NAT 1:1



  • Hello.
    I have this problem: each host should go out to the internet with its own public address, not via the address of the default gateway.
    Example of my configuration:
    WAN 37.xxx.152.x
    LAN 37.xxx.159.x/24
    Practically every host has to go out to the internet as 37.xxx.159.xxx and not, as currently happens, all with the default gateway of the WAN.
    Does a solution exist that I cannot find, or is it not possible to do such a thing?

    Example:
    Host1 = 37.xxx.121.1
    Host2 = 37.xxx.121.2 and so on

    Thank you.



  • Well, it looks like you are running a routed solution and should not be using NAT at all. Remove all 1:1 NAT, then go into outbound NAT and switch to manual. Then remove any auto-created rules except for localhost (127.0.0.1). That, or you need to clarify which addresses are private IPs and which are public IPs.



  • Thank you.
    I do not need any NAT; hosts must all go out with their own public IP. I only use the Captive Portal.
    I configured my WAN interface as xx.xxx.152.18/29 and the LAN as xx.xxx.159.254/24, changed as you said, but it still does not work: no host gets to the internet.
    I was able to do as you said, changing the outbound rules, but the problem remains that the IP is always that of the WAN interface and not of the host.



  • Did you set up any 1:1 NAT rules?



  • That is what I did, but it still does not work.






  • Why? Remove all 1:1 NAT and all rules except for 127.0.0.1 from outbound. You look to be running a routed and not a NATed solution. With a routed solution, you don't need NAT at all, except for the firewall's localhost. Is the ISP routing the IPs to your pfSense WAN interface address (or CARP interface if you are clustering)?



  • Thank you.
    It does not work.
    This is my situation: on the Cisco router side, a point-to-point IP 37.xxx.152.18/29 with gateway 37.xxx.152.17; I use 4 more for other applications.
    Assigned IP block: 37.xxx.159.0/24.
    (I am the manager of the router, so I can change things without problems.)
    pfSense side: WAN IP 37.xxx.152.18, WAN GTW 37.xxx.152.18.
    pfSense LAN side: here perhaps is the configuration error.
    I need to go out to the internet with the subnet on my router, i.e. 37.xxx.159.0/24; I do not care about the firewall, only the Captive Portal.



  • Do you actually own the 37.xxx.159.0/24 that you are using? I am guessing that if you do, your ISP is sending it to your router or you have BGP; in either case, once it gets to that router, send 37.xxx.159.0/24 to the WAN IP of pfSense, which should be 37.xxx.152.18/32. pfSense will then take care of it with its internal routing and will pass traffic so long as you have the rules to do so. It also seems like your gateway is the same as your IP; this will not work. The gateway of pfSense needs to be the internal IP on the Cisco router. Though, on second look, the WAN of pfSense and the WAN side of the Cisco are in the same network. This means that there will be no routing going on. It should be something like:

    Internet (37.xxx.152.17/29) --> (37.xxx.152.18/29) Cisco (37.xxx.159.1/24) --> (37.xxx.159.2/24) pfSense (37.xxx.160.1/24) --> LAN

    This is how a routed setup normally works.
    If you are only assigned the 37.xxx.159.0/24 that is being routed to 37.xxx.152.18, then your LAN on pfSense is going to have to be private (10.0.0.1/24) and you will utilize NAT.

    Please let us know what you have available to you.



  • If I understand correctly, I need to force a third class of IP addresses on the Cisco router.
    Currently I have this available:
    37.xxx.15.16/29 with GTW 37.xxx.152.17
    and, always on the same Cisco interface, 37.xxx.159.0/24 with GTW 37.xxx.159.1.
    I do not have the ability to have 37.xxx.160.0/24 as you say in your message.
    I do the BGP; the IP addresses are mine.
    To understand better, please give me an example of how to set the WAN and LAN interfaces with the IPs you described.
    Thank you.



  • Okay … you have BGP then?
    In that case all the IPs are yours to route, correct?
    If that is the case, then you can route 37.xxx.159.0/24 GTW 37.xxx.152.19 (pfSense WAN) on the Cisco.
    On pfSense, the WAN GTW is the IP address of the Cisco (37.xxx.152.18?). I am still not clear as to what you have assigned where on the Cisco.
    Then no NAT rules anywhere (no 1:1, no manual outbound (aside from 127.0.0.1)).



  • Current configuration: on the same Cisco port are these subnets:

    1. 37.xxx.152.16/29, IP 37.xxx.152.17.
    2. 37.xxx.159.0/24, IP 37.xxx.159.1.

    pfSense configuration:
    WAN IP 37.xxx.152.18, GTW 37.130.17; from here the internet works.
    LAN IP 37.xxx.159.1, the same as the Cisco GTW.
    Removed the outbound rules, left only 127.0.0.1.
    No 1:1 NAT, no rules on the LAN except the Anti-Lockout Rule and the Default allow LAN to any rule, but it does not work: there is no way to get to the internet.
    I tried the two GTWs and they work fine with a PC.
    Thank you.


  • I did more tests.
    I tested the two gateways on the pfSense WAN and they work fine; I tested the whole 37.xxx.159.0/24 class and it works without problems; I even swapped the GTWs between the IP classes and everything works on the pfSense WAN.
    With pfSense configured, nothing works any more: only the WAN remains functional, the LAN does nothing at all.
    I cannot find the problem.



  • I think you have a routing problem, but I am still not sure of the setup of pfSense or the Cisco.

    What is the IP of LAN of pfsense? From your posts it looks like it is 37.000.159.1.. If you have a gateway set on the LAN IP, remove that as well. The only interface with a gateway should be WAN.

    Have you tried tracerouting from a system behind pfsense to see where it is breaking? Is the cisco only doing the bgp and routing, or is there any firewall rules setup?
    On the cisco, the route looks wrong. The 37.000.159.0/24 should be sent to 37.000.152.18 (WAN of pfSense). I am not sure what you have assigned in there, but the cisco cannot have an address in the 159 network or nothing will be routed to pfsense and you will have a broken route.

    So Basically,
    Cisco has an IP address of 152.17 … WAN on pfsense has an ip of 152.18 with the gateway of 152.17. LAN on pfsense has an ip of 159.1 without a gateway set.
    On the cisco, you are going to add a route sending 159.0/24 to 152.18.
    I am not sure how cisco is going to route to the internet as I am not that familiar with BGP. I am assuming that configuration is working on a completely different ip and subnet.



  • Ok.
    I tested by connecting a PC directly to the Cisco port and it all works, in the sense that if I put any IP in the 37.xxx.159.x class it works and goes out to the internet.
    I tried leaving the 37.xxx.159.x class on GTW 37.xxx.152.17 and it works, so I do not see errors on the Cisco; I know it well enough that I could only have missed something through carelessness, and I do not think so.
    To answer your question "Have you tried tracerouting from a system behind pfSense to see where it is breaking": I did the test and it stops at the LAN GTW 37.xxx.130.159.1.
    I think the problem is that pfSense does not pass packets from LAN > WAN; for me it is like this, but I cannot find a way to configure it.



  • If you test from the WAN of pfSense, it is almost the same as hooking up a PC and testing. I think you are trying to route within a subnet, and that just doesn't work. Personally, I don't have enough information to really know for sure … perhaps you could diagram it.

    Try this.

    Set the WAN on pfsense to 37.xxx.159.2/25 GATEWAY 159.1 (the cisco). Then set LAN to 37.xxx.159.129/25 (WITHOUT A GATEWAY).

    In the Cisco route 37.xxx.159.128/25 to 37.xxx.159.2 (WAN on pfsense). Setup a computer behind pfsense and set the ip to 37.xxx.159.130 gateway of 37.xxx.159.129. Make sure just the default allow rules are there. Run connection tests to see what happens.



  • Hello, and sorry for the delay, but I was not at home.
    Doing as you described in the last post, it works.
    You had already said the rest before: "Internet (37.xxx.152.17/29) --> (37.xxx.152.18/29) Cisco (37.xxx.159.1/24) --> (37.xxx.159.2/24) pfSense (37.xxx.160.1/24) --> LAN"
    I did not want to try it because it seems an excessive consumption of IP addresses.
    I added a contiguous class of IPs in BGP and now have 255 IPs available on the output side of pfSense; I can add them without problems, but unfortunately it gets used twice.
    But, on the flip side, unfortunately, when I activate the proxy server it goes back to using the WAN gateway, sigh.
    I hope to find a way to correct the problem and still be able to have the log files.
    Is it not possible to bridge the WAN to the LAN?



  • I agree that it is an excessive waste. The point was to prove that it works if you route correctly. You were not doing this.
    You can get a /30 added and use it the same way as the 159.1/25 … so, for example:

    Internet (37.xxx.152.17/29) --> (37.xxx.152.18/29) Cisco (37.xxx.160.1/30) --> (37.xxx.160.2/30) pfSense (37.xxx.159.1/24) --> LAN
    Then you would route 37.xxx.159.0/24 to 37.xxx.160.2. This would waste very few IPs.

    You can bridge WAN and LAN and you would not need to have another subnet. The configuration is more complex and uses more resources (IMHO). You can try it out to see if that is something that you can live with.
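The three addressing plans discussed in this thread (the original setup with the /24 on the same Cisco port as pfSense's LAN, the /25 split that made it work, and the /30 transit suggested above) can be checked mechanically. The script below is an added example written for this page, not code from the thread, from pfSense or from Cisco. It reads only the `ip address` and `ip route` statements of a minimal IOS-style config (the statement syntax is real IOS; everything else is ignored), and uses RFC 5737 documentation ranges in place of the masked 37.xxx.* addresses: 198.51.100.16/29 stands in for the ISP point-to-point /29, 203.0.113.0/24 for the routed /24, and 192.0.2.0/30 for the extra /30 transit. The sample configs are constructed, and the checks encode the advice given in the thread: WAN on-link with exactly one Cisco interface, the LAN prefix not directly connected on the Cisco, a Cisco static route for the LAN prefix pointing at pfSense's WAN address, and no gateway on the LAN interface.

```python
import ipaddress
import re


def parse_ios(config):
    """Collect interface addresses and static routes from a minimal IOS-style config.

    Only 'ip address A MASK [secondary]' and 'ip route NET MASK NEXTHOP' lines
    are read; everything else is ignored.  (Assumption for this example: the
    config contains nothing else relevant to reachability, e.g. no ACLs.)
    """
    ifaces, routes = [], []
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"ip address (\S+) (\S+)(?: secondary)?", line)
        if m:
            ifaces.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
            continue
        m = re.fullmatch(r"ip route (\S+) (\S+) (\S+)", line)
        if m:
            routes.append((ipaddress.ip_network(f"{m[1]}/{m[2]}"),
                           ipaddress.ip_address(m[3])))
    return ifaces, routes


def check_plan(cisco_config, pfsense_wan, pfsense_lan, lan_gateway=None):
    """Return a list of problems with a routed (no-NAT) plan; [] means it should pass traffic."""
    wan = ipaddress.ip_interface(pfsense_wan)
    lan = ipaddress.ip_interface(pfsense_lan)
    ifaces, routes = parse_ios(cisco_config)
    problems = []

    # 1. pfSense WAN must be on-link with exactly one Cisco interface, with the
    #    same mask; that interface's address is pfSense's only gateway.
    onlink = [i for i in ifaces if wan.ip in i.network]
    if len(onlink) != 1:
        problems.append(f"pfSense WAN {wan} is not on-link with exactly one Cisco interface")
    elif onlink[0].network != wan.network:
        problems.append(f"mask mismatch: Cisco {onlink[0]} vs pfSense WAN {wan}")

    # 2. The LAN prefix must not be directly connected on the Cisco.  If it is,
    #    the Cisco ARPs for LAN hosts itself instead of forwarding to pfSense:
    #    the 'routing within a subnet' mistake from the thread.
    for i in ifaces:
        if i.network.overlaps(lan.network):
            problems.append(f"LAN {lan.network} overlaps Cisco interface {i}; "
                            "it must be reached only via a static route")

    # 3. WAN and LAN must be distinct subnets for pfSense to route between them.
    if wan.network.overlaps(lan.network):
        problems.append(f"pfSense WAN {wan.network} overlaps LAN {lan.network}")

    # 4. The Cisco needs a static route covering the LAN prefix whose next hop
    #    is the pfSense WAN address.
    covering = [(n, nh) for n, nh in routes if lan.network.subnet_of(n)]
    if not covering:
        problems.append(f"no Cisco route covers {lan.network}")
    elif not any(nh == wan.ip for _, nh in covering):
        problems.append(f"route for {lan.network} points at {covering[0][1]}, "
                        f"not pfSense WAN {wan.ip}")

    # 5. Only WAN carries a gateway; pfSense treats any interface with a
    #    gateway as a WAN-type interface, which breaks the plain LAN -> WAN path.
    if lan_gateway is not None:
        problems.append(f"LAN interface has gateway {lan_gateway}; remove it")
    return problems


# Constructed configs.  BROKEN mirrors the poster's original setup: the routed
# /24 sits as a secondary address on the same Cisco port, pfSense's LAN reuses
# that address, and there is no route to pfSense.
BROKEN_CISCO = """
interface GigabitEthernet0/0
 ip address 198.51.100.17 255.255.255.248
 ip address 203.0.113.1 255.255.255.0 secondary
"""
# The /25 split that made it work: Cisco and pfSense WAN share the lower half,
# the LAN gets the upper half, and a route for the upper half points at pfSense.
SPLIT_CISCO = """
interface GigabitEthernet0/0
 ip address 198.51.100.17 255.255.255.248
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.128
ip route 203.0.113.128 255.255.255.128 203.0.113.2
"""
# The /30 transit variant: costs two usable addresses instead of half the /24.
TRANSIT_CISCO = """
interface GigabitEthernet0/0
 ip address 198.51.100.17 255.255.255.248
interface GigabitEthernet0/1
 ip address 192.0.2.1 255.255.255.252
ip route 203.0.113.0 255.255.255.0 192.0.2.2
"""


def run_examples():
    """Check the three plans from the thread; returns {name: [problems]}."""
    return {
        "broken": check_plan(BROKEN_CISCO, "198.51.100.18/29", "203.0.113.1/24"),
        "split25": check_plan(SPLIT_CISCO, "203.0.113.2/25", "203.0.113.129/25"),
        "transit30": check_plan(TRANSIT_CISCO, "192.0.2.2/30", "203.0.113.1/24"),
    }


if __name__ == "__main__":
    for name, probs in run_examples().items():
        print(f"{name}: {'OK' if not probs else ''}")
        for p in probs:
            print(f"  - {p}")
```

Running it reports two problems for the broken plan (the LAN prefix is directly connected on the Cisco, and no route sends it to pfSense) and none for either working plan. The check deliberately says nothing about NAT: in a routed plan the only outbound NAT entry left is the one for 127.0.0.1, so anything beyond that is a separate thing to look for in pfSense rather than on the Cisco.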



  • Thanks, yes, I tried to make it shorter, but something went wrong.
    But now another problem has arisen: the proxy server no longer records logs.
    Where can I look to set up, or try to set up, a bridge between LAN and WAN?
    Thank you for everything anyway.



  • Do a search in these forums and you will find several good write-ups on setting up bridges.
    I made it as short as I could … you could do the first subnet as a /30, but you would still need the second to be a /25 ... not that you could not make quite a few networks out of 159.1 - 128 (the first /25 broken into multiple subnets and used for different things).

