Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    NAT issue w/2 LANs connected via T1

    Scheduled Pinned Locked Moved NAT
    11 Posts 3 Posters 3.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • V
      vegastech
      last edited by

      Hello, I've been trolling the NAT board here but can't seem to find a fix.

      LAN1
      192.168.33.1 = pfSense
      192.168.33.2 = Cisco 1760 #1, eth0
      192.168.44.1 = Cisco1760 #1, eth1

      LAN2
      192.168.22.2 = Cisco 1760 #2, eth0
      192.168.44.2 = Cisco1760 #2, eth1

      • I'm trying to send Internet traffic from both LANs out the pfSense router
      • the link 192.168.44.1 to 192.168.44.2 is a T1
      • the traffic is flowing between the LANs - there does seem to be a lag though, as if it trys a 'path1' then that fails/timeouts and 'path2' works
      • running pfSense 2.0.1
      • if I try a traceroute from the 192.168.22.x LAN it drops/dies at 192.168.44.1 - as if pfSense does not know how to send traffic back to the 192.168.22.x segment from the 192.168.33.x segment
      • I'm fairly sure this a basic setup issue, just not familiar enough with pfSense for proper setup
      1 Reply Last reply Reply Quote 0
      • P
        podilarius
        last edited by

        So if I am to understand this correctly, you are wanting to somehow route on 2 separate interface on the same subnet? This is not possible. Those you are not really firewalling here are you?
        Or perhaps you are not explaining the setup clearly enough.

        If it is a NAT issue, then since you have multiple networks, you are going to have to use manual outbound NAT and also rule(s) on the LAN interface to allow that traffic. The manual outbound NAT needs to be setup so that each subnet uses either a VIP or the WAN address.

        You will also have to setup reverse routes in pfsense so it know how to route the returning traffic.

        1 Reply Last reply Reply Quote 0
        • G
          gofast
          last edited by

          Hi everyone,

          Thanks for the comments. I can accept that the source port is randomized on outgoing packets and the replies back have a src AND dest port of 5060 means that basic nat won't work. What I can't understand is that there is no rule I can put in place to forward the replies to my pabx. My port forward rule of dest port=5060 should forward all udp packets regardless of source port shouldn't it? The rule says src port * src addr * dest port 5060 forward to pabx. It seems to be ignored. Can someone explain to me why this isn't happening?

          Regards,
          Tony

          1 Reply Last reply Reply Quote 0
          • P
            podilarius
            last edited by

            @gofast:

            Hi everyone,

            Thanks for the comments. I can accept that the source port is randomized on outgoing packets and the replies back have a src AND dest port of 5060 means that basic nat won't work. What I can't understand is that there is no rule I can put in place to forward the replies to my pabx. My port forward rule of dest port=5060 should forward all udp packets regardless of source port shouldn't it? The rule says src port * src addr * dest port 5060 forward to pabx. It seems to be ignored. Can someone explain to me why this isn't happening?

            Regards,
            Tony

            I think you posted to the wrong case.

            1 Reply Last reply Reply Quote 0
            • V
              vegastech
              last edited by

              To be more clear:

              LAN1
              192.168.33.1 = pfSense >> default gateway out to the Internet
              192.168.33.2 = Cisco 1760 #1, eth0 >> catches all local traffic and either a) routes it to the remote site or b) sends it off to the default gateway
              192.168.44.1 = Cisco1760 #1, eth1

              1 Reply Last reply Reply Quote 0
              • P
                podilarius
                last edited by

                Okay, so you just need a route in pfsense that states that anything going to 192.168.44.0/24 goes to the 192.168.33.2 gateway. Then you are going to need a rule that allows that traffic and a NAT rule to transform Internet destined traffic into a VIP or WAN address.

                1 Reply Last reply Reply Quote 0
                • V
                  vegastech
                  last edited by

                  So if I setup manual NAT it should look like this - correct? Part of the noob-ness here is that I'm not sure if I need to route the 192.168.44.0/24 traffic with a NAT rule.

                  NAT1.png
                  NAT1.png_thumb

                  1 Reply Last reply Reply Quote 0
                  • V
                    vegastech
                    last edited by

                    Here's what I have now, just added the last line '192.168.44.0/24 >>> 192.168.33.2'

                    NAT3.png
                    NAT3.png_thumb

                    1 Reply Last reply Reply Quote 0
                    • P
                      podilarius
                      last edited by

                      Yes, you need to add one for the 192.168.44.0/24 and also 127.0.0.1/32 (so pfsense itself can use the internet for updates and some services). If you switch to auto, save and then switch back to manual, MAYBE the default rules will come back and you can just ADD the 192.168.44.0/24 on the chain. or perhaps not, in which case we can help you out with those.

                      1 Reply Last reply Reply Quote 0
                      • V
                        vegastech
                        last edited by

                        Great, I can now traceroute from the far side to the local side and out pfSense. Thanks Podilarius!

                        Here's my setup, do you see any cleaning up that needs to be done (i.e. extra routes/rules/NAT not needed)?

                        nat5.png
                        nat5.png_thumb
                        nat6.png
                        nat6.png_thumb
                        nat7.png
                        nat7.png_thumb
                        nat8.png
                        nat8.png_thumb

                        1 Reply Last reply Reply Quote 0
                        • P
                          podilarius
                          last edited by

                          On the wan rules you don't need the 192.168.22 or 44/24 listed there. according to the diagram, those networks should not be on that side of the FW. plus the wan rule to block private ips above ensures that it will be blocked anyway.

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.