Netgate Discussion Forum

    Manual NAT. pf LAN -> L3 Switch -> 4 subnets… Do I need to create NAT rules?

    sierradump

      I am so close to getting this to work.

      ISP gives me: 
      WAN – y.y.y.216 /30
      Pub IPs- x.x.x.224 /27

      pfSense Configuration:
      WAN:  y.y.y.218 /30  (gateway: y.y.y.217 /30)

      LAN_1:  10.10.1.0 /24  -> L3 Switch -> 3 other subnets (10.10.2.0, 10.10.3.0, 10.10.16.0)

      LAN_2:  172.16.10.0 /24

      LAN_3:  10.10.20.0 /24

      I've created the "routes" for those 3 "non-native" interface subnets in LAN_1.

      When NAT is set to "Automatic", all 3 LAN interfaces (including the 3 extra subnets in LAN_1) browse out to the internet and show a Public IP: y.y.y.218. This is expected and normal.

      BUT -- I want to use the public IPs now like this:

      LAN_1 to NAT from x.x.x.226

      LAN_2 to NAT from x.x.x.250

      LAN_3 to NAT from x.x.x.229

      First step I did was turn "Automatic NAT" off.  It created my default rules and I saw the option to edit the "translation address" --
      So, next step -- I added some virtual IPs and set them in the NAT rules under "translation address".
      Everything seemed to work EXCEPT...

      PROBLEM:

      On LAN_1, the 10.10.1.0 network could browse the internet but the 3 other subnets could not - I figured out that they ALSO need their own NAT rules (?). So I copied the 2 auto-created rules for the 10.10.1.0 network for my 10.10.2.0, 10.10.3.0 and 10.10.16.0 networks that are attached to that LAN_1 interface --> NOTE: pfSense put these 6 new rules at the bottom? Does this matter?

      (remember, I already have routes for them in pfSense under "routing" and they worked fine with NAT set to "automatic").

      After I made the NAT rules I now had 4 networks, with rules that needed the SAME "translation address" and that is where the problem is maybe?  Can I not have rules (1 rule for each subnet) that use the same "translation address" VIP?

      It seems like this shouldn't be a problem because with "automatic NAT" every network uses the same WAN IP?  Plus -- Why do I have to create the rules for those 3 "extended" subnets in LAN_1 ONLY when I turn "automatic NAT" off?

      I am so close to getting this to work - I would really appreciate some help!

      podilarius

        I do the same thing for my lab network. After creating a route and a LAN rule to pass traffic, I used AON (Advanced Outbound NAT) to create a rule to push my lab traffic out the WAN interface. I also have certain hosts using certain VIPs. I would make sure that the rule is exactly like the generated one except for the VIP and the subnet. Could you paste a screen shot of the AON and a rule edit within that?

        sierradump

          Got it working… Since all my LAN subnets need to go out the same VIP - I simply created a NETWORK TYPE ALIAS from the "FIREWALL" tab and then added all 4 of my subnets to that.

          Then adjusted the AON outbound rules to use that alias.  Adjusted the firewall rules to use that Alias.

          It's now working!

          Many thanks to all who helped!
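          The coverage gap described in this thread, as an added example that is not code from the thread or from pfSense: outbound NAT rules are modelled as (source networks, translation VIP) pairs, a source with several networks standing in for a pfSense network-type alias, and the script reports which internal subnets no rule matches. The public addresses are constructed (203.0.113.0/24) in place of the thread's x.x.x.224/27 block.

```python
import ipaddress

# Constructed stand-ins for the thread's x.x.x.226 / .250 / .229 VIPs.
VIP_LAN_1, VIP_LAN_2, VIP_LAN_3 = "203.0.113.226", "203.0.113.250", "203.0.113.229"

# Every network that must reach the Internet, including the three subnets
# that sit behind the L3 switch on LAN_1 and are only reachable via a route.
INTERNAL_NETWORKS = [
    "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.16.0/24",  # LAN_1
    "172.16.10.0/24",                                                  # LAN_2
    "10.10.20.0/24",                                                   # LAN_3
]

def coverage(rules, networks=INTERNAL_NETWORKS):
    """Map each internal network to the VIP of the first rule whose source
    contains it (pfSense outbound NAT is first-match, top to bottom), or None."""
    report = {}
    for n in networks:
        net = ipaddress.ip_network(n)
        report[n] = None
        for sources, vip in rules:
            if any(net.subnet_of(ipaddress.ip_network(s)) for s in sources):
                report[n] = vip
                break
    return report

def uncovered(rules):
    """Internal networks that would leave the WAN untranslated."""
    return sorted(n for n, vip in coverage(rules).items() if vip is None)

# The broken state: rules derived from the automatic set, one per interface
# subnet only, so the routed LAN_1 subnets have no rule at all.
PER_INTERFACE_RULES = [
    (["10.10.1.0/24"], VIP_LAN_1),
    (["172.16.10.0/24"], VIP_LAN_2),
    (["10.10.20.0/24"], VIP_LAN_3),
]

# The fix from the thread: one network-type alias holding all four LAN_1
# subnets, used as the source of a single rule that translates to one VIP.
LAN_1_ALIAS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.16.0/24"]
ALIAS_RULES = [(LAN_1_ALIAS, VIP_LAN_1)] + PER_INTERFACE_RULES[1:]

if __name__ == "__main__":
    print("missing before fix:", uncovered(PER_INTERFACE_RULES))
    print("missing after fix: ", uncovered(ALIAS_RULES))
```

          Several rules (or one alias rule) sharing a single translation VIP is fine; what matters is that every routed subnet is matched by some rule before traffic reaches the WAN.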

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.