NAT with Public WAN and Public OPT Interface



  • I have a static IP assigned to my by my provider (a.b.c.d/27). I've used this as my WAN interface. In addition, my provider routes a public subnet to me (w.x.y.z/28) via this address, which is set up as a vlan on the same interface. I want to use my "public subnet" interface address to do all NAT (inbound and outbound), and NOT the WAN IP, which will be used for VPN termination only. I've attempted to setup 1.2.x with this arrangement, but I cannot get it to work properly. When I punt and use the WAN for outbound NAT (I haven't done the inbound yet), it works as expected. As soon as I "switch" to using the interface assigned to the public subnet (OPT1, but I think thats irrelevent). Not only does no NAT occur, but I get no entries in the log file (firewall) to see where the packets might be denied.

    What have I missed ?

    The reason I want to use the public subnet for NAT is that I control this network (including forward and reverse DNS), and the static IP assigned my my provider is subject to change. Its also convenient to separate NAT from VPN termination.

    Any help appreciated.



  • Well, nothing so far, so here's a small diagram, and some further explanation.

    My wan interface is a single publicly addressable IP, given to me by my provider, this is a /27, and my default gateway is D.E.F.1/27. The "pubinternet" interface, is a public addressable  /28 network which is routed to my WAN interface by my provider. There are some machines on this interface (in fact, there is another pfsense box there too), which are internet accessable. There are currently 3 networks behind the pfsense, all running on a single interface with vlans. Outgoing traffic from the LAN and PublicAccess networks must simply be NAT'ed to the outside (preferably the PubInternet IP)

    The DMZ network is "special". I'll need to port forward certain ports from the PubInternet interface IP to the machine in the DMZ (the usual stuff, smtp/http/dns/ntp), and also NAT oubound traffic from the DMZ, also via the  PubInternetIP. I'm using AoN, for what its worth.

    Unfortunately, I cannot get this setup to work (NAT, anyway). Routing and traffic flow seem to work (all of the machines on the Public Internet LAN can connect through PFsense, build their IPSec and OpenVPN tunnels, etc). NAT only seems to work properly when I use the WAN interface for inbound/outbound NAT. If I try to use the PubInternet interface for inbound/outbound NAT, not only does it not work, but there is nothing logged to the logfiles at all, making it difficult to debug.

    If this is not supposed to work, that'd be okay too, and I can fallback to using the Cisco again, but I'd prefer to use my pfsense and dump the Cisco altogether!




  • I dont think it's related, but:
    Are your VLANs all on the same switch?
    I see that you mix tagged and untagged traffic on the same interface.
    This "could" be a problem.

    I dont think you can do with the current setup what you describe.

    Traffic would have to leave via one interface ( the /28), get NATed, reenter on the same interface and get routed to the WAN.

    How does you ISP handle traffic on his side?
    Will traffic from your IPs be routed to your main WAN IP no matter where it comes from?

    You could scrap the /28 VLAN and add the additional public IPs on the WAN directly with PARP type VIPs (CARP wont work since it's a different subnet).
    You then can use these VIPs in outbound NAT rules.



  • @GruensFroeschli:

    I dont think it's related, but:
    Are your VLANs all on the same switch?
    I see that you mix tagged and untagged traffic on the same interface.
    This "could" be a problem.

    Yes, they are. The interfaces on the pfsense box are in a vlan which is native on the trunk port on the switch.

    I dont think you can do with the current setup what you describe.

    Traffic would have to leave via one interface ( the /28), get NATed, reenter on the same interface and get routed to the WAN.

    Well, can I get "around" this by using another physical interface on the pfsense box for the PublicInternet, instead of using a vlan interface, and "moving" the rules to that interface ? If that would work, I'd (not really happily) do it.

    How does you ISP handle traffic on his side?
    Will traffic from your IPs be routed to your main WAN IP no matter where it comes from?

    My ISP routes all traffic to the /28 subnet via my public wan interface IP.  I assume that in their upstream router they have something like this:

    ip route A.B.C.192/28 0.0.0.15 D.E.F.21

    and are exporting this route to BGP/OSPF/MPLS or whatever they speak upstream

    You could scrap the /28 VLAN and add the additional public IPs on the WAN directly with PARP type VIPs (CARP wont work since it's a different subnet).
    You then can use these VIPs in outbound NAT rules.

    I NEED the /28 VLAN; this is essentially where I can do "internet" testing directly, without having to make ruleset changes on the firewall. There's at least a half dozen boxes on that subnet now, and I do not really want to to make VIPS and manage  a constantly changing ruleset for each one of those boxes, some of which might be "foreign" machines with DHCP assigned addresses.

    If I can make this work by using a separate physical interface for the PublicInternet, I'd be happy, but have to forgo using CARP which I was "saving" the last interface for (its an ALIX)….


Log in to reply