Netgate Discussion Forum
    Route internet from NAT

    General pfSense Questions
    10 Posts 3 Posters 310 Views
    Jsetive (last edited by Jsetive)

      Hello,

      I have a pfSense with problems getting updates. The ISP said that I need to configure the public IP as an IP Alias, put the local IP as the gateway, and route everything through them. The internet in the office is working, but I can't download packages or check whether updates exist.

      IP: 100.64.136.210
      NETMASK: /30
      GTW IP: 100.64.136.209

      WAN IF:

      e1e650ea-b211-4f0f-b02c-808e5161122b-image.png

      Static Routes:

      1f615e91-c3e3-49eb-88fa-c8e116076493-image.png

      Outbound NAT:
      Vlan 10 is the local network.
      f6f34931-377c-4813-87aa-836e996a34c7-image.png

      a6d0e902-ac79-4f24-8ace-6502106b489d-image.png

      I can't ping from WAN IF:

      1f27e04b-c027-44b0-845c-da2f5989d7f7-image.png

      But i can from VLAN10 IF:

      d2284dc9-6332-468e-9bfe-ac8a499cb11c-image.png

      Thanks in advance

      SteveITS (Galactic Empire) @Jsetive (last edited by SteveITS)

        @Jsetive your WAN gateway is set to None.

        I guess you created your static route manually? Just set a gateway.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        stephenw10 (Netgate Administrator)

          Mmm, that static route seems odd there. That should just be the default route anyway. Just add the gateway to the WAN directly, as @SteveITS said.

          Did you add that public IP as a VIP on WAN? Can you ping from that directly?

          You may need an outbound NAT rule for traffic from the firewall itself if the ISP will not correctly route traffic from the CGN address.

          Steve

          Jsetive @stephenw10

            Do you mean set this?

            4ad49509-2ee2-4de3-bd20-2e07261dbcc6-image.png

            This was the old setup; I've removed it since I got the same state with and without the upstream gateway set.

            Did you add that public IP as a VIP on WAN? Can you ping from that directly?

            Yes

            ae99d710-056f-42a5-8e73-c529ae3025db-image.png

            stephenw10 (Netgate Administrator)

              Ok, well, I would go back to that setup with the gateway on WAN directly. That will add a default route, and the static route is just confusing.

              Do you have outbound NAT in hybrid or manual mode? You should use hybrid mode there otherwise none of the auto rules will be generated.

              Jsetive @stephenw10

                @stephenw10

                The outbound NAT is in Hybrid.

                SteveITS (Galactic Empire) @Jsetive

                  @Jsetive Traceroute to 8.8.8.8 from WAN.


                  Jsetive @SteveITS

                    @SteveITS

                    From the WAN IF I can't make a traceroute, but I can from the IP:

                    6d812c85-20c2-4de5-991e-888110650533-image.png

                    SteveITS (Galactic Empire) @Jsetive

                      @Jsetive how far does the traceroute on WAN get?


                      stephenw10 (Netgate Administrator)

                        It sounds like the /30 CGN subnet is used for transport only and is not routed (or NAT'd) by the ISP.

                        In which case you would need to source traffic from the firewall itself from the public VIP.

                        To do that you need an outbound NAT rule that matches it.

                        An alternative here might be to set the public IP as the primary WAN address with the CGN address (100.64.136.210) as the VIP.

                        To add the gateway to the WAN you would need to set the advanced gateway option: Use non-local gateway

                        This is a very unusual config!
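As an added example (not from the thread, and not pfSense's own generated ruleset), this pf fragment shows what the outbound NAT described above amounts to. It assumes em0 is the WAN interface, 10.0.10.0/24 is the VLAN 10 network, and 203.0.113.10 stands in for the public IP Alias, which the thread never names.

```pf
# Constructed pf.conf fragment. pfSense produces equivalent rules from
# Firewall > NAT > Outbound when the mode is Hybrid; this is only to make
# the two rules and their sources explicit.
# Assumptions: em0 = WAN, 10.0.10.0/24 = VLAN 10,
# 203.0.113.10 = the public IP Alias (placeholder, RFC 5737 range).
wan        = "em0"
vlan10_net = "10.0.10.0/24"
public_vip = "203.0.113.10"
cgn_addr   = "100.64.136.210"   # the /30 transport address on WAN

# What the auto rule already does: hosts on VLAN 10 leave via the VIP,
# which is why browsing from the office works.
nat on $wan inet from $vlan10_net to any -> $public_vip port 1024:65535

# The rule the thread is missing: traffic the firewall itself originates
# (update checks, package fetches, pings run from the WAN interface) has
# the CGN address as its source. The ISP does not route that /30, so it
# must be translated to the public VIP as well.
nat on $wan inet from $cgn_addr to any -> $public_vip port 1024:65535
```

On the box, `pfctl -sn` lists the NAT rules actually loaded, and `traceroute -s 100.64.136.210 8.8.8.8` exercises exactly the firewall-sourced path the thread is diagnosing.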

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.