrick

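One quick way to check the point GruensFroeschli raises (is every port forward's destination an address the WAN actually answers for?) is to audit the config XML rather than the live box. The script below is an added example, not code from the thread or from pfSense: it parses a constructed config fragment in the pfSense 2.x config.xml layout (element names are assumed from that format; the 1.2-RC1 layout mentioned above differs) and lists WAN port forwards whose destination address is covered by neither the WAN address nor any proxy ARP VIP.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense 2.x config.xml fragment (element names
# are assumed from that format, not taken from the thread). WAN is 203.0.113.2/29,
# a second block 198.51.100.0/29 is routed to it, and a PARP VIP exists for only
# one of the two addresses the port forwards use.
SAMPLE_CONFIG = """<pfsense>
  <interfaces><wan><if>em0</if><ipaddr>203.0.113.2</ipaddr><subnet>29</subnet></wan></interfaces>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface>
         <subnet>203.0.113.4</subnet><subnet_bits>32</subnet_bits></vip>
  </virtualip>
  <nat>
    <rule><interface>wan</interface><protocol>tcp</protocol>
          <destination><address>203.0.113.4</address><port>80</port></destination>
          <target>192.168.1.10</target><local-port>80</local-port></rule>
    <rule><interface>wan</interface><protocol>tcp</protocol>
          <destination><address>198.51.100.3</address><port>80</port></destination>
          <target>192.168.1.10</target><local-port>80</local-port></rule>
  </nat>
</pfsense>"""


def answered_networks(xml_text):
    """Networks the WAN answers ARP for: its own address (/32) plus each proxyarp VIP.
    Other addresses inside the WAN subnet are not answered unless a VIP exists."""
    root = ET.fromstring(xml_text)
    nets = [ipaddress.ip_network(root.findtext("interfaces/wan/ipaddr") + "/32")]
    for vip in root.findall("virtualip/vip"):
        if vip.findtext("mode") == "proxyarp" and vip.findtext("interface") == "wan":
            cidr = f"{vip.findtext('subnet')}/{vip.findtext('subnet_bits')}"
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def unanswered_forwards(xml_text):
    """(destination, target) for each WAN port forward whose destination no WAN
    address or proxyarp VIP covers; these rely purely on upstream routing to the
    WAN address and are the first ones to look at when a forward never matches."""
    root = ET.fromstring(xml_text)
    covered = answered_networks(xml_text)
    missing = []
    for rule in root.findall("nat/rule"):
        if rule.findtext("interface") != "wan":
            continue
        dst = ipaddress.ip_address(rule.findtext("destination/address"))
        if not any(dst in net for net in covered):
            missing.append((str(dst), rule.findtext("target")))
    return missing


if __name__ == "__main__":
    for dst, target in unanswered_forwards(SAMPLE_CONFIG):
        print(f"forward {dst} -> {target}: no WAN address or PARP VIP answers for {dst}")
```

Pair the report with the packet captures described above: a forward on the list that shows traffic on WAN but none on LAN is the rule whose VIP or routing to verify first.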
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.