• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Unable to NAT an external ip to a gateway on another network

Scheduled Pinned Locked Moved NAT
11 Posts 3 Posters 954 Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • V
    VincentEmmanuel
    last edited by Oct 16, 2023, 8:47 AM

    Hi everyone,

    I have a scenerio as below

    Capture.PNG

    The CATO socket uses its WAN port to access internet and it is currently connected to the FW LAN for internet access
    The LAN port is connected as an interface in the FW marked as CATO. I setup the FW IP 10.1.79.2 to use its LAN Port as a GW 10.1.79.1

    My goal is to NAT 172.16.1.3 from my DMZ to 10.1.79.1.

    SO far my attempts are unsuccessful and hence wanted some help here.

    What I have done so far

    NAT 1:1 172.16.1.3 => 10.1.79.1 NAT reflection enabled

    In DMZ rules, allow DMZ net to access CATO net

    The result now

    On my server, I can ping 172.16.1.3 but it seems unreal as the TTL is > 1ms
    Ping to 10.1.79.1 is unsuccessful.

    On FW, it can ping 10.1.79.1
    it can ping 10.1.79.1 as DMZ interface.

    Any help is appreciated. THanks! :)

    V 1 Reply Last reply Oct 16, 2023, 12:52 PM Reply Quote 0
    • V
      viragomann @VincentEmmanuel
      last edited by Oct 16, 2023, 12:52 PM

      @VincentEmmanuel said in Unable to NAT an external ip to a gateway on another network:

      The CATO socket uses its WAN port to access internet and it is currently connected to the FW LAN for internet access

      Internet access across the firewall is working so far?

      My goal is to NAT 172.16.1.3 from my DMZ to 10.1.79.1.

      Which device is 172.16.1.3 assigned to? To the DMZ interface of pfSense?
      Can you state all interface IPs, please.

      Why NAT 1:1?
      As I got you, you want to call 172.16.1.3 on the DMZ server and get to 10.1.79.1?
      If the IP is assigned to pfSense a simple port forwarding should do the job.

      Which gateways are defined on pfSense?

      Which do the involved devices use as default gateway?

      I guess, all subnets are /24, as you didn't state.

      Why are you using a public IP space for the DMZ?
      Is it bridged to WAN or is it routed through pfSense?

      V 1 Reply Last reply Oct 16, 2023, 1:05 PM Reply Quote 0
      • V
        VincentEmmanuel @viragomann
        last edited by Oct 16, 2023, 1:05 PM

        @viragomann

        Yes internet access is working so far.

        Which device is 172.16.1.3 assigned to? To the DMZ interface of pfSense?
        172.16.1.3 is consider an external ip address, it does not belong to any interface on the FW. (It is a internal ip inside the cato network)

        172.65.1.0/24 (DMZ)
        10.65.1.0/24 (LAN)
        10.1.79.0/24 (CATO)
        118.xxx.xxx.xxxx (WAN)

        Gateway are
        WAN = > 118.xxx.xxx.xxxx (default)
        CATO => 10.1.79.1

        I set a rule to allow this particular DMZ server ip to access the CATO network via the CATO GW.

        S V 2 Replies Last reply Oct 16, 2023, 1:15 PM Reply Quote 0
        • S
          SteveITS Galactic Empire @VincentEmmanuel
          last edited by SteveITS Oct 16, 2023, 1:15 PM Oct 16, 2023, 1:15 PM

          @VincentEmmanuel If it’s not on your pfSense then pfSense doesn’t know about it so you need a static route:

          https://docs.netgate.com/pfsense/en/latest/routing/static.html#example-static-route

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

          V V 2 Replies Last reply Oct 16, 2023, 1:22 PM Reply Quote 0
          • V
            viragomann @VincentEmmanuel
            last edited by Oct 16, 2023, 1:20 PM

            @VincentEmmanuel said in Unable to NAT an external ip to a gateway on another network:

            172.16.1.3 is consider an external ip address, it does not belong to any interface on the FW. (It is a internal ip inside the cato network)

            So this means, the CATO will know, how to route this IP?
            And the CATO also know, how to route the source 172.65.1.12 back to pfSense?
            Since you say, pfSense is the default gateway, it should.

