2 pfsense, NAT question



  • Hi there,

    I have problems setting up 2 pfSense machines, both version 2.0.1, in a DMZ.
    As you can see in the picture:

    On 10.19.64.4 I have activated automatic outbound NAT rule generation and can reach the internet when going directly to my outside router.

    If I go through the 2nd pfSense on 10.19.64.5, there is no way out to reach the internet.
    The GW on 10.19.64.4 (WAN) is configured as 10.19.64.5.

    How do I have to configure this so that everything works the way it is in the picture? Is double NATing even possible?

    Please help me out.

    gz

    ![Netzwerk Forum.jpg](/public/imported_attachments/1/Netzwerk Forum.jpg)



  • Double NAT is possible but not recommended. There is an option on the WAN interface setup to block private IPs. This is on by default and you should turn it off.
    Second, please include your subnet CIDR or mask. I don't think you have them in the same network, but just need to verify that.

    So I am going to call the pfSense FW with the LAN address of 10.19.65.5 pfsense 1, since it is the outer FW.
    The other I am going to call pfsense 2.
    pfsense 1 should have the default gateway of your ISP router, and only on the WAN. There should not be a LAN gateway set.
    pfsense 2 should have 10.19.65.5 set as the default gateway on its WAN. There should not be a LAN gateway set.
    All devices directly behind pfsense 1 should have 10.19.65.5 set as the gateway on their interfaces.
    All devices directly behind pfsense 2 should have 10.11.1.252 set as the gateway on their interfaces.

    I also notice that you have VLANs behind pfsense 2. You are going to have to account for those subnets. Do you have multiple VLANs set up on pfsense 2, or is routerprim handling the VLAN traffic? If so, then each VLAN will use the proper IP address set up in routerprim as its gateway, and routerprim will have its default gateway set to 10.11.1.252.
    pfsense will need to allow these IPs to pass. The default LAN rule will block all but the LAN subnet. I think you would also need to switch to advanced outbound NAT on pfsense 2 so that you can create rules for each individual VLAN subnet to NAT with. You are also going to have to create routes in pfsense 2 to route the VLANs' traffic back to the routerprim device.

    Without further details, I have had to speculate and just cover the basics. Feel free to elaborate.



    Thanks for your fast reply, podilarius.

    I should say that the configuration is still being built up, meaning pfsense 2 is in production, pfsense 1 not yet.

    In the meantime, I read a bit further about double NAT, and I think I don't want it anymore ;)
    Sure, on firewall 1 I do the NAT, but not on firewall 2.
    So what do you think is the better solution?

    The option "block private IPs" is set properly on all the assigned interfaces.

    pfsense 1 has the gateway of my ISP set on WAN. The LAN GW was set because otherwise I couldn't reach pfsense 1 from VLAN10; also the route 10.10.0.0/16 was set on pfsense 1. Now removed!
    pfsense 2 has the gateway set as 10.19.64.5 on WAN. The LAN gateway is set, and the routes for 10.10.0.0/16, 10.110.0.0/16, 10.150.0.0/16 are entered here. (I cannot remove this during work hours.)

    You are right, routerprim is handling the VLAN traffic; its default gateway is set to 10.11.1.252.

    What am I supposed to do?!

    Remove the LAN gateway on pfsense 2, switch to "advanced outbound NAT" and create rules for the VLANs!?

    Thanks in advance.



  • I guess I am confused. Do you have pfsense 1 online and working right now?
    LAN should not have a gateway set except in special cases (which I have never run across). If you are doing a double NAT, then you should not have any static routes on pfsense 1. Nor a GW on LAN.
    If all you want is a DMZ, you can do that with another VLAN or interface card off the existing pfsense FW. That would be the preferable way to do it (IMO). But I can also see the case for a double NAT if your existing pfsense FW is overloaded.
    So any way, on pfsense 2, WAN is good. LAN should not have a default gateway. But you will need to set static routes to make sure all VLAN traffic gets back to the routerprim.

    Now, if you are going to do a routed solution instead, which is preferable, then you need to change it up a bit.
    On pfsense 1, you might be able to use autonat, but I am more controlling and prefer the manual NAT so that I know what is passing through NAT and what is not. To continue, WAN has a GW of the ISP (repetitive I know, but …). LAN has no gateway. Default LAN rule will need to either include any to any or all your VLAN subnet to any destination (or as restrictive as you like, but must include all subnets behind it and pfsense 2). You are then going to create routes for each VLAN subnet and LAN subnet behind pfsense 2 and use the gateway of pfsense 2 WAN address (10.19.64.4). You can then create rules as you like for inbound traffic.

    On pfsense 2, WAN has the gateway of pfsense 1 LAN (10.19.64.5). LAN will not have a default gateway set. You will need to create a static route for each VLAN behind routerprim and set the gateway to the routerprim WAN (or the IP in the 10.11.0.0/16 network). I would start with an any to any rule on LAN and WAN until you make sure all is working correctly, then go in and restrict access as needed.

    Hopefully it is not too confusing. (It is not in my head ;) )
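The routed design above hinges on one thing that is easy to miss: once pfsense 2 stops NATing, pfsense 1 sees the real VLAN source addresses and must have a route back to each of them via 10.19.64.4, or the replies it un-NATs will follow its default route to the ISP and die. The Python model below is an added example, not part of the thread and not pfSense's own code; it walks a packet from a VLAN10 host to an internet host and back through routerprim, pfsense 2, pfsense 1 and the ISP, with longest-prefix routing and per-interface outbound NAT. Addresses from the thread are used where the thread gives them; the prefix lengths (/24 on 10.19.64.0, /16 on 10.11.0.0 and the VLANs), routerprim's addresses (10.11.1.1 and 10.10.0.1), VLAN10 = 10.10.0.0/16, the public addresses (203.0.113.0/24, 198.51.100.0/24) and the NAT source scope (10.0.0.0/8) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IP = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Node:
    """A host or router: interfaces, route table, optional outbound NAT and its state."""
    name: str
    ifaces: Dict[str, ipaddress.IPv4Interface]              # ifname -> address/prefix
    routes: List[Tuple[Net, Optional[IP]]]                   # (destination, next hop); None = connected
    nat_out: Dict[str, List[Net]] = field(default_factory=dict)   # ifname -> source nets to translate
    state: Dict[Tuple[IP, IP], IP] = field(default_factory=dict)  # (translated src, dst) -> real src

    def owns(self, addr: IP) -> bool:
        return any(itf.ip == addr for itf in self.ifaces.values())

    def lookup(self, dst: IP) -> Optional[Tuple[Net, Optional[IP]]]:
        """Longest-prefix match, the same decision the FreeBSD kernel under pfSense makes."""
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def egress(self, via: IP) -> Optional[str]:
        return next((n for n, i in self.ifaces.items() if via in i.network), None)


def node(name, ifaces, static=(), nat_out=None) -> Node:
    ifs = {k: ipaddress.IPv4Interface(v) for k, v in ifaces.items()}
    routes = [(i.network, None) for i in ifs.values()]          # connected routes
    routes += [(Net(n), IP(h)) for n, h in static]               # static routes / default
    nat = {k: [Net(n) for n in v] for k, v in (nat_out or {}).items()}
    return Node(name, ifs, routes, nat)


VLANS = ["10.10.0.0/16", "10.110.0.0/16", "10.150.0.0/16"]      # routes named in the thread


def build(pf2_nat: bool, pf1_return_routes: bool) -> Dict[str, Node]:
    """Thread topology. Assumed (not in the thread): /24 on 10.19.64.0, /16 on 10.11.0.0,
    routerprim at 10.11.1.1 and 10.10.0.1, VLAN10 = 10.10.0.0/16, public side 203.0.113.0/24."""
    behind_pf2 = ["10.11.0.0/16"] + VLANS
    nodes = [
        node("internet", {"eth": "198.51.100.10/24"}, [("0.0.0.0/0", "198.51.100.1")]),
        node("isp", {"out": "198.51.100.1/24", "cust": "203.0.113.1/24"}),  # no RFC1918 routes
        node("pfsense1", {"wan": "203.0.113.2/24", "lan": "10.19.64.5/24"},
             [("0.0.0.0/0", "203.0.113.1")]
             + ([(n, "10.19.64.4") for n in behind_pf2] if pf1_return_routes else []),
             {"wan": ["10.0.0.0/8"]}),                           # NAT only on the outer firewall
        node("pfsense2", {"wan": "10.19.64.4/24", "lan": "10.11.1.252/16"},
             [("0.0.0.0/0", "10.19.64.5")] + [(n, "10.11.1.1") for n in VLANS],
             {"wan": ["10.0.0.0/8"]} if pf2_nat else {}),       # double NAT or routed
        node("routerprim", {"up": "10.11.1.1/16", "vlan10": "10.10.0.1/16"},
             [("0.0.0.0/0", "10.11.1.252")]),
        node("vlan10-host", {"eth": "10.10.10.20/16"}, [("0.0.0.0/0", "10.10.0.1")]),
    ]
    return {n.name: n for n in nodes}


def deliver(nodes: Dict[str, Node], src: IP, dst: IP, max_hops: int = 12):
    """Forward one packet hop by hop. Returns (outcome, source as last seen, path)."""
    by_addr = {i.ip: n for n in nodes.values() for i in n.ifaces.values()}
    cur, path = by_addr[src], []
    for _ in range(max_hops):
        path.append(cur.name)
        if (dst, src) in cur.state:                 # reply to a flow this box translated: undo NAT
            dst = cur.state[(dst, src)]
        if cur.owns(dst):
            return "delivered", src, path
        route = cur.lookup(dst)
        if route is None:
            return f"dropped at {cur.name}: no route to {dst}", src, path
        via = dst if route[1] is None else route[1]
        out = cur.egress(via)
        if out is None or via not in by_addr:
            return f"dropped at {cur.name}: next hop {via} unreachable", src, path
        if any(src in n for n in cur.nat_out.get(out, [])):   # outbound NAT on the egress interface
            cur.state[(cur.ifaces[out].ip, dst)] = src
            src = cur.ifaces[out].ip
        cur = by_addr[via]
    return "dropped: hop limit exceeded", src, path


def round_trip(pf2_nat: bool, pf1_return_routes: bool) -> Tuple[str, str]:
    """VLAN10 host -> internet host, then the reply back; returns both outcomes."""
    nodes = build(pf2_nat, pf1_return_routes)
    host, inet = IP("10.10.10.20"), IP("198.51.100.10")
    out, seen_src, _ = deliver(nodes, host, inet)
    if out != "delivered":
        return out, "no reply"
    back, _, _ = deliver(nodes, inet, seen_src)
    return out, back


if __name__ == "__main__":
    for mode in [(True, False), (False, True), (False, False)]:
        print(f"pf2_nat={mode[0]} pf1_return_routes={mode[1]} -> {round_trip(*mode)}")
```

Run it and the three cases line up with the advice in the post: double NAT works with no routes on pfsense 1, because pfsense 1 only ever sees 10.19.64.4; the routed design works once pfsense 1 has the return routes via 10.19.64.4; and the routed design without them delivers the outbound packet fine but loses every reply at the ISP, which is exactly the "works one way, nothing comes back" symptom. The model ignores firewall rules, so the any-to-any rules the post suggests for the first test are still needed on the real boxes.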



  • It is getting clearer for me now, but

    @podilarius:

    To continue, WAN has a GW of the ISP (repetitive I know, but …). LAN has no gateway. Default LAN rule will need to either include any to any or all your VLAN subnet to any destination (or as restrictive as you like, but must include all subnets behind it and pfsense 2). You are then going to create routes for each VLAN subnet and LAN subnet behind pfsense 2 and use the gateway of pfsense 2 WAN address (10.19.64.4). You can then create rules as you like for inbound traffic.

    ??

    I have to create a gateway for LAN in pfsense 1 to create the routes for the VLAN subnets.
    If I don't create the gateway, I cannot choose the gateway from the dropdown menu for the static routes??

    Am I missing something??

    cheers



  • Yes, a misunderstanding, since I probably didn't explain where I was referring to. Like the WAN setup page, the LAN interface setup page has a place where you can enter a default gateway. You do not want to do this. That is what I am referring to, and not the route setup. In the routing setup, you do have to create a gateway so that you can set up the routes properly.



  • Finally I think I got it with your help!

    Thank you podilarius

    I will report back here when all is online and running.

    There is already another question coming up about http-redirect, which I will post in a new thread. Maybe you have answers for this too  ;D

    cheers

