NAT issues - need to NAT on internal network



  • I think I am probably doing something wrong, if not, I found a bug.

    First of all, I am trying to set up a moderately complex network, diagram attached.

    I found I was unable to reach the modem management interfaces in my configuration (just trying the internal and LAN server setup atm), because the modems are stupid and don't understand that there might be a route to a non-local IP from an internal interface.  Both of them have one pass-through port, which is where I have the connection for my WAN, and 3 internal/management ports, addressable as 192.168.1.X (I can configure the X at least).

    I couldn't figure out how to get my internal machines to NAT to the modem's network, so it would appear to be coming from the pfsense interface, until I set a gateway up for that network.  As soon as I did that, my nat rule worked, and removing the gateway breaks the NAT.  (This is despite the network being in the routing table.)

    (table below isn't showing for me in preview, but does highlight, strange)

    | if | Proto | src. addr | src ports | dest. addr | dest ports | nat ip | natports |
    |---|---|---|---|---|---|---|---|
    | LAN | TCP | LAN net | * | Modem1 ip | 80 | Modem1 ip | * |
    | LAN | TCP | LAN net | * | Modem2 ip | 80 | Modem2 ip | * |

    | Name | Interface | Gateway |
    |---|---|---|
    | modemGW | MODEMNETWORK | 192.168.1.1 |

    Any clue what I am missing, or why it only works with the gateway?  Also, any recommendations or good references to ease setting up the network config I plan? (lots of my neighbors don't have wifi, and I'm across from the city library with good signal into it, so I want to provide people there free, good internet as well)

    ![home network.png](/public/imported_attachments/1/home network.png)
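For readers following the thread: pfSense only generates automatic outbound NAT for interfaces it treats as WAN-type, which is what selecting a gateway on an interface does; on an internal interface without a gateway the translation has to come from a manual outbound NAT rule. The fragment below is an added example written in the syntax of pf, the firewall underneath pfSense, and is not taken from the thread or from pfSense itself. The interface names, the LAN subnet and the two modem addresses are assumed placeholders; only the 192.168.1.0/24 management range comes from the post.

```pf
# Added example (not from the thread). Interface names and addresses are assumed.
lan_if    = "em1"                         # pfSense LAN (assumed name)
opt1_if   = "em2"                         # pfSense OPT1, wired to the modems' management ports (assumed)
lan_net   = "192.168.10.0/24"             # internal LAN subnet (constructed)
modem_net = "192.168.1.0/24"              # modem management range, from the thread
modems    = "{ 192.168.1.2, 192.168.1.3 }" # Modem1 ip / Modem2 ip (constructed values)

# Outbound NAT is matched on the interface a packet LEAVES through, so the
# rule is bound to OPT1 rather than LAN. Translating to (em2) rewrites the
# source to OPT1's own address, so the modem sees a local peer and needs no
# route back to the LAN subnet.
nat on $opt1_if proto tcp from $lan_net to $modems port 80 -> ($opt1_if)

# Firewall rule on LAN permitting only the management traffic; pf keeps
# state, so the modem's replies are matched to the translated session.
pass in quick on $lan_if proto tcp from $lan_net to $modems port 80 keep state
```

In the pfSense GUI the same rule is entered under Firewall > NAT > Outbound with manual outbound NAT enabled: Interface OPT1, Source the LAN subnet, Destination the modem address, Translation "Interface Address". A quick check that the translation is in effect is a state-table entry for the connection whose translated source is the OPT1 address rather than a LAN host.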



  • How many LANs/VLANs do you have?
    How are those set up?



  • I have 5 LANs and 2 WANs.

    Each of the black lines is a separate LAN, and the red is also LAN, but access to it should only be from one of the other LANs, via NAT.  I have not configured it, but I will likely need two VLANs, one for the TOR server, one for everything else in the server network (which will just be the default).

    WAN is configured with IP1's address, gateway, network, etc.
    LAN is the internal network
    opt1 is the connection to the modem interface
    opt2 is the connection for my second WAN ip/gateway/etc.
    opt3 is my IPTV
    opt4 is my open wireless
    opt5 is the network for servers, I am considering just putting the TOR server on a second IP address block, and having two IP address ranges for this interface, since the only switches I have are unmanaged.  Looking for cheap managed switches to VLAN it later.



  • And you're having a different subnet for all?

    Fine,
    rule on opt3:
    pass optsubnet * optsubnet * * *, advanced features, select different gateway. Make sure that this is before the allow-any rule.



  • My problem has nothing to do with OPT3, I have that working fine.

    My problem is I have to set a gateway on OPT1 in order for NAT rules to work.  With a gateway, the NAT rule I listed works for the interface, but without it, it does not.  This shouldn't be, as I understand it.  Am I right, or am I wrong?  If I am wrong, what do I need to change?



  • I once had the same problem; then I updated pfSense and it was gone.

    Do you have manual outbound NAT in use?