            In this case you would only need to add a static route to pfSense for 172.16.1.3 and point it to CATO. No NAT needed then.

            1 Reply Last reply Reply Quote 0
            • V
              viragomann @SteveITS
              last edited by Oct 16, 2023, 1:22 PM

              @SteveITS
              This isn't necessary here, since pfSense is the default gateway on the server. So it routes this IP to pfSense anyway.
              pfSense just need to forward it properly.

              S 1 Reply Last reply Oct 16, 2023, 2:07 PM Reply Quote 0
              • S
                SteveITS Galactic Empire @viragomann
                last edited by Oct 16, 2023, 2:07 PM

                @viragomann said in Unable to NAT an external ip to a gateway on another network:

                In this case you would only need to add a static route to pfSense

                but also

                This [static route] isn't necessary here

                ?

                Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                Upvote 👍 helpful posts!

                V 1 Reply Last reply Oct 16, 2023, 2:28 PM Reply Quote 0
                • V
                  viragomann @SteveITS
                  last edited by Oct 16, 2023, 2:28 PM

                  @SteveITS

                  If it’s not on your pfSense then pfSense doesn’t know about it so you need a static route:

                  This small statement and the fact that the TO was fighting with NAT let me assume, that you were talking about the DMZ host.

                  For sure, on pfSense itself there is a static route needed for this IP. NAT would also be possible though, but this would need an additional forwarding on the CATO.

                  S 1 Reply Last reply Oct 16, 2023, 2:45 PM Reply Quote 0
                  • S
                    SteveITS Galactic Empire @viragomann
                    last edited by Oct 16, 2023, 2:45 PM

                    @viragomann gotcha, agreed :)

                    Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                    When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                    Upvote 👍 helpful posts!

                    1 Reply Last reply Reply Quote 0
                    • V
                      VincentEmmanuel @SteveITS
                      last edited by Oct 17, 2023, 2:55 AM

                      @SteveITS said in Unable to NAT an external ip to a gateway on another network:

                      https://docs.netgate.com/pfsense/en/latest/routing/static.html#example-static-route

                      Thanks guys for the advices.

                      Yes, the CATO socket does have its internal routing which it will know how to route once it reaches its interface.

                      Let me conclude. I just needed a static route in my case 172.16.1.0/24 to gateway 10.1.79.1. Then set the rules to allow it in the CATO interface and then set outbound NAT for it. After which, my DMZ will be able to do a ping 172.16.1.3 and then the gateway should be able to response to the ping because it would forward that packet to the responding server in its network.

                      V 1 Reply Last reply Oct 17, 2023, 10:46 AM Reply Quote 0
                      • V
                        viragomann @VincentEmmanuel
                        last edited by Oct 17, 2023, 10:46 AM

                        @VincentEmmanuel
                        The outbound NAT should not be required here. All traffic will be controlled by routes if pfSense is the default gateway in both networks.

                        With the static route, when the DMZ server sends a packet to 172.16.1.3, it is routed to pfSense, since that's the default gateway. pfSense forwards it to the CATO due to the static route and the CATO forward it to the destination host, since it knows the route to it (however, your graphic is missing 172.16.1.3, so I don't know, how this is set up).

                        Presupposed the CATO is the default gateway on 172.16.1.3, the response packet will be routed to it, and there it is forwarded to pfSense, since this is the default gateway on the CATO, as you said. pfSense has an existing state for the packet and will forward it to the DMZ server.

                        1 Reply Last reply Reply Quote 0
                        11 out of 11
                        • First post
                          11/11
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                          This community forum collects and processes your personal information.
                          consent.not_received