Private WAN address and public LAN address NAT problems



  • Hi,

    I have a private WAN address for routing into the ISP cloud. For LAN, I have public IP addresses.

    When I assign the correct addresses to the WAN and LAN interfaces, pfSense automatically starts doing NAT for these LAN addresses when I try to go to the Internet. Naturally this does not work.

    Is there a way to disable NAT for the LAN addresses?

    Also, pfSense itself cannot connect to the pfSense website since it is trying to use the private WAN address as the source address for its outbound traffic. Can I select/configure somewhere that pfSense would use its LAN address for all its outbound traffic?



  • This is a pretty strange setup. However, you can disable NAT by going to Firewall > NAT, Outbound tab, and enabling Advanced Outbound NAT. Then delete all the automatically created rules in the table at the bottom. Save and apply.
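    As an added illustration (not from this thread and not pfSense's own generated ruleset), the two states described above expressed as pf.conf rules; the interface names em0/em1 and the subnets are assumptions standing in for the poster's 172.x.y.z link address and 195.x.y.0/24 public LAN:

```pf
# Added illustration only: hand-written pf.conf fragments, not pfSense's
# generated rules. Assumed names: em0 = WAN (172.a.b.c link address),
# em1 = LAN holding the public 195.x.y.0/24 range.
wan_if  = "em0"
lan_net = "195.x.y.0/24"

# What automatic outbound NAT amounts to: every LAN source is rewritten to
# the WAN address. The packets then leave the operator's network sourced
# from a 172.x link address that is never announced to the Internet, so
# replies have nowhere to return to. This is the failing state.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Advanced (manual) outbound NAT with the automatic rule deleted: no nat
# rule matches the LAN range, so the public source addresses leave
# untouched and the operator's route announcement carries the replies back.
# "no nat" spells out the exemption explicitly.
no nat on $wan_if from $lan_net to any
```

    On pfSense the rules are generated from the GUI, so the fragment only shows what the Outbound NAT table change produces; the firewall's own traffic sourced from the WAN address is not covered by either rule and is the separate problem discussed later in the thread.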



  • We took out the operator-provided router (which had a private address on its WAN interface) and replaced it with a pfSense firewall. That is the reason why we have this strange setup.

    However, the problem still remains that pfSense itself cannot communicate with the pfsense.com website to check for updates or packages. When doing tcpdump on the WAN interface, I see that pfSense is using the WAN port address, which will route outside this operator's network. Is there a way to change the address that pfSense uses to communicate with pfsense.com?



  • I don't get how the routing should work for the public IPs if the WAN IP has no Internet connectivity. Don't they NAT the private IPs somewhere in their setup before they leave into public IP space again?



  • No, they do not NAT the traffic; it is only within the operator's own network cloud that they use 172.x.y.z addresses as link addresses between different IP routers.

    When this operator's network connects to the public Internet, they announce all the public IP addresses that their customers are using behind those 172.x.y.z-based link addresses. I would think that this is a fairly common thing that different operators do, in order not to waste public IP addresses on core links.

    We could have left the operator-provided Cisco router in place, and then we would only have this public IP address subnet to play with. We also have different IP subnet addresses (public ones again) for the DMZ.



  • Did you tell pfSense that it must not block 172.x.y.z/192.168.x.y/10.x.y.z on the WAN port?
    If not, then all your traffic to the 172 network on the WAN port is blocked,
    because those IPs are not for use on the Internet.



  • In the Interfaces WAN page:

    I have checked the option: Block private networks.

    I have created outbound NAT entries for my LAN addresses in order not to NAT them to this 172… address.
    I have also enabled the Advanced Outbound NAT option.



  • @Jakk:

    In the Interfaces WAN page:

    I have checked the option: Block private networks.

    This needs to be unchecked
    so that pfSense is not blocking you.
    172.x.y.z/192.168.x.y/10.x.y.z are private networks and normally do not live on the WAN side of pfSense.



  • Thanks, but…

    The problem is that pfSense itself needs to use its LAN address (195.x.y.1) when connecting to
    the pfSense site to check updates/packages/etc...

    Now it insists on using the WAN address 172.a.b.c for this traffic. Naturally this link address cannot connect anywhere in the real Internet. It can only route/connect within the operator's network.



  • You have got a pretty messed up network.
    pfSense will always use the WAN for its connections;
    WAN is for the Internet
    and LAN is for your network.



  • I understand what you want to do.

    Add static routes for the DNS servers, forcing them out a custom gateway. Do the same for the pfsense.com addresses.



  • @Jakk:

    No, they do not NAT the traffic; it is only within the operator's own network cloud that they use 172.x.y.z addresses as link addresses between different IP routers.

    Just wondering, but is your ISP Covad by any chance? I have dealt with several Covad DSL setups where the WAN range from their side is a 172.x.x.x network, and the LAN range is your normally used public range.

    Thanks…

