Dual NAT requirement - suggestions on implementation



  • All,

    First post here - am searching through the forum for a similar thread, so apologies if someone has already responded to a similar query.

    Have been looking to configure pfsense in a dual NAT environment, but no luck. Here's my network configuration:

    Internet -> Router (DHCP, 192.168.1.0/24) -> Windows 8 laptop (IP address assigned by DHCP in the 192.168.1.x space).

    On the laptop, I have VMware and run a host only network (10.158.11.0/24) that has a variety of virtual machines running. So far, I have been using VMware's built-in DHCP service to assign IP addresses to these VMs.

    Now I want to route all traffic on this network through a pfsense VM out to the internet like below:

    Internet - Router (DHCP, 192.168.1.0/24) - WAN(192.168.1.x assigned by the router) pfsense LAN (10.158.1.1, Pfsense as the DHCP server) - windows xp vm (10.158.11.2)

    I tried un-checking the option which disables a WAN address in the private space, but I'm simply not able to route any traffic out to the internet. Any thoughts / Suggestions?

    Don't have access to my laptop now, hence not able to post screen shots of the configuration pages. If you have any questions, please ask - I'll keep checking in from time to time.

    thanks.



  • I am not sure if I clearly understand your config - but - host only network on VMware means "host only" - like an internal network - no packets out.
    Bridge your VMs' network cards out to the wire, let pfsense do DHCP or give the VMs themselves the address you want.
    If you bring no packets out of the VMs, then nothing happens at pfsense.



  • There are a few things to do.

    [vmlan] => Lan => Internet

    1. Check that your vmlan has working dns addresses in use. If you don't have working dns, no Internet!
    2. Check your routing in pfsense - it should have your router as default gateway - this should be ok by using dhcp but… - no gateway, no Internet
    3. Check firewall rule from vmlan that allows to pass traffic to any network. Should have Default allow LAN to any rule in your pfSense vmlan interface - no rule, no Internet
    4. Check that your router has no firewall rules which block other private networks from passing to the Internet; now your 19.168.1.0/24 network is ok, but how about your vmlan network 10.158.11.0/24?
    5. Uncheck Block private networks in your vmlan interface and wan.
    6. Check that your virtual machines gets those settings via dhcp (ip & dns) Do traceroute to check routing. See firewall logs!

    That's it - should work.
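
The addressing side of this checklist (separate subnets on each side of pfSense, an on-link gateway for the VMs, and the "Block private networks" setting) can be checked from the address plan alone. The following is an added example, not part of any post in this thread; the function name, the finding codes and the WAN address 192.168.1.50 are assumptions, and the other values are as written in the thread.

```python
import ipaddress

def check_dual_nat_plan(router_net, pf_wan_ip, pf_lan_ip, pf_lan_net,
                        clients, block_private_wan, block_private_lan):
    """Return (code, message) findings for a pfSense-behind-a-router plan."""
    upstream = ipaddress.ip_network(router_net)
    inner = ipaddress.ip_network(pf_lan_net)
    wan_ip = ipaddress.ip_address(pf_wan_ip)
    lan_ip = ipaddress.ip_address(pf_lan_ip)
    findings = []

    # Double NAT only works if the two sides are distinct subnets.
    if upstream.overlaps(inner):
        findings.append(("OVERLAP", f"{upstream} and {inner} overlap"))
    # The WAN address must sit on the router's LAN to reach the default gateway.
    if wan_ip not in upstream:
        findings.append(("WAN_OFF_SUBNET", f"{wan_ip} is outside {upstream}"))
    # The pfSense LAN address is the VMs' gateway and must be on-link for them.
    if lan_ip not in inner:
        findings.append(("GW_OFF_SUBNET",
                         f"pfSense LAN {lan_ip} is outside {inner}"))
    for client in map(ipaddress.ip_address, clients):
        if client not in inner:
            findings.append(("CLIENT_OFF_SUBNET", f"{client} is outside {inner}"))
    # is_private covers RFC 1918 ranges (and a few other reserved blocks).
    if block_private_lan and inner.is_private:
        findings.append(("LAN_BLOCKS_PRIVATE",
                         f"'Block private networks' on LAN drops sources in {inner}"))
    if block_private_wan and wan_ip.is_private:
        findings.append(("WAN_BLOCKS_PRIVATE",
                         "'Block private networks' is on for a private WAN address"))
    return findings

if __name__ == "__main__":
    # Values as written in the thread; the WAN address is constructed.
    for code, message in check_dual_nat_plan(
            "192.168.1.0/24", "192.168.1.50", "10.158.1.1", "10.158.11.0/24",
            ["10.158.11.2"], block_private_wan=False, block_private_lan=False):
        print(code, "-", message)
```
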



  • @peterpf:

    I am not sure if I clearly understand your config - but - host only network on VMware means "host only" - like an internal network - no packets out.
    Bridge your VMs' network cards out to the wire, let pfsense do DHCP or give the VMs themselves the address you want.
    If you bring no packets out of the VMs, then nothing happens at pfsense.

    @peterpf - I understand that a host only / private network will not bring out packets on to the physical side - In fact this is the setup I'm aiming at. I'm looking at pfsense to perform the bridging between the virtual and physical networks.

    @Clouseau:

    There are a few things to do.

    [vmlan] => Lan => Internet

    1. Check that your vmlan has working dns addresses in use. If you don't have working dns, no Internet!
    2. Check your routing in pfsense - it should have your router as default gateway - this should be ok by using dhcp but… - no gateway, no Internet
    3. Check firewall rule from vmlan that allows to pass traffic to any network. Should have Default allow LAN to any rule in your pfSense vmlan interface - no rule, no Internet
    4. Check that your router has no firewall rules which block other private networks from passing to the Internet; now your 19.168.1.0/24 network is ok, but how about your vmlan network 10.158.11.0/24?
    5. Uncheck Block private networks in your vmlan interface and wan.
    6. Check that your virtual machines gets those settings via dhcp (ip & dns) Do traceroute to check routing. See firewall logs!

    That's it - should work.

    Inspector Clouseau (:D)

    I haven't gotten around to configuring the firewall rules yet. Will have to do that a little later on. So, your first, third and sixth points are connected to stages I haven't started yet.

    Only issue I'm facing now is with the WAN interface. I have unchecked the setting for allowing private WAN addresses (point #5) and the router is set as the default gateway (when WAN is assigned a static IP) (Point 2)

    Confirmed that there are no firewall rules (at the router) which blocks other private IP addresses (point 4) - essentially, all the 10.158.11.0/24 addresses get NAT'ed by pfsense into a single 192.168.1.0/32 address.

    All is fine on the LAN side - VMs are able to communicate between each other without issues.



  • @peterpf:

    I am not sure if I clearly understand your config - but - host only network on VMware means "host only" - like an internal network - no packets out.
    Bridge your VMs' network cards out to the wire, let pfsense do DHCP or give the VMs themselves the address you want.
    If you bring no packets out of the VMs, then nothing happens at pfsense.

    This is the easiest way to do it, and almost the proper way to do it really.

