Out of NAT into Bridge - can't get past the WAN?



  • Hi,

    I have a setup with 3 interfaces:

    WAN Bridged with Public (Multiple public subnets bridged)
    LAN

    I have a host on the LAN only, on 192.168.0/24.

    I have another host on Public only, on a public IP address, which is NOT the same subnet as pf's main WAN IP.  I can get data through to any server that is on the same subnet as the WAN IP, but not any other server that is on a different subnet.  Externally everything works; it's only when I'm coming out of NAT?

    I have allowed anything on the filter for the Public and LAN interfaces, and have the port I'm trying to telnet on open on the WAN interface.

    I've packet captured, and can see the traffic goes out of the NAT OK and hits the router's main WAN IP, but at that point it stops.  Perhaps the issue is it shouldn't be going to the router's main WAN IP and should be going straight to the bridged IP?

    Thanks,

    Elliot



  • Hello,

    @Elliot:

    I have a setup with 3 interfaces:

    WAN Bridged with Public (Multiple public subnets bridged)

    Sounds strange - you don't bridge subnets. Bridging happens on OSI layer 2 while subnets live at OSI layer 3. Usually you route between subnets…

    @Elliot:

    LAN
    I have a host on the LAN only, on 192.168.0/24.

    I have another host on Public only, on a public IP address, which is NOT the same subnet as pf's main WAN IP.  I can get data through to any server that is on the same subnet as the WAN IP,
    but not any other server that is on a different subnet.  Externally everything works; it's only when I'm coming out of NAT?

    I guess that you've mixed up bridging and routing.
    If you want to access hosts at the WAN interface that are not part of the WAN interface's subnet, you must have a way for packets to go back and forth.
    In other words: there must be a router routing between those subnets. This can either be done at pfSense (if so, pfSense must be present in every public address range) or by another router.
    The router may NAT / masquerade, but must be reachable by all participants. I don't see what bridging will accomplish here.

    Keep smiling
    yanosz
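The distinction the reply draws (a host only sends directly to destinations inside its own prefix, and pfSense can only forward between subnets it actually has an address in) can be modelled in a few lines. This is an added illustration, not code from the thread or from pfSense; the 203.0.113.0/29 and 198.51.100.0/29 ranges are assumed documentation addresses standing in for the two public subnets, and static or default routes are deliberately left out of the model.

```python
import ipaddress

# Constructed topology modelled on the thread (RFC 5737 documentation ranges,
# chosen here as an assumption; the thread only names 192.168.0/24).
LAN_HOST = "192.168.0.10"
WAN_SERVER = "203.0.113.5"      # server in the same subnet as pfSense's WAN IP
OTHER_SERVER = "198.51.100.5"   # server in a different public subnet


def next_hop(host_ip, prefix_len, dst_ip, gateway):
    """A sending host's own decision: destinations inside its prefix are
    delivered directly over layer 2 (ARP), everything else goes to the gateway.
    Being bridged to another subnet does not widen the host's prefix."""
    host_net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    if ipaddress.ip_address(dst_ip) in host_net:
        return ("on-link", dst_ip)
    return ("gateway", gateway)


def has_connected_route(router_addrs, src_ip, dst_ip):
    """True when the router holds an address (hence a connected route) in both
    the source and destination subnets; static/default routes are ignored.
    router_addrs are strings like '203.0.113.2/29' (constructed values)."""
    connected = [ipaddress.ip_interface(a).network for a in router_addrs]
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in n for n in connected) and any(dst in n for n in connected)


if __name__ == "__main__":
    # pfSense as described: one WAN address, one LAN address (assumed values).
    pfsense = ["203.0.113.2/29", "192.168.0.1/24"]
    print(has_connected_route(pfsense, LAN_HOST, WAN_SERVER))    # True
    print(has_connected_route(pfsense, LAN_HOST, OTHER_SERVER))  # False
    # The reply's fix: pfSense present in every public address range.
    pfsense_fixed = pfsense + ["198.51.100.1/29"]
    print(has_connected_route(pfsense_fixed, LAN_HOST, OTHER_SERVER))  # True
    # The Public-side host itself never ARPs for the other subnet either.
    print(next_hop("198.51.100.5", 29, WAN_SERVER, "198.51.100.1"))  # gateway
```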
