Help with NAT



  • Please help in the following scenario (pfsense 1.2.2):
                    _______
        WAN ------ |pfSense|------- LAN (192.168.1.1/24)
                   |       |------- LAN2 (10.11.1.1/24)
                   |_______|------- LAN3 (10.11.2.1/24)

    I want all three LANs to see each other and have internet access through wan.
    I have to separate them because there are some specific rules to force.
    Also, on LAN1 there is a gateway, 192.168.1.16, for the whole 192.168.0.0/16 subnet, which I also want all the LANs to have access to.

    I have tried all sorts of configurations but with no luck.

    The setup that worked partially was to define opt1 and opt2 as lan2 and lan3, with IPs but without gateways, then set manual NAT for each subnet for internet access.
    I also added a static rule for the 192.168.0.0/16 subnet through LAN.

    I now have internet access for all LANs, but they cannot see each other... please help!



  • What do you mean with "see each other"?
    Are you talking about windows shares? This will never work in a routed setup unless you configure a WINS server.

    The setup that worked partially was to define opt1 and opt2 as lan2 and lan3, with IPs but without gateways, then set manual NAT for each subnet for internet access.
    I also added a static rule for the 192.168.0.0/16 subnet through LAN.

    You should not need manual outbound NAT in such a setup.

    Unless you are using an interface as WAN you should NEVER set a gateway on it.

    Did you set a static route on the pfSense for the 192.168.0.0/16 subnet pointing to the 192.168.1.16 IP?



  • By seeing each other I was talking about ping…
    In my setup, not even ping is working.
    The static route is working ok for all subnets.
    But, for example, 192.168.1.10 cannot ping 10.11.1.16 and vice versa.
    traceroute stops at 10.11.1.16.
    They are all browsing the internet fine; the firewall on all interfaces except WAN is set to allow all from any to any.
    Sometimes (for example now), from 10.11.1.10 I can ping 10.11.2.101... weird, and it is the only host that is answering, despite there being about 50 hosts up.



  • Can you show screenshots of the firewall rules you created on each interface?
    Do you actually have a firewall rule allowing ICMP (ping)?



  • @alexandru.ast:

    By seeing each other I was talking about ping…
    In my setup, not even ping is working.
    The static route is working ok for all subnets.
    But, for example, 192.168.1.10 cannot ping 10.11.1.16 and vice versa.
    traceroute stops at 10.11.1.16.
    They are all browsing the internet fine; the firewall on all interfaces except WAN is set to allow all from any to any.
    Sometimes (for example now), from 10.11.1.10 I can ping 10.11.2.101... weird, and it is the only host that is answering, despite there being about 50 hosts up.

    You said traceroute stops at 10.11.1.16? If it is the first result, that would indicate you are using 10.11.1.16 as your gateway. If you expect this to work, you will need to have your clients pointing to pfSense for their default gateway. (Or a bunch more static routes on devices you don't have on this map. :( )



  • Traceroute stops at 10.11.1.1, my mistake! Sorry.
    At this moment, the static routes are only working from LAN1 (also where the gateway for the route is located); if any other (LAN2 or LAN3) traceroutes to that route, the trace stops at 192.168.1.1.
    The firewall rules are on all lan interfaces (named LAN, DMZ1, DMZ2) to allow from all to all:

    <filter>
      <rule>
        <type>pass</type>
        <interface>wan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <protocol>tcp</protocol>
        <source>
          <address>iof</address>
        </source>
        <destination>
          <any/>
          <port>palfo</port>
        </destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>wan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <protocol>tcp/udp</protocol>
        <source>
          <any/>
        </source>
        <destination>
          <any/>
          <port>palfe</port>
        </destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>opt2</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source>
          <any/>
        </source>
        <destination>
          <any/>
        </destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>opt1</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source>
          <any/>
        </source>
        <destination>
          <any/>
        </destination>
      </rule>
      <rule>
        <type>pass</type>
        <interface>lan</interface>
        <max-src-nodes/>
        <max-src-states/>
        <statetimeout/>
        <statetype>keep state</statetype>
        <os/>
        <source>
          <any/>
        </source>
        <destination>
          <any/>
        </destination>
      </rule>
      <bypassstaticroutes/>
    </filter>



  • You will also need a route for the 10.11.1.0/24 and 10.11.2.0/24 networks on the 192.168.1.16 router (pointing to the pfSense LAN IP address). A default route works too if you don't already have one.

    Otherwise your traffic will make it to the destination, but the 192.168.1.16 router won't know where to send the return traffic.

    That would fit your symptoms.
    Clients on the same network as the router can communicate successfully because the router knows it is attached to 192.168.1.0/24.
    pfSense is forwarding traffic from its 10 networks to that address, and the router doesn't have any entry in its routing table for returning traffic, so you don't have connectivity.
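    The asymmetric-routing diagnosis in the reply above, modelled as a small longest-prefix-match simulation. This is an added example, not the poster's or pfSense's own code; the routing tables, the device names "pfsense" and "router", the host 192.168.5.20 behind the 192.168.1.16 router and the WAN gateway 203.0.113.1 are constructed assumptions.

```python
import ipaddress

# Constructed routing tables for the thread's topology (an added example, not the
# poster's config). Entries are (prefix, next_hop); next_hop None means on-link.
PFSENSE = [
    ("192.168.1.0/24", None),            # LAN
    ("10.11.1.0/24", None),              # LAN2 (opt1)
    ("10.11.2.0/24", None),              # LAN3 (opt2)
    ("192.168.0.0/16", "192.168.1.16"),  # the static route discussed in the thread
    ("0.0.0.0/0", "203.0.113.1"),        # WAN default gateway (assumed address)
]
# The 192.168.1.16 router as described: it serves 192.168.0.0/16 and knows nothing
# about the 10.11.x.x subnets, so it has no return route for them.
ROUTER_BEFORE = [("192.168.1.0/24", None), ("192.168.0.0/16", None)]
# The fix from the last reply: routes for both 10.11 subnets pointing at pfSense's LAN IP.
ROUTER_AFTER = ROUTER_BEFORE + [("10.11.1.0/24", "192.168.1.1"),
                                ("10.11.2.0/24", "192.168.1.1")]
# Which device owns which next-hop address (assumed names for the two devices).
DEVICE_BY_IP = {"192.168.1.1": "pfsense", "192.168.1.16": "router"}


def lookup(table, dst):
    """Longest-prefix match; returns (network, next_hop) or None when no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(tables, start, dst, max_hops=8):
    """Hop through routing tables from `start`; returns the device path, or None if dropped."""
    path, device = [start], start
    for _ in range(max_hops):
        route = lookup(tables[device], dst)
        if route is None:
            return None                      # no route: the packet is dropped here
        _, next_hop = route
        if next_hop is None:
            return path                      # destination is on-link: delivered
        device = DEVICE_BY_IP.get(next_hop)
        if device is None:
            return None                      # next hop is outside the model (e.g. the ISP)
        path.append(device)
    return None


def round_trip(router_table, src, dst):
    """Ping from src (default gateway pfSense) to dst; returns (forward path, reply path)."""
    tables = {"pfsense": PFSENSE, "router": router_table}
    out = forward(tables, "pfsense", dst)
    back = forward(tables, out[-1], src) if out else None
    return out, back
```

    With ROUTER_BEFORE a host on 10.11.1.0/24 reaches the far side but the reply is dropped at the router, while a LAN1 host gets its reply because the router is attached to 192.168.1.0/24; with ROUTER_AFTER both directions complete.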

