Netgate Discussion Forum

NAT problem on OPT-WAN
16 Posts 5 Posters 6.0k Views
fluca1978

Hi all,
I've got an OPT WAN with a subnet different from the main WAN, but still working with public IPs. I've enabled a port forward between the interface and two machines behind the firewall; such machines are using the firewall itself as their main router:

    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = http -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = ssh -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = pop3 -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = 2525 -> XX.XX.XX.140
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = 8080 -> XX.XX.XX.139
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = smtp -> XX.XX.XX.139
    rdr on re2 inet proto tcp from any to XX.XX.XX.138 port = https -> XX.XX.XX.139

This is working fine for incoming traffic; however, outgoing traffic is going out with the IP address of the machine (XX.XX.XX.140 or XX.XX.XX.139), while I'd like to have only the interface address (XX.XX.XX.138). In other words, I'd like to have full Outgoing NAT of the OPT WAN on its address.
I've enabled the Outgoing NAT to achieve that:

    nat on re2 inet from XX.XX.XX.136/29 to any -> (re2) port 1024:65535 round-robin

However, if I try to connect to services like http://whatismyipaddress.com/ I still see the machine IP address.

I've also tried to add a virtual IP and NAT on it:

    nat on re2 inet from XX.XX.XX.136/29 to any -> XX.XX.XX.138 static-port

but it is still not working. It seems as if the firewall is letting all traffic pass through the interface without NATing it. What am I missing here?
Eugene

Are your XX literally the same? I mean, do you have the same subnet on the OPT-WAN interface and on the local machines?
fluca1978

Yes of course, all XX represent the same IP number in my network, which has a mask of 255.255.255.248 (/29).
Eugene

And to which interface are these servers connected? Are you doing bridging?
overand

Can you post screenshots of your Outbound NAT and LAN Firewall rules pages?
fluca1978

@Evgeny:

> And to which interface are these servers connected? Are you doing bridging?

The servers are connected to the opt-wan interface, which is also their default gateway. I'm not doing bridging, but the opt-wan is part of the load balancer. Could it be a problem? I cannot actually get screenshots of the configuration (only ssh access from here); is there anything I should look for?
fluca1978

Besides the outgoing WAN, I've tried to disable it and connected to an external server both via ssh and web; the result is that the server connects from its own address, that is, the pfSense box is not doing any NAT. This could be good since the network connected to the OPT WAN is not a pure LAN, but a LAN. However, since each server is using the pfSense as router, the pfSense box should do the NATing of incoming packets on any interface.

To make it clearer, this is my situation:

    LAN ---- pfsense ---- WAN  (from LAN to WAN nat is ok!)
                |
                +------- server1, server2, server3
                |
                OPT WAN (here from server1,2,3 no nat, even if specified in outgoing)

It seems the server is not using the NAT rule specified in outgoing NAT, but I cannot understand why. I've checked with traceroute from the servers and the logs on the pfSense machine, and I can see the traffic going thru the interface, but it seems that the box is forwarding the traffic as it is before the NAT rule passes. Could it be a problem of ordering of the pf rules?
fluca1978

I attach screenshots of the configuration of my optional WAN, port forwarding and outbound NAT. Does anyone see something wrong in the configuration?
I really don't understand what I'm missing here.

Attachments: interface.png, outbound.png, port_forwarding.png
scoop

What is the default gateway for server1,2,3? I suspect it's xxx.xxx.xxx.142. For outbound NAT the servers need to be behind the pfSense firewall, not next to it in the same subnet.
fluca1978

No, each server has the pfSense machine as router, and I've double checked it also with traceroute.
scoop

Ok, but your network drawing from a few posts earlier shows otherwise. AFAIK even with pfSense as the default gateway, it won't do outbound NAT this way, but only an ICMP redirect to the default gateway (xxx.xxx.xxx.142). A tcpdump might reveal this behaviour.
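One way to do the tcpdump check suggested above, as an added example that is not from the thread or from pfSense itself: it parses `tcpdump -n -l` output from the OPT-WAN interface, reports which /29 addresses still leave untranslated (instead of as the interface address), and counts ICMP redirects. The interface name `re2` is taken from the thread; the 203.0.113.x addresses are placeholders for its XX.XX.XX.x values, and the capture lines are constructed, not real.

```shell
#!/bin/sh
# Added example, not from the thread: run on the pfSense box to see what
# really leaves the OPT-WAN interface. If outbound NAT were applied, every
# packet to a destination outside the /29 would carry the interface address.
# 203.0.113.x are placeholder addresses standing in for the thread's XX.XX.XX.x.
OPTWAN_IF=re2
OPTWAN_ADDR=203.0.113.138        # address outbound NAT should rewrite to
OPTWAN_NET=203.0.113.136/29      # the OPT-WAN subnet shared with the servers

# Reads "tcpdump -n -l" lines ("IP a.b.c.d.port > e.f.g.h.port: ...") and prints,
# once each, source addresses inside the /29 that left untranslated.
untranslated_sources() {
    awk -v ifaddr="$OPTWAN_ADDR" -v net="$OPTWAN_NET" '
        BEGIN {
            split(net, n, "/"); split(n[1], o, ".")
            prefix = o[1] "." o[2] "." o[3] "."      # a /29 sits inside one /24
            lo = o[4] + 0; hi = lo + 2 ^ (32 - n[2]) - 1
        }
        function host(f,   p) {                       # strip ".port" suffix and trailing ":"
            sub(/:$/, "", f); split(f, p, ".")
            return p[1] "." p[2] "." p[3] "." p[4]
        }
        function inside(ip,   p) {
            split(ip, p, ".")
            return index(ip, prefix) == 1 && p[4] + 0 >= lo && p[4] + 0 <= hi
        }
        $2 == "IP" {
            src = host($3); dst = host($5)
            if (inside(dst)) next                     # local traffic is never NATed
            if (inside(src) && src != ifaddr && !seen[src]++) print src
        }'
}

# Count ICMP redirects: the firewall telling a server to reach a destination
# via another gateway directly, which also bypasses any translation.
icmp_redirects() { awk '/ICMP redirect/ { n++ } END { print n + 0 }'; }

# Constructed sample of what tcpdump might show on re2 (not a real capture).
SAMPLE_CAPTURE='12:00:00.000001 IP 203.0.113.140.51234 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
12:00:00.000002 IP 203.0.113.138.1025 > 198.51.100.10.443: Flags [S], seq 2, win 65535, length 0
12:00:00.000003 IP 203.0.113.139.51235 > 198.51.100.20.25: Flags [S], seq 3, win 65535, length 0
12:00:00.000004 IP 203.0.113.140.22 > 203.0.113.139.40000: Flags [S], seq 4, win 65535, length 0
12:00:00.000005 IP 203.0.113.138 > 203.0.113.140: ICMP redirect 198.51.100.10 to host 203.0.113.137, length 36
12:00:00.000006 IP 203.0.113.140.51236 > 198.51.100.10.80: Flags [.], ack 1, win 65535, length 0'

printf '%s\n' "$SAMPLE_CAPTURE" | untranslated_sources   # prints 203.0.113.140 and 203.0.113.139
printf '%s\n' "$SAMPLE_CAPTURE" | icmp_redirects         # prints 1
# Live use on the firewall: tcpdump -n -l -i "$OPTWAN_IF" ip | untranslated_sources
```

An empty result from the live pipe means the source rewrite is happening; server addresses in the output confirm the traffic is being forwarded untranslated.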
fluca1978

Uhm... so there is no way to do outbound NAT on an optional WAN? What is the purpose of outbound NAT, then?
If anyone has a suggestion on how to achieve what I want, please advise; I'm quite stressed by this...
Thanks
kpa

The purpose of outbound NAT is rewriting the source address (and sometimes the port) in IP packets, usually used to hide private RFC 1918 (10/8, 172.16/12 and 192.168/16) addresses from appearing in packets when they reach the real internet, where they would be dropped.
In your case I think the problem is that pf (the packet filter in pfSense) can't do NAT for packets that would leave the firewall via the same interface they came in on.
scoop

If you want the outbound NAT function to work, the traffic needs to come in from a different interface. So you'll need a separate interface (and subnet) for the servers. That way you can also protect the servers with the firewall (which is currently not the case). But obviously you won't be able to use the public IPs from the same subnet then.
fluca1978

@scoop:

> If you want the outbound NAT function to work, the traffic needs to come in from a different interface. So you'll need a separate interface (and subnet) for the servers. That way you can also protect the servers with the firewall (which is currently not the case). But obviously you won't be able to use the public IPs from the same subnet then.

This sounds reasonable!
Now, since I'm curious, what could happen if I bridge an interface to the public one, so that I keep the servers with the public IPs and routed thru a bridged interface? Could this improve/solve the NAT problem, or would nothing change?
scoop

I thought about this, but I'm not sure whether it'll work. But since the firewall part also works with bridging, I see no reason why it wouldn't work. Apart from it being theoretically possible, why would you want to perform NAT on public IPs?