NAT issue for networks not directly connected to the firewall.

  • I have one pfsense router which is my edge, which has a LAN for standard user net access and a second subnetwork that has more pfsense routers on that net. On that the secondary sub-network I have BGP sharing routes and the connection between all advertised network run okay locally. The LAN users and any other network that is directly attached to the edge router can be NATed and translate to the public internet .

    The downstream routers have learned the default route via BGP and point to the correct location, so this isn't a routing issue. Other routers on the second network are not NATing and forwarding traffic to the edge router as expected. But the edge router is only willing to NAT network that are directly connected but not the networks that are learned via BGP.

    There anyway to have pfsense NAT those networks that are learned anyway via BGP?

  • LAYER 8 Netgate

    pfSense has no idea those source networks exist.

    In Firewall > NAT, Outbound switch to hybrid mode and add them.

    A common shortcut is to just make an alias called RFC1918 that contains:

    And just NAT everything from source RFC1918. It doesn't really matter because it only applies to traffic already routed out the WAN in the first place so if it's an RFC1918 source at that point it should probably have its source address translated anyway.

  • Okay by chance is there a way to script and automate this?

  • LAYER 8 Netgate


    That is why I suggested NAT for all private space.

Log in to reply