Netgate Discussion Forum
    Automatic Outbound NAT not working

    • peterlecki

      Set up pfSense as a "peer" firewall alongside my main one. I have a block of public IPs and temporarily gave pfSense an IP that is not used in my production on the other firewall. WAN Gateway IP set to my ISP gateway. I can ping public IPs from Diagnostics on pfSense. I set up a test computer with the pfSense LAN IP as its gateway. I can access the UI on the LAN IP, but I cannot reach the outside, even by a basic ping to an IP. Outbound NAT is the default Automatic mode. NAT Reflection disabled. LAN interface does not have a gateway set.

      If I replace the old firewall with pfSense, changing the LAN IP to be the same as the old one, then outbound works. But not inbound, so to troubleshoot I wanted to have them both up.

      • viragomann @peterlecki

        @peterlecki said in Automatic Outbound NAT not working:

        If I replace the old firewall with pfSense, changing the LAN IP to be the same as the old one, then outbound works.

        That leads me to suspect that the test computer didn't really use the new gateway IP.

        Why do you think that it's the outbound NAT? Did you sniff the traffic?
        If not, do a packet capture on LAN and, if you can see the packets there, also on WAN to verify whether the outbound NAT is working properly.

        • peterlecki @viragomann

          @viragomann
          I was wrong, it's not Outbound NAT. I can see ICMP packets on LAN and translated on WAN. So I guess it must be the ISP router not sending them back to the translated IP? I only see echo requests, no replies.

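The capture comparison viragomann suggests, and the result peterlecki reports (requests translated on WAN, no replies), as an added example that is not code from the thread or from pfSense. It pairs a LAN-side and a WAN-side `tcpdump` text capture and reports whether requests were translated and whether replies came back for the WAN address. The interface names, addresses and the capture lines are constructed assumptions; on a real box you would feed it the two capture files instead of the embedded samples. Requests are matched on destination and ICMP sequence number rather than the echo id, which NAT may rewrite.

```shell
#!/bin/sh
# Added example, not from the thread: pair a LAN-side and a WAN-side tcpdump
# capture to confirm that outbound NAT is translating and that replies return.
# On pfSense the captures would be taken with something like
#   tcpdump -ni igb1 -l icmp > lan.txt     # LAN interface (name is an assumption)
#   tcpdump -ni igb0 -l icmp > wan.txt     # WAN interface (name is an assumption)

# Constructed sample captures in tcpdump text format (documentation / RFC 1918
# addresses, not real hosts). WAN address is 203.0.113.2; the test host
# 192.168.10.20 pings 198.51.100.5 twice.
SAMPLE_LAN='12:00:00.000100 IP 192.168.10.20 > 198.51.100.5: ICMP echo request, id 4321, seq 1, length 64
12:00:01.000100 IP 192.168.10.20 > 198.51.100.5: ICMP echo request, id 4321, seq 2, length 64'

# WAN as described in the thread: translated requests leave, nothing comes back.
SAMPLE_WAN_NOREPLY='12:00:00.000150 IP 203.0.113.2 > 198.51.100.5: ICMP echo request, id 51234, seq 1, length 64
12:00:01.000150 IP 203.0.113.2 > 198.51.100.5: ICMP echo request, id 51234, seq 2, length 64'

# WAN on a healthy box: translated requests plus replies addressed to the WAN IP.
SAMPLE_WAN_OK="$SAMPLE_WAN_NOREPLY
12:00:00.010000 IP 198.51.100.5 > 203.0.113.2: ICMP echo reply, id 51234, seq 1, length 64
12:00:01.010000 IP 198.51.100.5 > 203.0.113.2: ICMP echo reply, id 51234, seq 2, length 64"

# nat_check LANFILE WANFILE WANIP  -> prints counters and one verdict:
#   NOT_TRANSLATED     LAN requests never appear on WAN with the WAN source:
#                      the problem is on the firewall (outbound NAT / routing)
#   NO_RETURN_TRAFFIC  translated requests leave but no replies arrive for WANIP:
#                      the problem is upstream (nothing delivers to that address)
#   OK                 requests are translated and answered
nat_check() {
    lanfile="$1" wanfile="$2" wanip="$3"
    awk -v wanip="$wanip" '
        # keep only "ts IP src > dst: ICMP echo request|reply, id N, seq M, length L"
        $2 != "IP" || $6 != "ICMP" || $7 != "echo" { next }
        {
            src = $3
            dst = $5; sub(/:$/, "", dst)
            kind = $8; sub(/,$/, "", kind)
            seq = ""
            for (i = 1; i < NF; i++) if ($i == "seq") { seq = $(i + 1); sub(/,$/, "", seq) }
            fkey = dst SUBSEP seq     # key for a request going out
            rkey = src SUBSEP seq     # key for a reply coming back
        }
        FILENAME == ARGV[1] {         # first file is the LAN capture: record requests
            if (kind == "request") { lanreq[fkey] = src; nlan++ }
            next
        }
        kind == "request" && src == wanip && (fkey in lanreq) { ntrans++ }
        kind == "reply"   && dst == wanip && (rkey in lanreq) { nrep++ }
        END {
            if (nlan == 0)        verdict = "NO_LAN_TRAFFIC"
            else if (ntrans == 0) verdict = "NOT_TRANSLATED"
            else if (nrep == 0)   verdict = "NO_RETURN_TRAFFIC"
            else                  verdict = "OK"
            printf "lan_requests=%d translated=%d replies=%d verdict=%s\n", nlan, ntrans, nrep, verdict
        }' "$lanfile" "$wanfile"
}

# Run the check over the constructed samples (replace with real capture files).
run_demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_LAN" > "$dir/lan.txt"
    printf '%s\n' "$SAMPLE_WAN_NOREPLY" > "$dir/wan-noreply.txt"
    printf '%s\n' "$SAMPLE_WAN_OK" > "$dir/wan-ok.txt"
    nat_check "$dir/lan.txt" "$dir/wan-noreply.txt" 203.0.113.2
    nat_check "$dir/lan.txt" "$dir/wan-ok.txt" 203.0.113.2
    rm -rf "$dir"
}

run_demo
```

The NO_RETURN_TRAFFIC verdict is the situation in this thread: the firewall's NAT is fine, so the next place to look is whatever sits upstream and is supposed to deliver packets for the translated address back to the firewall.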
          • viragomann

            @peterlecki
            You have public IPs behind an ISP router?

            And what is the device that you called "other firewall for production" above?

            • peterlecki @viragomann

              @viragomann
              WatchGuard XTM. I removed the IP assigned to pfSense from the WatchGuard's "secondary" IPs on the WAN interface, which is their implementation of the Virtual IP concept. I'm not onsite right at the moment, but I just thought of a troubleshooting step: connect the test computer directly to the ISP's router, bypassing both firewalls.

              • peterlecki @viragomann

                @viragomann
                I figured it out, but some confusion remains. The reason it wasn't working, and is now, was that 1:1 NAT was not properly/completely configured because the Proxy ARP Virtual IP was not set up. Once I entered that, it started working. The confusion is that I have another network with the same pfSense firewall, and on that one I configured 1:1 NAT the same way but without the Proxy ARP. That one is working fine; those machines get NATed correctly. So how is it that Proxy ARP is needed on this network but not the other?

                • peterlecki @peterlecki

                  Never mind, I figured that one out too. That ISP router was routing all traffic destined for my IP block to the firewall despite no ARP response.

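The Proxy ARP finding in the two posts above (a 1:1 NAT address needs a Proxy ARP Virtual IP when the ISP router ARPs for it, but not when the router routes the whole block to the firewall), as an added example that is not code from the thread or from pfSense. It reads a WAN-side ARP capture and, for each public address the firewall is supposed to own, says whether the address was answered, asked for and never answered, or never asked for at all. The interface name, the addresses, the MAC and the capture lines are constructed assumptions; substitute a real capture file for the embedded sample.

```shell
#!/bin/sh
# Added example, not from the thread: decide from a WAN-side ARP capture whether
# a 1:1 NAT address needs a Proxy ARP virtual IP. On pfSense the capture would be
# taken with (interface name is an assumption):
#   tcpdump -ni igb0 -l arp > wan-arp.txt
# Reasoning, following the thread: if the ISP router ARPs for the extra public
# IP and nobody answers, it cannot deliver return traffic for that IP and a
# Proxy ARP VIP is required; if the router never ARPs for it, it is routing the
# block to the WAN address and no ARP entry is needed.

# Constructed sample in tcpdump ARP text format (documentation addresses).
# 203.0.113.1  = ISP router
# 203.0.113.2  = pfSense WAN address (answered with the firewall's MAC)
# 203.0.113.10 = 1:1 NAT address with no VIP configured (asked, never answered)
SAMPLE_WAN_ARP='12:00:01.000000 ARP, Request who-has 203.0.113.2 tell 203.0.113.1, length 46
12:00:01.000200 ARP, Reply 203.0.113.2 is-at 00:11:22:33:44:55, length 28
12:00:05.000000 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
12:00:06.000000 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46
12:00:07.000000 ARP, Request who-has 203.0.113.10 tell 203.0.113.1, length 46'

# arp_status IP < capture  -> prints one of:
#   ANSWERED     a reply "IP is-at <mac>" was seen: something on the wire claims the address
#   UNANSWERED   the router asks for IP and nothing answers: add a Proxy ARP VIP for it
#   NOT_QUERIED  no ARP for IP at all: the router routes the block to the WAN address
# The field scan accepts both the "ARP, Request who-has" and the older
# "arp who-has" output styles of tcpdump.
arp_status() {
    awk -v ip="$1" '
        /who-has/ { for (i = 1; i < NF; i++) if ($i == "who-has" && $(i + 1) == ip) req++ }
        /is-at/   { for (i = 2; i < NF; i++) if ($i == "is-at"   && $(i - 1) == ip) rep++ }
        END {
            if (rep > 0)      print "ANSWERED"
            else if (req > 0) print "UNANSWERED"
            else              print "NOT_QUERIED"
        }'
}

# check_block IP...  -> one "STATUS IP" line per address, over the sample capture.
check_block() {
    for ip in "$@"; do
        printf '%s %s\n' "$(printf '%s\n' "$SAMPLE_WAN_ARP" | arp_status "$ip")" "$ip"
    done
}

check_block 203.0.113.2 203.0.113.10 203.0.113.11
```

An UNANSWERED address is the case that was fixed in this thread by adding a Proxy ARP Virtual IP for the 1:1 NAT address; a NOT_QUERIED address on a working 1:1 NAT is the other network in the thread, where the upstream router already sends the whole block to the firewall's WAN address.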
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.