NAT to modem on WAN not working on 9/20 NanoBSD build
-
Hi there,
I am trying to access my modem on the WAN interface through pfSense which worked great in 1.2.3, but not now anymore. I have a LAN which is 10.0.100.0/24 and on WAN there is a modem with 192.168.2.1. I have set up NAT as you can see in the attached screenshot and defined a secondary ip on my external interface which is 192.168.2.254. When I try to ping the modem, tcpdump tells me that my workstation ip with 10.0.100.x comes out my external interface, so NAT is somehow not applied…
Any ideas?
Here is the NAT section from /tmp/rules.debug:
```
# Outbound NAT rules
nat on $WAN from 10.0.100.0/24 to !192.168.2.1/32 -> 79.223.222.66/32 port 1024:65535
nat on $WAN from 10.0.100.0/24 to 192.168.2.1/32 -> 192.168.2.254/32 port 1024:65535
```
tcpdump on external interfaces:
```
tcpdump -lnv -i vr1 host 10.0.100.245
tcpdump: listening on vr1, link-type EN10MB (Ethernet), capture size 96 bytes
19:11:49.915263 IP (tos 0x0, ttl 63, id 32421, offset 0, flags [none], proto ICMP (1), length 84) 10.0.100.245 > 192.168.2.1: ICMP echo request, id 24326, seq 0, length 64
19:11:50.915620 IP (tos 0x0, ttl 63, id 35268, offset 0, flags [none], proto ICMP (1), length 84) 10.0.100.245 > 192.168.2.1: ICMP echo request, id 24326, seq 1, length 64
19:11:51.916124 IP (tos 0x0, ttl 63, id 23994, offset 0, flags [none], proto ICMP (1), length 84) 10.0.100.245 > 192.168.2.1: ICMP echo request, id 24326, seq 2, length 64
19:11:52.916642 IP (tos 0x0, ttl 63, id 12783, offset 0, flags [none], proto ICMP (1), length 84) 10.0.100.245 > 192.168.2.1: ICMP echo request, id 24326, seq 3, length 64
```
![NAT.png](/public/_imported_attachments_/1/NAT.png) ![vip.png](/public/_imported_attachments_/1/vip.png)
-
I had what appeared to be the same issue with the 2.0 BETA4 version from 9/17 as well. When I first installed it, I tried various things and it finally started working - I believe it was after I disabled automatic NAT. It worked well for several days, until I rebooted it in an effort to get the Quality graphs working (all other RRD graphs were working fine), but after the reboot, it wouldn't NAT my traffic. I could get into the WebGUI, and could see that pfSense was able to get out to the Internet, but I couldn't, sitting behind the pfSense box. This was with the nanoBSD version on a Soekris net4801. I had copied my working slice over to the secondary slice after everything was up and running, but once it stopped NATing (after a reboot), switching to the "known good" slice didn't fix my issue. I tried various things for about an hour, but had no luck in getting it to work and ultimately hooked my Mikrotik back to my DSL line. (PPPoE with AT&T in the former BellSouth area)
-
Well the regular NAT rule for my internet traffic works just fine, it is only the "modem NAT" which is not working…
-
Ah - Well that is different then…. Sorry - Don't mean to hijack your thread.
-
I'm guessing your modem is doing PPPoE or something similar. If that's the case, you don't need the VIP interface defined. Just define OPT1 (or OPTx if 1 is taken) as a DHCP interface and select the physical port that your modem connects to. It should all work automatically. The PPPoE protocol doesn't care if the physical interface has a dynamic or static IP, because it's only using the physical transport and defining its own pppoe interface.
If this doesn't make sense, please post more details about your configuration and ISP connection type.
GB
-
FYI- I documented the procedure for 2.0 a week or so ago:
http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall#Configure_a_new_Interface
-
I read the instructions in the link. I got it to work by configuring DHCP client on the interface connected to my modem, and I didn't touch anything in the NAT configuration. That traffic doesn't need to be NATed I think.
GB
-
> I read the instructions in the link. I got it to work by configuring DHCP client on the interface connected to my modem, and I didn't touch anything in the NAT configuration. That traffic doesn't need to be NATed I think.
Unless your modem will take a static route then you need to use outbound NAT. I use AON but not dhcp*, and create a gateway on the modem's subnet and assign that gateway to the physical interface. The use of the gateway triggers the necessary AON rules to make it all happen. If you use dhcp on that interface then the gateway is created and assigned for you automatically.
*If your modem's dhcp server doesn't respond, pfsense will hang indefinitely on bootup, last time I tried, anyway. The only way past this is to reset your modem or connect a pc to it directly to turn the dhcp server back on. Or reinstall pfsense.
-
> I'm guessing your modem is doing PPPoE or something similar. If that's the case, you don't need the VIP interface defined. Just define OPT1 (or OPTx if 1 is taken) as a DHCP interface and select the physical port that your modem connects to. It should all work automatically. The PPPoE protocol doesn't care if the physical interface has a dynamic or static IP, because it's only using the physical transport and defining its own pppoe interface.
> If this doesn't make sense, please post more details about your configuration and ISP connection type.
> GB
No. Modem is not doing PPPoE. pfSense does. With my config it worked well in 1.2.3. I will check out Jim's link now…
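The two `nat on $WAN` lines from the first post look correct in isolation, so the useful check is which interface `$WAN` actually names. The following is an added example, not code from the thread or from pfSense: a small evaluator that parses those two rules.debug lines, expands the `$WAN` macro, and applies pf's first-match NAT semantics to a packet leaving a given interface. The macro value `pppoe0` is an assumption used to illustrate the case where pfSense itself runs the PPPoE session and the physical port `vr1` is therefore not `$WAN`; in that case a packet leaving `vr1` matches neither rule and leaves untranslated, which is exactly what the tcpdump in the first post shows.

```python
import ipaddress
import re

# Constructed copy of the two nat lines quoted from /tmp/rules.debug in the first post.
RULES_DEBUG = """
nat on $WAN from 10.0.100.0/24 to !192.168.2.1/32 -> 79.223.222.66/32 port 1024:65535
nat on $WAN from 10.0.100.0/24 to 192.168.2.1/32 -> 192.168.2.254/32 port 1024:65535
"""

# Only the subset of pf nat syntax used above is parsed; "port a:b" is ignored here.
NAT_RE = re.compile(
    r"nat on (?P<iface>\S+) from (?P<src>\S+) to (?P<dst>\S+) -> (?P<trans>\S+)"
)


def parse_nat_rules(text, macros):
    """Parse 'nat on ...' lines, expanding $MACRO interface names via the macros dict."""
    rules = []
    for line in text.strip().splitlines():
        m = NAT_RE.match(line.strip())
        if not m:
            continue  # comments and anything that is not a nat rule
        iface = m.group("iface")
        if iface.startswith("$"):
            iface = macros[iface[1:]]
        dst = m.group("dst")
        rules.append({
            "iface": iface,
            "src": ipaddress.ip_network(m.group("src")),
            "dst": ipaddress.ip_network(dst.lstrip("!")),
            "dst_negate": dst.startswith("!"),      # "to !x" means "not to x"
            "trans": m.group("trans").split("/")[0],  # translation address only
        })
    return rules


def apply_nat(rules, out_iface, src, dst):
    """Source address a packet carries after nat processing on out_iface.

    pf nat rules are first-match: the first rule whose interface, source and
    (possibly negated) destination all match decides; if none matches the
    packet leaves with its original source address.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["iface"] != out_iface or src_ip not in r["src"]:
            continue
        if (dst_ip in r["dst"]) == r["dst_negate"]:
            continue  # destination excluded by "!" or simply not in the rule's subnet
        return r["trans"]
    return src


def main():
    # Assumed expansion: pfSense runs PPPoE, so $WAN is the PPPoE interface, not vr1.
    rules = parse_nat_rules(RULES_DEBUG, {"WAN": "pppoe0"})
    ping_modem = ("10.0.100.245", "192.168.2.1")
    print("leaving vr1   :", apply_nat(rules, "vr1", *ping_modem))      # untranslated
    print("leaving pppoe0:", apply_nat(rules, "pppoe0", *ping_modem))   # 192.168.2.254

    # Same rules, but with $WAN bound to the physical port: the modem rule now fires.
    rules_phys = parse_nat_rules(RULES_DEBUG, {"WAN": "vr1"})
    print("$WAN = vr1    :", apply_nat(rules_phys, "vr1", *ping_modem))


if __name__ == "__main__":
    main()
```

The takeaway is the one the thread reaches: the modem rule has to be bound to the interface the packet really leaves on, which is why assigning the physical port as its own interface (so pfSense generates NAT rules on that interface) fixes it, while a rule on `$WAN` only covers traffic leaving the PPPoE session.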
-
> FYI- I documented the procedure for 2.0 a week or so ago:
> http://doc.pfsense.org/index.php/Accessing_modem_from_inside_firewall#Configure_a_new_Interface
Hey Jim!
That was exactly the info I needed! Thanks, now it works as expected!