(FIXED) NAT VLAN Subnets - Separate IP Addresses on WAN for Outbound Traffic



  • Resolved:

    So now I feel a bit silly, but will post this just in the event anyone else can benefit from it.  It seems that if you leave the default NAT mode set to Automatic, it puts all of the VLANs on the internal interface into a NAT table that overrides any of the rules put in after that.  Once I switched the NAT mode to Manual, it started working perfectly.  Now on to the final two items -> IPsec site-to-site and mobile VPN tunnels.  In the process I will throw together a guide with what I did to get this setup to work over the next week or two.  One question I will throw out there for the pfSense experts: now when I look at the states via the web interface or via the command line by running pfctl -s state, I see the following:

    tcp 10.50.3.150:2067 -> 192.168.20.11:64606 -> 69.192.156.57:80 ESTABLISHED:ESTABLISHED
    tcp 69.192.156.57:80 <- 10.50.3.150:2068 ESTABLISHED:ESTABLISHED

    I understand the first is the outgoing translated traffic.  I am not sure I understand the second.  It would seem that the second line should read something like this:

    tcp 69.192.156.57:80 <- 192.168.20.11:64606 <- 10.50.3.150:2068 ESTABLISHED:ESTABLISHED

    Can someone help me understand what I am reading here?  Thanks again in advance!

    ================================================================

    Original Post:

    We have a setup where we have two separate publicly routable subnets behind a single public WAN address:
    -------------------------------
    Internet -> (pfSense WAN Interface) 203.10.224.156/29 -> (IP Block) 203.10.224.128/28 (Virtual IPs?)
                                                       |                             -> (IP Block) 203.10.224.160/28 (Virtual IPs?)
                                                       |
                                                       |
                    (pfSense LAN Interface) 10.100.1.254/24
                     ->VLAN12 LAN Address 10.100.2.254/24 (Need to NAT Outgoing to 203.10.224.129 on WAN Interface)
                     ->VLAN13 LAN Address 10.100.3.254/24 (Need to NAT Outgoing to 203.10.224.130 on WAN Interface)
                     ->VLAN14 LAN Address 10.100.4.254/24 (Need to NAT Outgoing to 203.10.224.131 on WAN Interface)
                     ->VLAN15 LAN Address 10.100.5.254/24 (Need to NAT Outgoing to 203.10.224.132 on WAN Interface)
                     ->VLAN16 LAN Address 10.100.6.254/24 (Need to NAT Outgoing to 203.10.224.161 on WAN Interface)
                     ->VLAN17 LAN Address 10.100.7.254/24 (Need to NAT Outgoing to 203.10.224.162 on WAN Interface)

    From the Internet we will also need to forward traffic from various ports to different systems on that particular subnet.  Example:

    Incoming From Internet To 203.10.224.129:80 -> 10.100.2.10:80
    Incoming From Internet To 203.10.224.129:25 -> 10.100.2.11:25
    Incoming From Internet To 203.10.224.129:443 -> 10.100.2.12:443

    Incoming From Internet To 203.10.224.130:80 -> 10.100.3.10:80
    Incoming From Internet To 203.10.224.130:25 -> 10.100.3.11:25
    Incoming From Internet To 203.10.224.130:443 -> 10.100.3.12:443

    Since we cannot take down our live network to do this, I tested in the shop using the following setup:


    Internet -> (pfSense WAN Interface) 10.50.1.251           -> (IP Block) 192.168.20.0/24 (Virtual IPs?)
                                                       |                             -> (IP Block) 192.168.30.0/24 (Virtual IPs?)
                                                       |
                                                       |
                    (pfSense LAN Interface) 10.100.1.254/24
                     ->VLAN12 LAN Address 10.100.2.254/24 (Need to NAT Outgoing to 192.168.20.129 on WAN Interface)
                     ->VLAN13 LAN Address 10.100.3.254/24 (Need to NAT Outgoing to 192.168.20.130 on WAN Interface)
                     ->VLAN14 LAN Address 10.100.4.254/24 (Need to NAT Outgoing to 192.168.20.131 on WAN Interface)
                     ->VLAN15 LAN Address 10.100.5.254/24 (Need to NAT Outgoing to 192.168.20.132 on WAN Interface)
                     ->VLAN16 LAN Address 10.100.6.254/24 (Need to NAT Outgoing to 192.168.30.161 on WAN Interface)
                     ->VLAN17 LAN Address 10.100.7.254/24 (Need to NAT Outgoing to 192.168.30.162 on WAN Interface)

    From the Internet we will also need to forward traffic from various ports to different systems on that particular subnet.  Example:

    Incoming From Internet To 192.168.20.129:80 -> 10.100.2.10:80
    Incoming From Internet To 192.168.20.129:25 -> 10.100.2.11:25
    Incoming From Internet To 192.168.20.129:443 -> 10.100.2.12:443

    Incoming From Internet To 192.168.20.130:80 -> 10.100.3.10:80
    Incoming From Internet To 192.168.20.130:25 -> 10.100.3.11:25
    Incoming From Internet To 192.168.20.130:443 -> 10.100.3.12:443

    The above are not our real IP addresses, but all the information is accurate so as to give an example of what we are trying to accomplish.  I have not tried to do anything yet with the incoming NAT right now, as I wanted to start simple by getting the outbound NAT working appropriately.  I have successfully gotten this to work on a vanilla install of OpenBSD, but really like the pfSense interface and would like to know if it is possible to accomplish the same with it or not.  It seems like it should be, but I must be missing something.  I am using the latest 2.0 image that was available as of today.

    I have done the following:
    1. Created all the VLAN interfaces on the internal interface.
    2. Configured IPs as shown above for the LAN, WAN, and VLAN interfaces.
    3. Set a firewall rule to allow traffic from the LAN and each of the VLANs to Any to pass.
    4. Created a Virtual IP for each of the addresses I want to NAT outgoing traffic from each of the subnets to (Proxy ARP).
    5. Created a NAT rule to NAT all traffic from the VLAN network to Any to the Virtual IP I set up.

    In theory it seems like this should work, but it does not.  I can pass traffic no problem if I NAT the traffic to the WAN interface address, but cannot get it to work if I try to NAT it to a Virtual IP for outgoing.  I must be doing something wrong here, but am at a loss to figure it out as of yet.  My guess is I am not understanding properly how to use the Virtual IP.

    If you wonder why we need to accomplish the above, it is because we provide certain sets of services to the systems, and there may be several or more systems in a subnet.  We need that subnet segregated from the others, and we need the external IPs set so that if, say, something happens and one of the external IPs gets blacklisted, it will not affect all the systems in the other subnets (we are in no way sending spam - just an easy example to show the reasoning).  Essentially we want all services provided on a particular subnet to come in on one IP and all communication out from that subnet to go out on that same IP.

    Any help would be greatly appreciated.  We are currently using an ASA to do the above, but due to needing to replace hardware, we wanted to explore other alternatives.  I promise if we get this working to provide some sort of step-by-step guide to get this particular setup going - it may already be out there, but I haven't found it yet.

    Thanks in advance!
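
A way to check, from the shell on the pfSense box, that each VLAN really is leaving on its own VIP and that the port forwards land on the intended hosts. This is an added example in Python; it is not code from pfSense or from the poster above. It parses the old-style pfctl -s state layout quoted in the post, in which an outbound state prints as source -> translated source -> destination and an inbound state as destination <- original destination <- source, the middle hop appearing only when NAT or rdr rewrote something (so an inbound state on the interface a packet arrived on shows no translation hop). It then flags outbound states from a VLAN subnet that are not translated to that subnet's VIP, which is what a catch-all automatic rule sending everything out the WAN address produces. The VLAN-to-VIP table and the port-forward table are the lab values from the post; the sample state lines are constructed for this example.

```python
"""Interpret old-style ``pfctl -s state`` output: check that each VLAN leaves on its
intended virtual IP and that port forwards land on the right internal host.

Added example, not code from pfSense or the original poster.  Assumes the pre-OpenBSD-4.7
pf state layout that pfSense 2.0 prints (the one quoted in the thread): outbound states
read ``SRC -> [TRANSLATED_SRC ->] DST`` and inbound ones ``DST <- [ORIGINAL_DST <-] SRC``,
with the middle hop present only when NAT/rdr rewrote something.  Samples are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# VLAN -> VIP mapping from the lab layout in the post.  In manual outbound NAT each
# entry is a pf rule of the shape: nat on $wan from 10.100.2.0/24 to any -> 192.168.20.129
EXPECTED_NAT = {
    "10.100.2.0/24": "192.168.20.129", "10.100.3.0/24": "192.168.20.130",
    "10.100.4.0/24": "192.168.20.131", "10.100.5.0/24": "192.168.20.132",
    "10.100.6.0/24": "192.168.30.161", "10.100.7.0/24": "192.168.30.162",
}
# Port forwards from the post: public addr:port -> internal addr:port.
EXPECTED_RDR = {
    "192.168.20.129:80": "10.100.2.10:80", "192.168.20.129:25": "10.100.2.11:25",
    "192.168.20.129:443": "10.100.2.12:443", "192.168.20.130:80": "10.100.3.10:80",
    "192.168.20.130:25": "10.100.3.11:25", "192.168.20.130:443": "10.100.3.12:443",
}
_PROTOS = {"tcp", "udp", "icmp", "icmp6", "esp", "ah", "gre"}

@dataclass
class PfState:
    proto: str
    direction: str          # "out" or "in"
    src: str                # host:port that opened the connection
    gateway: Optional[str]  # pf's "gwy": the NAT/rdr hop, None if untranslated
    dst: str                # host:port the connection is going to
    status: str

def parse_state_line(line):
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in _PROTOS:
        raise ValueError(f"not a state line: {line!r}")
    proto, status, hops = tokens[0], tokens[-1], tokens[1:-1]
    hosts, arrows = hops[0::2], hops[1::2]
    if (len(hosts) not in (2, 3) or len(arrows) != len(hosts) - 1
            or len(set(arrows)) != 1 or arrows[0] not in ("->", "<-")):
        raise ValueError(f"unrecognised state layout: {line!r}")
    gateway = hosts[1] if len(hosts) == 3 else None
    if arrows[0] == "->":  # outbound: SRC -> [GWY ->] DST
        return PfState(proto, "out", hosts[0], gateway, hosts[-1], status)
    return PfState(proto, "in", hosts[-1], gateway, hosts[0], status)  # DST <- [GWY <-] SRC

def parse_states(output):
    return [parse_state_line(l) for l in output.splitlines() if l.strip()]

def address_of(hostport):
    """Drop the port: pfctl prints IPv4 as a.b.c.d:port and IPv6 as addr[port]."""
    addr = hostport.split("[", 1)[0] if "[" in hostport else hostport.rsplit(":", 1)[0]
    return ipaddress.ip_address(addr)

def check_outbound_nat(states, expected=EXPECTED_NAT):
    """(src, actual address, expected VIP) for every outbound state whose source
    sits in a VLAN subnet but does not leave as that subnet's VIP."""
    nets = {ipaddress.ip_network(n): ipaddress.ip_address(v) for n, v in expected.items()}
    problems = []
    for st in states:
        if st.direction != "out":
            continue
        src = address_of(st.src)
        net = next((n for n in nets if src in n), None)
        if net is None:
            continue
        actual = address_of(st.gateway) if st.gateway else src  # no hop: left untranslated
        if actual != nets[net]:
            problems.append((st.src, str(actual), str(nets[net])))
    return problems

def check_port_forwards(states, expected=EXPECTED_RDR):
    """(public addr:port, actual internal host, expected host) for rdr states gone astray."""
    problems = []
    for st in states:
        if st.direction == "in" and st.gateway in expected and st.dst != expected[st.gateway]:
            problems.append((st.gateway, st.dst, expected[st.gateway]))
    return problems

# Constructed sample: VLAN12 leaves correctly as its VIP, VLAN13 leaves on the WAN address
# (what a catch-all rule does), VLAN17 is not translated at all, the fifth line is the
# untranslated inbound state from the post, and the last port forward hits the wrong host.
SAMPLE_STATES = """\
tcp 10.100.2.10:51022 -> 192.168.20.129:61001 -> 69.192.156.57:80 ESTABLISHED:ESTABLISHED
tcp 10.100.3.10:51023 -> 10.50.1.251:61002 -> 69.192.156.57:443 ESTABLISHED:ESTABLISHED
udp 10.100.6.20:5353 -> 192.168.30.161:61003 -> 192.0.2.53:53 MULTIPLE:SINGLE
tcp 10.100.7.20:40000 -> 69.192.156.57:80 ESTABLISHED:ESTABLISHED
tcp 69.192.156.57:80 <- 10.50.3.150:2068 ESTABLISHED:ESTABLISHED
tcp 10.100.2.10:80 <- 192.168.20.129:80 <- 198.51.100.7:40112 ESTABLISHED:ESTABLISHED
tcp 10.100.2.10:443 <- 192.168.20.129:443 <- 198.51.100.7:40113 ESTABLISHED:ESTABLISHED
"""

if __name__ == "__main__":
    for bad in check_outbound_nat(parse_states(SAMPLE_STATES)):
        print("outbound NAT mismatch: %s leaves as %s, expected %s" % bad)
    for bad in check_port_forwards(parse_states(SAMPLE_STATES)):
        print("port forward mismatch: %s -> %s, expected %s" % bad)
```

On a live box, replace SAMPLE_STATES with the captured output of pfctl -s state. If every VLAN shows up as a mismatch against the WAN address, look at pfctl -s nat first: that lists the translation rules actually loaded, and will show whether the per-VLAN VIP rules made it into the ruleset or a single catch-all rule is matching ahead of them.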


  • Rebel Alliance Developer Netgate

    @bshack:

    So now I feel a bit silly, but will post this just in the event anyone else can benefit from it.  It seems that if you leave the default NAT mode set to Automatic, it puts all of the VLANs on the internal interface into a NAT table that overrides any of the rules put in after that.  Once I switched the NAT mode to Manual, it started working perfectly.

    FYI: that is expected behavior.  If you are on Automatic, the manual rules are ignored.  In order to use the manual rules, you have to be on Manual outbound NAT.

    EDIT: I modified the text on the page on 2.0 to be a bit more clear, spelling out that in automatic mode the rules are ignored.

