Reflection question for 2.0-Release



  • Hey Guys,

    As this is my first post in this forum, please bear with me if I say/do something wrong.

    So, to the problem.

    I've got a pfSense 2.0-Release box, where I want to implement NAT Reflection - as split DNS is not an option for my case.

    The firewall box (there are actually two of them) is a rather slow and old machine, with only 100MB interfaces, so I couldn't let it do all the routing on my Gbit network. That's why I have a core L2+ switch between the firewall and the whole internal network. The default GW on the LAN interface on my firewalls is the IP of the core switch (and there is also one static route on the FW, which leads the desired LAN traffic to the /18 network), and the default gateway on the core switch is the IP of the LAN interface on pfSense FWs. Finally, default gateway set on the firewall is on the WAN interface, provided by my ISP.

    Now, to my problem/question. As I want to make use of NAT reflection, I am running into a bit of a problem. Interfaces that are allowed for NAT reflection are obviously (according to the filter.inc code) not allowed to have a default GW set, therefore I cannot have reflection on my LAN interface (because in my case, it has a default GW set).

    Is there any way around this, except for removing the default GW on the FW LAN interface, or hacking the code?

    Thanks

    Peter


  • Rebel Alliance Developer Netgate

    Why is the LAN the firewall's default gateway? Does it not connect to the internet?

    You'd want the default gateway to be WAN, and then have static routes pointing all of your internal subnets to the switch. No gateway should be set on the LAN interface itself.

    Just a gateway entry under System > Routing on the gateway tab, and then the static routes for each subnet on the routes tab.



  • The default gateway I mentioned is for the LAN interface only (LAN gateway, to be clear). I also have a WAN interface with its own default gateway, which is the real 0.0.0.0 global default (so the global GW is of course on the WAN interface). Then there is a management interface (VLAN 10 tagged through the LAN interface) with its own gateway, which is on the management VLAN (this interface is the main management interface).

    So, the question about NAT Reflection stays. Sorry for the misstatement, I've fixed it in the original post.

    Thanks

    Peter


  • Rebel Alliance Developer Netgate

    You can only have one "default" gateway. I'm still a little confused there - do you have the gateway set on the LAN interface page under Interfaces > LAN? If so, take that off, you do not need it there. That will make the system believe it's a WAN.



  • Yep, I've got a gateway set on my LAN interface and on my MNG interface (management VLAN interface).

    Well, I wonder how this could have worked without breaking anything.

    I have removed both the default GWs, leaving only one interface-bound GW on the WAN.

    Thanks for the help!

    Peter
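
Added example, not part of any post in this thread and not pfSense code: a small audit that reads a firewall configuration export and lists internal interfaces that carry an interface-level gateway, which is the setting the thread identifies as making the system treat LAN as a WAN. The XML element names follow the pfSense 2.x `config.xml` layout as an assumption, and the sample configuration, gateway names and addresses are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the pfSense 2.x config.xml layout (assumption).
# It mirrors the thread: WAN, LAN and a management VLAN each have a gateway set.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><descr>WAN</descr><ipaddr>203.0.113.2</ipaddr><gateway>WANGW</gateway></wan>
    <lan><descr>LAN</descr><ipaddr>10.0.0.1</ipaddr><gateway>CORESW</gateway></lan>
    <opt1><descr>MNG</descr><ipaddr>10.0.10.1</ipaddr><gateway>MNGGW</gateway></opt1>
    <opt2><descr>DMZ</descr><ipaddr>10.0.20.1</ipaddr></opt2>
  </interfaces>
  <gateways>
    <gateway_item><interface>wan</interface><name>WANGW</name><defaultgw/></gateway_item>
    <gateway_item><interface>lan</interface><name>CORESW</name></gateway_item>
    <gateway_item><interface>opt1</interface><name>MNGGW</name></gateway_item>
  </gateways>
</pfsense>"""


def audit_interface_gateways(config_xml):
    """Return interfaces with a gateway set, and those that are not the default route.

    'with_gateway': every interface carrying an interface-level <gateway>.
    'suspect':      the subset whose interface does not hold the default gateway,
                    i.e. internal interfaces that would be treated like a WAN.
    Only statically configured gateways are considered here.
    """
    root = ET.fromstring(config_xml)
    # Interfaces that own the gateway entry flagged as the system default.
    default_ifaces = {
        (item.findtext("interface") or "").strip()
        for item in root.findall("./gateways/gateway_item")
        if item.find("defaultgw") is not None
    }
    with_gateway, suspect = [], []
    for iface in root.findall("./interfaces/*"):
        if not (iface.findtext("gateway") or "").strip():
            continue  # no interface-level gateway: ordinary internal interface
        with_gateway.append(iface.tag)
        if iface.tag not in default_ifaces:
            suspect.append(iface.tag)
    return {"with_gateway": with_gateway, "suspect": suspect}


if __name__ == "__main__":
    result = audit_interface_gateways(SAMPLE_CONFIG)
    for name in result["suspect"]:
        print(f"{name}: gateway set on an internal interface; "
              "keep the gateway entry for static routes, clear it on the interface")
```

Gateway entries that exist only to back static routes stay in the `<gateways>` section and are not flagged; only a gateway selected on the interface itself is reported.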

