    Wrong outgoing IP on multiple WAN/Public IP routing setup

    Routing and Multi WAN
Jeroen wrote:

I have a pfSense setup with 4 NICs (3 used).

      NIC1 = WAN
      NIC2 = LAN
      NIC3 = OPT

WAN to LAN is used only for management and VPN.

WAN to OPT is used to route public IPs to and from servers behind the firewall without using NAT.
Incoming, this is working OK. Multiple public IPs are set as aliases or virtual IPs.
The server(s) behind the pfSense are all configured with a public IP and are reachable from the outside on ports opened on pfSense.
The gateway on the servers is configured as the network gateway and not the IP of the pfSense.
WAN to OPT is a routing firewall.

As said, incoming this is working OK.
Outgoing, strangely, each server is using the pfSense WAN IP as its public IP.
So anything stateful is not working.

Below is the IP usage/setup (the example is correct, only with public IPs instead of the private ones used in the example).

172.16.0.1 is the network's router.

172.16.0.10 to 172.16.0.25 are the IPs I can use.

The pfSense WAN IP is 172.16.0.10.

So a server with IP 172.16.0.14 behind the OPT interface has subnet 255.255.255.0, a gateway set to 172.16.0.1 (the network's router) and DNS set to 172.16.0.10 (pfSense).
If, let's say, I open port 3389, I can RDP to the server on the public IP from outside the network.
However, when I go to a site like whatsmyip from the server with 172.16.0.14, it says the IP is 172.16.0.10 (the pfSense IP).
So it's not fully transparent.

Again, IRL this is done with public IPs. The last octet does correspond with the real situation.

Does anyone have a clue what I'm missing, doing wrong, or anything else?

Any help appreciated.

Metu69salemi wrote:

Do you still run Automatic Outbound NAT? If so, you need to change it to Manual Outbound NAT and create the corresponding settings over there.
Another option would be 1:1 NAT if you use an internal IP subnet on the server "LAN".

Jeroen wrote:

          Thank you for the quick reply.

Firewall: NAT: Outbound is set to Manual Outbound NAT rule generation (AON - Advanced Outbound NAT).

There is a mapping in the outbound NAT like this (again with example IPs):

Interface | Source        | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port
WAN       | 172.16.0.0/24 | *           | *           | *                | *           | *        | NO

Metu69salemi wrote:

If I read this rule correctly at this point of the day (20 hrs up), it means that your server LAN is included to be NATted to the pfSense IP.

marvosa wrote:

As Metu69salemi said, your firewall rule is NATing your public IP block out your WAN interface. Change the Source to your LAN subnet.

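The mechanism behind the last two replies, as an added example that is not part of the thread and not pfSense's own code: pf evaluates outbound NAT rules in order and the first match wins, and a rule bound to WAN whose Source covers the whole /24 also matches packets that entered on OPT from the routed public servers, since they leave through WAN too. The script below models that first-match lookup with the thread's example addresses and adds a lint check that flags any outbound NAT Source overlapping a block that is supposed to be routed untranslated. The LAN subnet (192.168.1.0/24) and the host 192.168.1.50 are assumptions; the thread never states them.

```python
"""Outbound NAT first-match model (added example, not pfSense's own code).

Reproduces the situation in the thread: pf evaluates outbound NAT rules in
order, first match wins, so a rule whose Source covers the whole /24 that
also holds the routed public IPs rewrites the OPT servers' traffic to the
WAN address.  Assumptions not stated in the thread: LAN is 192.168.1.0/24;
all other addresses follow the 172.16.0.0/24 example used in the posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class OutboundNatRule:
    """One row of Firewall > NAT > Outbound, reduced to the columns that matter here."""
    interface: str      # egress interface the rule is bound to
    source: Net         # Source column
    nat_address: str    # NAT Address column; "*" means "interface address"


# Constructed interface addresses mirroring the example in the thread.
IFACE_ADDR: Dict[str, str] = {"WAN": "172.16.0.10"}

# Rule as Jeroen posted it: Source is the whole /24 that also holds the routed servers.
BROKEN: List[OutboundNatRule] = [OutboundNatRule("WAN", Net("172.16.0.0/24"), "*")]
# Rule as marvosa suggests: Source is the private LAN subnet only (assumed 192.168.1.0/24).
FIXED: List[OutboundNatRule] = [OutboundNatRule("WAN", Net("192.168.1.0/24"), "*")]
# Public block routed through OPT that must leave the firewall without NAT.
ROUTED_PUBLIC: List[Net] = [Net("172.16.0.0/24")]


def outbound_nat(rules: List[OutboundNatRule], egress: str, src: str) -> Optional[str]:
    """Source address a packet from `src` carries after leaving `egress`.

    Returns the translated address when a rule matches, or None when no rule
    matches and the packet is routed with its real source address.
    """
    ip = ipaddress.IPv4Address(src)
    for rule in rules:                      # pf semantics: first matching nat rule wins
        if rule.interface == egress and ip in rule.source:
            return IFACE_ADDR[egress] if rule.nat_address == "*" else rule.nat_address
    return None


def nat_overlaps(rules: List[OutboundNatRule],
                 routed: List[Net]) -> List[Tuple[OutboundNatRule, Net]]:
    """Lint check: (rule, routed network) pairs where the rule's Source would
    catch hosts that are supposed to leave the firewall untranslated."""
    return [(r, n) for r in rules for n in routed if r.source.overlaps(n)]


def report(rules: List[OutboundNatRule]) -> Dict[str, Optional[str]]:
    """What a whatsmyip-style site would see for the routed server and a LAN host."""
    return {
        "opt server 172.16.0.14": outbound_nat(rules, "WAN", "172.16.0.14"),
        "lan host 192.168.1.50": outbound_nat(rules, "WAN", "192.168.1.50"),
    }


if __name__ == "__main__":
    for name, rules in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, report(rules))
        for rule, net in nat_overlaps(rules, ROUTED_PUBLIC):
            print(f"  WARNING: Source {rule.source} on {rule.interface} "
                  f"overlaps routed block {net}")
```

With the posted rule the routed server shows up as 172.16.0.10; with the Source narrowed to the LAN subnet it leaves as 172.16.0.14 and only LAN hosts are translated. After changing the rule in the GUI, reset the state table (Diagnostics > States > Reset States), because states created under the old rule keep their translation until they expire; then check the server again, or look at Diagnostics > States for entries from 172.16.0.14 that still show 172.16.0.10 as the translated source.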