Simple nat not working
-
dear pfsense users,
I'm going to replace my single Soekris with dual WAN running Gentoo Linux with 2 highly available Soekris (4801) boxes running pfSense and 3 WANs. I'll do NAT and bridging. The boxes have 5 NICs:
sis0 -> LAN
sis1 -> VLAN1 = WAN
sis1 -> VLAN2 = WAN2
sis1 -> VLAN3 = WAN3
sis2 -> SYNC with the other box
sis3 -> DMZ natted
sis4 -> DMZ bridged
I'm going to configure it in this way:
- every IP (public and on LAN) is handled by CARP - in this way I lose 2 public IPs for each WAN
- some IPs are NATted on a port basis
- some IPs are bridged (and filtered)
In this way I should be able to survive 2 WAN failures and a firewall failure.
I was able to configure outbound balancing with a snapshot from 2 months ago, but I was unable to make NAT/bridge work, so today I started a fresh 1.2 beta1 install and tried to configure just CARP IPs and NAT to isolate the problem.
I was unable to NAT anything (I was able to make the firewall respond to ping by allowing ICMP). Do you have any idea? This is the relevant part of my conf (I'll post the rest tomorrow):
<interfaces>
  <lan>
    <if>sis0</if>
    <ipaddr>192.168.0.11</ipaddr>
    <subnet>24</subnet>
    <media></media>
    <mediaopt></mediaopt>
    <bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
  </lan>
  <wan>
    <if>vlan0</if>
    <mtu></mtu>
    <media></media>
    <mediaopt></mediaopt>
    <bandwidth>100</bandwidth>
    <bandwidthtype>Mb</bandwidthtype>
    <ipaddr>WAN1.70</ipaddr>
    <subnet>28</subnet>
    <gateway>WAN1.73</gateway>
    <spoofmac></spoofmac>
  </wan>
  <opt1>
    <descr>SYNC</descr>
    <if>sis2</if>
    <bridge></bridge>
    <enable></enable>
    <ipaddr>10.0.5.1</ipaddr>
    <subnet>24</subnet>
    <gateway></gateway>
    <spoofmac></spoofmac>
  </opt1>
  <opt2>
    <descr>DMZ</descr>
    <if>sis3</if>
    <bridge></bridge>
    <enable></enable>
    <ipaddr>10.0.3.1</ipaddr>
    <subnet>24</subnet>
    <gateway></gateway>
    <spoofmac></spoofmac>
  </opt2>
  <opt3>
    <descr>BRIDGE</descr>
    <if>sis4</if>
    <bridge></bridge>
    <ipaddr></ipaddr>
    <subnet>32</subnet>
    <gateway></gateway>
    <spoofmac></spoofmac>
  </opt3>
  <opt4>
    <descr>WAN2</descr>
    <if>vlan1</if>
    <bridge></bridge>
    <ipaddr>WAN2.54</ipaddr>
    <subnet>28</subnet>
    <gateway>WAN2.57</gateway>
    <spoofmac></spoofmac>
    <mtu></mtu>
    <enable></enable>
  </opt4>
  <opt5>
    <descr>WAN3</descr>
    <if>vlan2</if>
    <bridge></bridge>
    <ipaddr>WAN3.45</ipaddr>
    <subnet>28</subnet>
    <gateway>WAN3.33</gateway>
    <spoofmac></spoofmac>
    <mtu></mtu>
    <enable></enable>
  </opt5>
</interfaces>
CARP conf (just one):
<vip>
  <mode>carp</mode>
  <interface>opt5</interface>
  <vhid>2</vhid>
  <advskew>0</advskew>
  <password>****</password>
  <descr>router WAN3</descr>
  <type>single</type>
  <subnet_bits>28</subnet_bits>
  <subnet>WAN3.38</subnet>
</vip>
VLANs:
<vlans>
  <vlan><if>sis1</if> <tag>50</tag> <descr>adsl telecom</descr></vlan>
  <vlan><if>sis1</if> <tag>60</tag> <descr>adsl eutelia</descr></vlan>
  <vlan><if>sis1</if> <tag>70</tag> <descr>wifi e4a</descr></vlan>
</vlans>
many thanks
-
Are all the interfaces you bridged up???
If 1 is not up then the whole bridge is broken
and none of the other bridged interfaces that are well connected will work until the bridge is fixed -
I'm not using bridge; until now I just named the interface...
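Because the thread turns on which interfaces are actually enabled and which are bridged, here is an added example (not code from the poster or from pfSense) that parses the flat <interfaces> block of a pfSense 1.x config.xml and applies the rule from the reply at the configuration level: an interface with a <bridge> peer, and that peer, must both be enabled. It assumes the 1.x layout in which an <optN> interface is enabled only when it carries an empty <enable> element and <bridge> holds the name of the interface it is bridged with; the sample XML is constructed from the post, keeping the poster's WAN1.70-style placeholders for public addresses. It reads the config only, so "up" here means "enabled in config", not link state.

```python
"""Added example: report enabled/bridged state for the <interfaces> block of a
pfSense 1.x config.xml and flag bridge members that are not enabled."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the interfaces posted in the thread, with the
# empty elements (<bridge>, <enable>, <ipaddr>) as flat siblings.  WAN1.70-style
# values are the poster's placeholders for real public addresses.
SAMPLE_CONFIG = """<pfsense>
<interfaces>
  <lan><if>sis0</if><ipaddr>192.168.0.11</ipaddr><subnet>24</subnet></lan>
  <wan><if>vlan0</if><ipaddr>WAN1.70</ipaddr><subnet>28</subnet><gateway>WAN1.73</gateway></wan>
  <opt1><descr>SYNC</descr><if>sis2</if><bridge></bridge><enable></enable><ipaddr>10.0.5.1</ipaddr><subnet>24</subnet></opt1>
  <opt2><descr>DMZ</descr><if>sis3</if><bridge></bridge><enable></enable><ipaddr>10.0.3.1</ipaddr><subnet>24</subnet></opt2>
  <opt3><descr>BRIDGE</descr><if>sis4</if><bridge></bridge><ipaddr></ipaddr><subnet>32</subnet></opt3>
  <opt4><descr>WAN2</descr><if>vlan1</if><bridge></bridge><ipaddr>WAN2.54</ipaddr><subnet>28</subnet><gateway>WAN2.57</gateway><enable></enable></opt4>
  <opt5><descr>WAN3</descr><if>vlan2</if><bridge></bridge><ipaddr>WAN3.45</ipaddr><subnet>28</subnet><gateway>WAN3.33</gateway><enable></enable></opt5>
</interfaces>
</pfsense>
"""

# Constructed variant: opt3 bridged with LAN (as the poster's plan describes)
# but still without an <enable> element, i.e. a bridge member that is not up.
BRIDGED_VARIANT = SAMPLE_CONFIG.replace(
    "<opt3><descr>BRIDGE</descr><if>sis4</if><bridge></bridge>",
    "<opt3><descr>BRIDGE</descr><if>sis4</if><bridge>lan</bridge>")


def parse_interfaces(xml_text):
    """Map interface name -> {"if", "descr", "enabled", "bridge"}.

    Assumption (pfSense 1.x): lan and wan are always enabled; an optN interface
    is enabled only if it has an <enable> element; <bridge> names the peer."""
    root = ET.fromstring(xml_text)
    ifaces = {}
    for node in root.find("interfaces"):
        name = node.tag
        enabled = name in ("lan", "wan") or node.find("enable") is not None
        peer = (node.findtext("bridge") or "").strip() or None
        ifaces[name] = {
            "if": node.findtext("if"),
            "descr": node.findtext("descr") or name.upper(),
            "enabled": enabled,
            "bridge": peer,  # interface this one is bridged with, or None
        }
    return ifaces


def bridged_interfaces(ifaces):
    """Names of interfaces that carry a bridge peer."""
    return sorted(name for name, info in ifaces.items() if info["bridge"])


def bridge_problems(ifaces):
    """Human-readable list of bridge members (or peers) that are not enabled,
    plus bridges pointing at an interface that does not exist in the config."""
    problems = []
    for name, info in ifaces.items():
        peer = info["bridge"]
        if peer is None:
            continue
        if peer not in ifaces:
            problems.append(f"{name} is bridged with unknown interface {peer}")
            continue
        if not info["enabled"]:
            problems.append(f"{name} is bridged with {peer} but is not enabled")
        if not ifaces[peer]["enabled"]:
            problems.append(f"{name} is bridged with {peer}, which is not enabled")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as posted", SAMPLE_CONFIG),
                       ("opt3 bridged with lan", BRIDGED_VARIANT)):
        ifaces = parse_interfaces(cfg)
        print(f"[{label}] bridged interfaces: {bridged_interfaces(ifaces) or 'none'}")
        for name, info in ifaces.items():
            state = "enabled" if info["enabled"] else "DISABLED"
            print(f"  {name:5} {info['if']:6} {info['descr']:8} {state}")
        for problem in bridge_problems(ifaces):
            print("  problem:", problem)
```

Run against the configuration as posted it reports no bridged interfaces at all (every <bridge> is empty, matching the poster's later reply) and shows opt3 as the only interface without <enable>; the variant shows how the reply's rule fires as soon as such an interface is made a bridge member.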