How to NAT in a fully routed configuration?



  • Hi Guys,

    I have a fully routed pfSense setup with CARP and a bunch of web servers all using public IPs behind pfSense on their own routed subnet.

    I have a need to allow some servers behind pfSense to use NAT to get on the internet. For example, my SANs and NFS servers need to have an internet connection to send me status alerts and performance statistics, but I do not want these servers to have public IPs, strictly private IPs on an isolated subnet. This subnet has a connection to pfSense on OPT3 using the IP range 10.10.10.X, but I am completely stumped as to how to allow this subnet access to the internet when the rest of the firewall is configured as fully routed.

    I have tried AON and creating rules etc., but nothing works. Is what I'm trying to do actually possible? If so, can someone help me?

    Cheers.



  • You are in the right place with the AON. I think perhaps your rule is not set up correctly. Let's cover the basics first:

    What version are you running?
    In the firewall rules for OPT3, do you have a default allow rule?
    In AON, the rule should be close to the following:

    Interface: WAN
    Source: 10.10.10.0/24
    Source port: *
    Destination: *
    DPORT: *
    NAT Address: *
    NAT port: *
    Static Port: no

    *=any
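For readers who would rather see the rule in pf syntax than as GUI fields, here is an added example (not from the original thread, and not pfSense's own generated ruleset, although pfSense writes something very close to it to /tmp/rules.debug). It assumes hypothetical interface names em0 for WAN and em3 for OPT3; substitute your own.

```pf
# Hypothetical interface names; check them under Interfaces > Assign.
wan_if     = "em0"
opt3_if    = "em3"
storage_net = "10.10.10.0/24"

# The AON rule from the post above, expressed in pf syntax.
# "(em0)" in parentheses tracks the interface address dynamically,
# which is what "Interface address" means in the translation field.
# "port 1024:65535" is the effect of leaving "Static Port" unchecked.
nat on $wan_if inet from $storage_net to any -> ($wan_if) port 1024:65535

# The OPT3 firewall rule the reply asks about. Without a pass rule on
# OPT3, packets are dropped before the NAT rule is ever consulted,
# so a correct AON rule still looks like it "does nothing".
pass in quick on $opt3_if inet from $storage_net to any keep state
```

Two checks worth running after saving the rule: `pfctl -sn` prints the loaded NAT rules, so you can confirm the 10.10.10.0/24 entry actually exists, and `pfctl -sr` shows whether the OPT3 pass rule made it in. One caveat for the CARP setup described in the first post: translating to the physical WAN interface address means outbound sessions from this subnet break on failover, because the secondary node NATs to a different address; for CARP clusters the usual choice in the NAT Address field is the shared CARP VIP rather than the interface address.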



  • Well that sorted it for me :-)

    Turns out the translation address was the key. Setting it to Any solved the problem.

    Thanks a mil.



  • The "any" setting on there for translation address doesn't actually do anything right now; it currently has the same value as the "interface address" item in the list.  If you edit the rule, you will probably see it go to interface address instead of any.  I'm not sure if an "any" option even makes sense, but if it should mean something, it will need to be defined somewhere in the code for handling outbound NAT rules.



  • That is very true Efonne. But that is only on the summary page, in the rule setup page, it is interface address. Perhaps that could be reflected on the summary page as well.



  • Are you sure the Any option doesn't do anything? I just changed it back to Interface Address and I've lost the ability to browse the net from this subnet until I change it back to Any.
    My system was upgraded from several 2.0 beta versions so maybe something is broken in my install?



  • Well, I haven't confirmed that wasn't changed for any 2.0.x version, I only checked the latest development version.

    EDIT:
    Same for 2.0.x.  I don't really know what is going on; in firewall_nat_out_edit.php it should not be able to know the difference between "interface address" and "any" for the translation address, because in the current state of the code the HTML will always have those two fields set to the same value.  I've even tested it and the configuration comes out the same.

    If you select "any" for translation address and save the rule, is it still selected if you edit it?  If so, either you must have a modified version or we aren't talking about the same page.

