Configuring 1:1 NAT to Virtual IP from internal LAN



  • Good morning All, I am in the process of configuring a 1:1 NAT to Virual IP on my pfsense 2.4.4, i am able to ping my WAN and LAN interfaces from the option 7(ping host ) option, however i cannot ping the test nodes in my testlab with the same range of IPs. I can successfully ping the Virtual IP address from the pfsense box, however i cannot ping the Virtual IP address outside of the pfsense box or from the WAN.

    My WAN interface is giving me this error: "incomplete an hn0 expired ". I would like to know what this means? The VIP should be the jump server which gives access to the Test LAB environment.



  • From what you're writing here, you just setup a virtual IP on pfSense and expect it to magically get assigned to some machines that seem to be behind pfSense?

    Magic is a nice thing but pfSense doesn't come with it.

    So you either setup some proper nating/routing or it will never start to work.

    Please give me more information so that I can help you.

    Cu



  • @Tafy make sure that your host machines are not blocking public IP addresses from pinging them. Windows machines in particular block every address outside their subnet as a public address. Generally I use VIP proxy for my statics. All traffic including pings are forwarded to the other end of your one to one NAT.



  • @Grimeton I have an internal ip 172.16.0.21 which is on the test01 and then i have 192.168.0.1 which is on the WAN side of the pfSense and i want to be able to do a Remote Desktop Session from the WAN side to test01 via the virtual ip 192.168.0.10. I want to configure one to one NAT, between virtual ip and internal host LAN ip.



  • @Grimeton How do i configure the NAT within pfSense i am still new to pfsense. The pfsense box is not replying to pings from the Windows box both on the LAN and WAN. I have allowed the ICMP protocol to ping both Virtual IP and LAN IP.



  • @chpalmer I created a Test Lab where i am using private ip addresses for the LAN and WAN side. Where i am facing a challenge is that when i ping the pfsense box from command prompt in windows, i am getting the following error: Destination Host Unreachable, implying the pfsense box does not have a route to return the ICMP echo reply......or i have not configured the necessary firewall rules....?



  • @Tafy So ...

    If you want to do 1:1 NAT all you have to do is to create the virtual IP and then add a 1:1 NAT rule for said IP.

    The thing is that the machine behind pfSense needs to use pfSense as its default gateway so that it sends all packets back via the machine the requests were nated on.

    NAT has a lot to do with routing. If the routing isn't working, then best NAT cannot help.

    Cu



  • @Grimeton I have created a 1:1 NAT rule for said IP and set the pfSense LAN interface as the default gateway for all windows machines within that LAN. Do i have to configure a default route or static route on pfsense?



  • @Grimeton I am getting a destination host unreachable: Ping to DG gives Destination Host Unreachable error.PNG

    When i ping from the pfsense box to the same machine i was pinging the Default Gateway i get the following error:

    Pfsense ping to Windows Box.PNG



  • When FreeBSD returns host is down, then the ARP request isn't fullfilled. Check the ARP-cache:

    arp -an

    and see if there is a mac address for the ip you're trying to ping. If there's not, then your layer 2 setup is broken and you have to patch the cables/configure vlans correctly.

    Cu



  • When i run the arp -an on the pfsense box, i can see the MAC addresses of the LAN and WAN, however the DG has an error: Currently when i try to access the pfsense box over the lan ip, i am getting the following error: incomplete on hn0 expired. I would like to know what hn0 expired means. The virtual ip has a mac address assigned. However my challenge now is that i cannot access the pfsense WEB GUI via the LAN ip from the test machines in the 172.16.0.0/16 network. The LAN ip is 172.16.0.1, i get the following error screen:

    This page cannot be displayed.PNG



  • You should check if you can see a mac address assigned to the IP entry in the arp cache of the host you're trying to ping.

    No surprise that you can see the firewall's own interfaces in the arp cache. They're static.

    Go check the arp cache again and then fix the l2 plumbing.

    Cu


Log in to reply