Netgate Discussion Forum

    Routing not working without outbound NAT

    • Bob.Dig @Baby_newbie

      @Baby_newbie said in Routing not working without outbound NAT:

      I'm trying to send internet traffic to the Internet. It does not work.
      If I enable the Outbound NAT 'Manual' it starts to work fine.

      Highly unlikely.

      My advice, don't use a firewall at your knowledge state.

      • viragomann @Baby_newbie

        @Baby_newbie said in Routing not working without outbound NAT:

        Is this even if you are using rfc1918/private addressing on both sides of the interface?
        The WAN interface I have gets an ip from the dhcp/broadband server = 192.168.0.201.
        LAN is 192.168.2.1/24

        Yes.
        Your router will only know the WAN network of pfSense, but not the LAN. So it might NAT only this subnet.

        With outbound NAT enabled on pfSense, traffic from the LAN behind it is translated into the WAN address. The outer router then translates it a second time into its internet IP.

        If you want to NAT the traffic only once, you would have to configure the router to do the translation for the LAN subnet and also add a static route for the LAN and point it to the pfSense WAN IP.

        • JonathanLee @Baby_newbie

          @Baby_newbie pfSense will auto add NAT config if you have it set to auto or hybrid. I would just leave it be. If you are new to this, no problem, and if you got this for cyber security I would set up IPS/IDS with Snort and leave the default config from the pfSense wizard. That will get you running the fastest.

          Make sure to upvote

          • viragomann @JonathanLee

            @JonathanLee said in Routing not working without outbound NAT:

            pfSense will auto add NAT config if you have it set to auto or hybrid.

            Yeah, but only if you state a gateway in the (WAN) interface settings. If you miss that, no NAT rules are added.

            • mcury @viragomann

              @viragomann I think what he is trying to accomplish is to disable NAT in pfSense to avoid double NAT, and let the ISP modem do the NATting to the Internet.

              If that is what he wants, he needs to add a static route in the ISP modem saying that his internal network is behind pfSense's WAN IP (next hop to the internal network).

              dead on arrival, nowhere to be found.

              • Baby_newbie @viragomann

                @viragomann With outbound NAT disabled, this is also what I was expecting: the source IP not changing, and having to add a static route on the BB router. That was until I saw the packet capture. Attached is the capture from the physical interfaces:

                Src of ICMP = 192.168.2.225
                pfSense WAN today is 192.168.0.202
                pfSense LAN = 192.168.2.1

                No NAT
                LAN
                14:41:55.318906 IP 192.168.2.10.1093 > 192.168.2.1.80: tcp 0
                14:41:56.050895 ARP, Request who-has 192.168.2.117 tell 192.168.2.225, length 46
                14:41:56.269203 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 15, length 64
                14:41:57.271272 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 16, length 64
                14:41:58.273991 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 17, length 64

                WAN
                14:42:30.777093 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 226, length 8
                14:42:30.780480 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 226, length 8
                14:42:31.133872 a0:bd:cd:aa:9a:48 > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x7374), length 66:
                14:42:31.236228 IP 192.168.0.161.60759 > 192.168.0.255.15600: UDP, length 35
                14:42:31.301052 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 227, length 8
                14:42:31.304596 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 227, length 8
                14:42:31.338042 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 50, length 64
                14:42:31.831135 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 228, length 8
                14:42:31.835404 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 228, length 8
                14:42:32.055272 a0:bd:cd:aa:9a:49 > ff:ff:ff:ff:ff:ff, Unknown Ethertype (0x7380), length 60:
                14:42:32.341517 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 51, length 64
                14:42:32.387908 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 229, length 8
                14:42:32.388147 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 229, length 8
                14:42:32.909470 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 230, length 8

                With NAT
                LAN
                14:45:20.180546 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 64777, seq 19, length 64
                14:45:20.200514 IP 8.8.8.8 > 192.168.2.225: ICMP echo reply, id 64777, seq 19, length 64
                14:45:21.183339 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 64777, seq 20, length 64
                14:45:21.202300 IP 8.8.8.8 > 192.168.2.225: ICMP echo reply, id 64777, seq 20, length 64

                WAN
                14:47:12.454980 IP 192.168.0.202 > 8.8.8.8: ICMP echo request, id 8708, seq 131, length 64
                14:47:12.471696 IP 8.8.8.8 > 192.168.0.202: ICMP echo reply, id 8708, seq 131, length 64
                14:47:12.513886 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 753, length 8
                14:47:12.517257 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 753, length 8
                14:47:13.064666 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 754, length 8
                14:47:13.068606 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 754, length 8
                14:47:13.354923 IP 192.168.0.161.38660 > 192.168.0.255.15600: UDP, length 35
                14:47:13.457792 IP 192.168.0.202 > 8.8.8.8: ICMP echo request, id 8708, seq 132, length 64
                14:47:13.476287 IP 8.8.8.8 > 192.168.0.202: ICMP echo reply, id 8708, seq 132, length 64
                14:47:13.611799 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 755, length 8
                14:47:13.615125 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 755, length 8


                • mcury @Baby_newbie

                  @Baby_newbie You are not getting an answer with NAT disabled; most probably the packet is being dropped in your device ahead of pfSense, because it doesn't have a route to your internal network (behind pfSense).

                  A router only has routes to directly connected networks, and a default route to the Internet.

                  So, you ping from LAN, your pfSense sends the packet without NAT, your ISP modem sends it to the Internet and doesn't know how to forward it back to your internal LAN, and drops it.

                  Add a route as mentioned earlier and it will work.
                  But note that ISP modems usually don't give you that configuration option.

                  Edit:
                  Another option, which I prefer, is to configure your ISP modem as a bridge.

                  dead on arrival, nowhere to be found.

                  • Baby_newbie @mcury
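As an added diagnostic, not part of the thread, the script below pairs ICMP echo requests in tcpdump output with their replies by (id, seq) and lists the flows that never get one. The embedded sample lines are copied from the WAN captures posted above: without NAT the untranslated LAN source 192.168.2.225 leaves on WAN and is never answered (the symptom mcury describes), while the gateway-monitor pings (id 15092, length 8) form a separate, answered flow; with NAT the user ping carries the WAN address and a rewritten ICMP id, and gets replies.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the thread's WAN captures, tcpdump format.
# No NAT: user ping leaves untranslated and is never answered; the gateway-monitor
# pings (id 15092, length 8) to 192.168.0.1 are answered.
WAN_NO_NAT = """\
14:42:30.777093 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 226, length 8
14:42:30.780480 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 226, length 8
14:42:31.338042 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 50, length 64
14:42:32.341517 IP 192.168.2.225 > 8.8.8.8: ICMP echo request, id 57865, seq 51, length 64
"""
# With NAT: the user ping now carries the WAN address (and a NAT-rewritten id) and gets replies.
WAN_NAT = """\
14:47:12.454980 IP 192.168.0.202 > 8.8.8.8: ICMP echo request, id 8708, seq 131, length 64
14:47:12.471696 IP 8.8.8.8 > 192.168.0.202: ICMP echo reply, id 8708, seq 131, length 64
14:47:12.513886 IP 192.168.0.202 > 192.168.0.1: ICMP echo request, id 15092, seq 753, length 8
14:47:12.517257 IP 192.168.0.1 > 192.168.0.202: ICMP echo reply, id 15092, seq 753, length 8
"""

ICMP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)"
)

def icmp_flow_report(capture):
    """Return {(req_src, req_dst, icmp_id): {"sent": n, "answered": n}}."""
    pending = {}  # (id, seq) -> (src, dst) of the outstanding request
    report = defaultdict(lambda: {"sent": 0, "answered": 0})
    for line in capture.splitlines():
        m = ICMP_RE.match(line)
        if not m:
            continue  # ARP, UDP and non-echo traffic are ignored
        src, dst, icmp_id, seq = m["src"], m["dst"], int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            pending[(icmp_id, seq)] = (src, dst)
            report[(src, dst, icmp_id)]["sent"] += 1
        else:
            # A reply answers the request whose src/dst it mirrors.
            if pending.pop((icmp_id, seq), None) == (dst, src):
                report[(dst, src, icmp_id)]["answered"] += 1
    return dict(report)

def unanswered_flows(capture):
    """Flows that sent at least one echo request and saw no reply at all."""
    return sorted(k for k, v in icmp_flow_report(capture).items() if v["answered"] == 0)
```

Run it on a real capture (e.g. `tcpdump -ni <if> icmp`) of each interface in turn; a LAN source address appearing unanswered on the WAN side means the upstream device has no return route for that subnet.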

                    @mcury Thank you for your response.

                    I think I see what was happening. I was being confused by two sets of ICMP flows: one generated by me and a second that is generated by the pfSense box itself.

                    Any ideas why pfSense continuously sends ICMP on the WAN to its gateway?

                    • JonathanLee @Baby_newbie

                      @Baby_newbie it sends them to make sure the gateway is still working.

                      Make sure to upvote

                      • Baby_newbie @JonathanLee

                        @JonathanLee Thank you.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.