NAT with WAN subnet



  • Hi.

    I'm having some problems setting up NAT when using multiple external addresses (i.e. a /29 subnet). I have a WAN interface set up as x.x.x.18/29, but when making NAT rules I can't select the individual addresses, only "WAN address" or "Any".

    When attempting to use 1:1 NAT I can't get it to work either, and yes, of course I remembered to add firewall rules ;)

    Any hints would be appreciated!

    Regards,
    Martin Kruse



  • I have the same problem; if you fix it, tell me please, and vice versa. Thanks



  • I have the same problem; if you fix it, tell me please, and vice versa. Thanks ;D


  • Rebel Alliance Developer Netgate

    You need to set up Virtual IPs to use the additional IPs for NAT. Check the doc wiki for more details (see the link in my sig).



  • Hello jimp,

    Believe me, I already read all the wikis and tutorials, and I simply can't make pfSense work the way I want. I used eBox and it wasn't difficult to configure, because it has a form to add aliases to the NICs. I've tried to add virtual IPs in all the ways, Proxy CARP, CARP IP and Other, and none works. The only progress is that when I configure a CARP IP I get ping responses, but only from the internal network, not externally.

    I can only NAT the IP of my physical interface, but if I try with a VIP I cannot.

    The last thing I will try before returning to eBox is this:

    http://doc.pfsense.org/multiple-subnets-one-interface-pfsense.pdf

    If that doesn't work then I have no more options :S

    I really like pfSense, especially for the captive portal, although it seems not to work with my VLANs, but I can't try to fix that before fixing the NAT to my services.

    jimp, if you can help us, I'll explain my situation and maybe 7lemo loproc could fix their situation too.

    Well, I have one range with the following configuration:

    Range - x.x.x.224/28 (netmask 255.255.255.240, I can use IPs from .226 until .238)
    Gtw   - x.x.x.225
    DNS1  - 200.33.146.217
    DNS2  - 200.33.146.209

    I use the IP x.x.x.229 on my physical interface because of web domain issues.

    What have I done?

    Well:

    1. I installed pfSense.

    2. I configured the WAN IP in the following way:

    ip: x.x.x.229
      gtw: x.x.x.225
      dns: x.x.x.217

    3. I changed my LAN, because of routing table issues, to:

    LAN ip: 192.168.1.254

    4. I declared 2 static routes to have internet access in my VLANs (the IP 192.168.1.21 is my next hop in the routing table for reaching the VLANs):

    <staticroutes>
      <route>
        <interface>lan</interface>
        <network>172.16.0.0/16</network>
        <gateway>192.168.1.21</gateway>
      </route>
      <route>
        <interface>wan</interface>
        <network>0.0.0.0/32</network>
        <gateway>x.x.x.225</gateway>
      </route>
    </staticroutes>

    5. With this I have internet access in both ranges, 192.168.1.0 (servers) and 172.16.0.0 (VLANs, users network).

    6. HERE IS THE PROBLEM: I can't publish VIPs. I go to:

    VIP MENU and declare one CARP IP

    x.x.x.230/28

    7. I go to NAT MENU and declare one rule using the VIP as source with HTTP protocol and NAT to 192.168.1.73 with the same protocol, HTTP.

    I leave the automatic firewall rule generation checked, accept, apply changes.

    8. I go to a web browser, type the address x.x.x.230 and eureka!!! Nothing happens :s

    9. What am I doing wrong?
        What should I do?

    10. Thanks in advance jimp.


  • Rebel Alliance Developer Netgate

    For starters, only CARP will respond to ping, and that is only because ping is hitting pfSense, not the target of the NAT entry. If you add an explicit "port forward" for ICMP to the inside host, it should work with proxy arp IPs also.

    See the VIP entry in the doc wiki here:
    http://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses%3F

    Second, you cannot accurately test port forwards from inside of your own network. You must test them from outside your network. You can enable NAT reflection, which might work in some situations, but not all.

    The proper troubleshooting for port forward issues is here:

    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
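
    As an added example (not from this thread and not pfSense's own code), a small Python planner for the setup discussed above: it lists which addresses of a WAN subnet are free to become Virtual IPs, then checks a NAT plan against the two points made in the reply, that a port forward can only target the WAN address or a declared VIP, and that only a CARP VIP answers ping by itself. The 203.0.113.0/24 addresses are constructed stand-ins for the poster's x.x.x range; the VIP mode names and the tuple layout of a forward are assumptions of this example, not pfSense identifiers.

```python
import ipaddress

def usable_vip_candidates(wan_cidr, gateway):
    """Host addresses of the WAN subnet that are free to be declared as Virtual IPs:
    everything except network, broadcast, the upstream gateway and the address
    already bound to the WAN interface itself (given as wan_cidr)."""
    iface = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        raise ValueError(f"gateway {gw} is outside {iface.network}")
    return [a for a in iface.network.hosts() if a not in (iface.ip, gw)]

def check_nat_plan(wan_cidr, gateway, vips, forwards):
    """vips: {ip: mode} with mode 'carp', 'proxyarp' or 'other' (assumed labels);
    forwards: list of (public_ip, proto, port, inside_ip) tuples (assumed layout).
    Returns a list of findings; an empty list means the plan is consistent."""
    iface = ipaddress.ip_interface(wan_cidr)
    free = set(usable_vip_candidates(wan_cidr, gateway))
    findings, declared = [], {}
    for ip, mode in vips.items():
        addr = ipaddress.ip_address(ip)
        if addr not in free:
            findings.append(f"VIP {addr} is not a free host address in {iface.network}")
        declared[addr] = mode
    for pub, proto, port, inside in forwards:
        pub = ipaddress.ip_address(pub)
        # The NAT form only offers "WAN address" plus declared VIPs as destinations.
        if pub != iface.ip and pub not in declared:
            findings.append(f"forward {proto}/{port} -> {inside}: {pub} is neither "
                            "the WAN address nor a declared VIP")
    # Only a CARP VIP replies to ping itself; proxy ARP / other VIPs need an
    # explicit ICMP forward to an inside host before ping will be answered.
    icmp_forwarded = {ipaddress.ip_address(p) for p, proto, _, _ in forwards if proto == "icmp"}
    for addr, mode in declared.items():
        if mode != "carp" and addr not in icmp_forwarded:
            findings.append(f"VIP {addr} ({mode}) will not answer ping without an ICMP forward")
    return findings

if __name__ == "__main__":
    # Constructed sample: x.x.x.224/28 with gateway .225, WAN .229, VIP .230 -> 192.168.1.73
    print(usable_vip_candidates("203.0.113.229/28", "203.0.113.225"))
    print(check_nat_plan("203.0.113.229/28", "203.0.113.225",
                         {"203.0.113.230": "proxyarp"},
                         [("203.0.113.230", "tcp", 80, "192.168.1.73")]))
```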



  • Thanks for the response, jimp.

    I had read those wiki and troubleshooting articles, and also that I need to test the port forwards from outside the network; I tested the ports with the help of a friend on messenger. The only thing I didn't know was about the explicit port forward for ICMP, thanks for telling me.

    But my question is: am I doing things right?

    Or how would you do it?

    Thanks again jimp

