Netgate Discussion Forum

    NAT issue for networks not directly connected to the firewall.

    NAT
    4 Posts 2 Posters 325 Views
    • lugwitz

      I have one pfSense router which is my edge, which has a LAN for standard user net access and a second subnetwork that has more pfSense routers on that net. On that secondary sub-network I have BGP sharing routes, and the connections between all advertised networks run okay locally. The LAN users and any other network that is directly attached to the edge router can be NATed and translated to the public internet.

      The downstream routers have learned the default route via BGP and point to the correct location, so this isn't a routing issue. Other routers on the second network are not NATing and are forwarding traffic to the edge router as expected. But the edge router is only willing to NAT networks that are directly connected, not the networks that are learned via BGP.

      Is there any way to have pfSense NAT those networks that are learned via BGP?

      1 Reply Last reply Reply Quote 0
      • Derelict LAYER 8 Netgate
        last edited by Derelict

        pfSense has no idea those source networks exist.

        In Firewall > NAT, Outbound, switch to hybrid mode and add them.

        A common shortcut is to just make an alias called RFC1918 that contains:

        192.168.0.0/16
        172.16.0.0/12
        10.0.0.0/8

        And just NAT everything from source RFC1918. It doesn't really matter, because it only applies to traffic already routed out the WAN in the first place, so if it's an RFC1918 source at that point it should probably have its source address translated anyway.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 1
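        As an added illustration (not part of the original post, and not the rule set pfSense generates itself), here is what the hybrid-mode outbound NAT mapping described above amounts to in pf.conf syntax on the underlying FreeBSD pf. The WAN interface name `em0` and the WAN address `203.0.113.1` are assumed placeholders; the three private prefixes are the alias from the post. Because BGP-learned prefixes are not interfaces, pfSense's automatic outbound NAT never sees them, so the source match has to be widened explicitly, which is exactly what the alias does.

```conf
# Added example: hand-written pf.conf equivalent of an outbound NAT mapping
# with source alias "RFC1918" on the WAN. Placeholders (assumed): WAN
# interface em0, WAN address 203.0.113.1.

# The alias as a pf table: all private source space the edge may route for,
# whether directly connected or learned via BGP.
table <RFC1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Keep the source port for IKE (UDP/500) so IPsec peers behind NAT still
# work; pf nat rules are first-match, so this must come before the catch-all.
nat on em0 inet proto udp from <RFC1918> to any port = 500 -> 203.0.113.1 static-port

# Catch-all: translate any private source leaving the WAN to the WAN address,
# picking a random high source port.
nat on em0 inet from <RFC1918> to any -> 203.0.113.1 port 1024:65535
```

        To confirm what the firewall actually loaded after saving the hybrid rule in the GUI, `pfctl -sn` lists the active NAT rules and `pfctl -t RFC1918 -T show` lists the table members; a BGP-learned prefix that is still not translated will show up as a source address outside the table rather than as a missing rule.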
        • lugwitz

          Okay, by chance is there a way to script and automate this?

          1 Reply Last reply Reply Quote 0
          • Derelict LAYER 8 Netgate

            No.

            That is why I suggested NAT for all private space.


            1 Reply Last reply Reply Quote 1
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.