    Virtual IP alias as gateway for a subnet

    General pfSense Questions

      mmerlone:

      Greetings,

      Plain simple question: can a virtual IP alias for the LAN interface, in a different subnet, be used as the gateway for its subnet? Sure, firewall rules are needed. Any other step to make it work?

      Regards.

      marcelloc:

        In theory, yes.

        jimp (Rebel Alliance Developer, Netgate):

          Yes, the only considerations you'd have would be:

          • Add the IP Alias VIP to the firewall (Make sure to use the correct subnet mask)
          • Adjust your firewall rules to pass traffic from a source of the second subnet
          • If you are on manual outbound NAT, make sure your outbound NAT rules cover a source of the new subnet
          mmerlone:

            So, I just wiped the disks and started over with a clean config. This time I did not hit the bug where the install hangs at 38% of /usr (it is a Dell PowerEdge 860, SAS5/i mirror on SATA disks). Nice…

            @jimp:

            • Add the IP Alias VIP to the firewall (Make sure to use the correct subnet mask)

            Done.

            @jimp:

            • Adjust your firewall rules to pass traffic from a source of the second subnet

            Done. Also made a top rule on each interface plus a floating one to allow ICMP in any direction.

            @jimp:

            • If you are on manual outbound NAT, make sure your outbound NAT rules cover a source of the new subnet

            Did not touch this; outbound NAT is automatic. All config is at defaults.

            Result:
            1. pfsense is able to ping 8.8.8.8.
            2. A client machine on 10.0.0.0/24 segment IS able to ping another on 192.168.0.0/24, so routing is working.
            3. A client machine on 10.0.0.0/24 segment is NOT able to ping 8.8.8.8.
            4. A client machine on 192.168.0.0/24 (my workstation) segment is NOT able to ping 8.8.8.8.

            Both 10.0.0.0/24 and 192.168.0.0/24 are on the same Ethernet bus and broadcast domain; does it matter?
            I have reset states table (Diagnostics -> States -> Reset states), no luck in any box.

            What next?

            jimp:

              Shouldn't matter. So long as the WAN interface has a gateway selected, which indicates to the system that it needs to NAT out there, it should work with automatic outbound NAT.

              I suspect if you check the state table for 8.8.8.8 you'll see that NAT isn't being applied. Normally with NAT being applied you'd see two states, one in, one out, and one of them has three IPs: client -> external -> target and target -> client. If no NAT is being applied, the middle IP doesn't show up.

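jimp's check above (two states per NATed flow, the outbound one reading client -> external -> target) can be run mechanically against `pfctl -ss` output. The following Python is an added example, not code from the thread or from pfSense: it parses constructed `pfctl -ss` lines (in that command's text form, where the translated source is printed first and the original client source in parentheses; the GUI renders the same state as three arrows), classifies each client-to-target flow as NATed, un-NATed or absent, and lists RFC 1918 sources that are leaving the WAN untranslated. The interface names, addresses and ports in the sample are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed `pfctl -ss` lines (not from the original thread). Assumed layout:
# xl0 is WAN with address 203.0.113.10, bge1 is LAN. The first two pairs are
# properly NATed flows: the WAN-side state shows the translated source first
# and the original client source in parentheses. The last line is the failure
# mode from the thread: an outbound state on WAN whose source is still the
# private client address, i.e. no translation was applied.
SAMPLE_STATES = """\
bge1 icmp 8.8.8.8:8 <- 10.0.0.8:512       0:0
xl0 icmp 203.0.113.10:4097 (10.0.0.8:512) -> 8.8.8.8:8       0:0
bge1 tcp 198.51.100.20:80 <- 10.0.0.8:49152       ESTABLISHED:ESTABLISHED
xl0 tcp 203.0.113.10:49152 (10.0.0.8:49152) -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
xl0 icmp 10.0.0.9:512 -> 8.8.8.8:8       0:0
"""

_HOST = r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"
_STATE_RE = re.compile(
    rf"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    rf"(?P<left>{_HOST})(?:\s+\((?P<left_orig>{_HOST})\))?\s+"
    rf"(?P<arrow><-|->)\s+"
    rf"(?P<right>{_HOST})(?:\s+\((?P<right_orig>{_HOST})\))?"
    rf"(?:\s+(?P<status>\S+))?\s*$"
)


def _ip(host: str) -> str:
    """Strip the :port suffix from an IPv4 host:port token."""
    return host.split(":")[0]


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str           # "out" for "->", "in" for "<-"
    src: str                 # client (pre-translation) source address
    dst: str
    nat_src: Optional[str]   # source after translation, None when untranslated
    status: str

    @property
    def translated(self) -> bool:
        return self.nat_src is not None


def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one `pfctl -ss` line; return None for headers or unrelated lines."""
    m = _STATE_RE.match(line.strip())
    if m is None:
        return None
    g = m.groupdict()
    if g["arrow"] == "->":
        # Outbound: "translated-src (original-src) -> dst". Without NAT there is
        # no parenthesised address, which is the missing middle IP jimp mentions.
        if g["left_orig"]:
            src, nat_src = _ip(g["left_orig"]), _ip(g["left"])
        else:
            src, nat_src = _ip(g["left"]), None
        dst = _ip(g["right"])
    else:
        # Inbound: "dst <- src"; a parenthesised address after src is its translation.
        dst = _ip(g["left"])
        src = _ip(g["right"])
        nat_src = _ip(g["right_orig"]) if g["right_orig"] else None
    return PfState(g["iface"], g["proto"], "out" if g["arrow"] == "->" else "in",
                   src, dst, nat_src, g["status"] or "")


def parse_states(text: str) -> List[PfState]:
    return [s for s in (parse_state_line(line) for line in text.splitlines()) if s]


def diagnose(states: List[PfState], client: str, target: str) -> str:
    """Classify a client->target flow from its WAN-side (outbound) state."""
    outbound = [s for s in states
                if s.direction == "out" and s.src == client and s.dst == target]
    if not outbound:
        return "no-state"      # nothing created a state: look at rules/gateway first
    if any(s.translated for s in outbound):
        return "nat-applied"   # WAN state reads translated (client) -> target
    return "no-nat"            # packet left with the private source intact


def leaking_sources(states: List[PfState], wan_iface: str) -> List[str]:
    """RFC 1918 sources leaving the given WAN interface untranslated.
    Anything listed here is traffic the upstream will drop or cannot answer."""
    leak = {s.src for s in states
            if s.iface == wan_iface and s.direction == "out" and not s.translated
            and ipaddress.ip_address(s.src).is_private}
    return sorted(leak)


if __name__ == "__main__":
    states = parse_states(SAMPLE_STATES)
    for client in ("10.0.0.8", "10.0.0.9", "10.0.0.7"):
        print(client, "-> 8.8.8.8:", diagnose(states, client, "8.8.8.8"))
    print("untranslated private sources on xl0:", leaking_sources(states, "xl0"))
```

On a live box, feed it `pfctl -ss` (or the filtered Diagnostics > States view) and compare with `pfctl -sn`, which lists the NAT rules pf actually has loaded; an empty `leaking_sources` together with a populated `pfctl -sn` is the healthy state.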
              mmerlone:

                @jimp:

                I suspect if you check the state table for 8.8.8.8 you'll see that NAT isn't being applied. Normally with NAT being applied you'd see two states, one in, one out, and one of them has three IPs: client -> external -> target and target -> client. If no NAT is being applied, the middle IP doesn't show up.

                Indeed, filtering the state table for 8.8.8.8 returns nothing. I also tried to check www.whatismyip.com from that box and got the attached states, but still no luck accessing the address. Checked the firewall rules, and they should allow anything from 10.0.0.0/24 to access everything.


                mmerlone:

                  Some packet capture on the WAN interface of pfSense:

                  15:34:21.369931 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 61191, length 40
                  15:34:26.870028 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 61447, length 40
                  15:34:32.370169 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 61703, length 40
                  15:34:33.106802 IP 10.0.0.8.138 > 10.0.0.255.138: UDP, length 201
                  15:34:33.106811 IP 10.0.0.8.138 > 10.0.0.255.138: UDP, length 201
                  15:34:37.870094 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 61959, length 40
                  15:34:43.370047 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 62215, length 40
                  15:34:48.870229 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 62471, length 40
                  15:34:54.370440 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 62727, length 40
                  15:34:59.870426 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 62983, length 40
                  
                  jimp:

                    If you are seeing that capture on the WAN interface, then NAT isn't happening.

                    Make sure the gateway is selected on the WAN interface
                    Make sure outbound NAT is set to automatic
                    Then reset the state table again

                    If it still doesn't work, switch to manual outbound NAT and make your own rules.

                    mmerlone:

                      @jimp:

                      If you are seeing that capture on the WAN interface, then NAT isn't happening.

                      Good to learn.

                      @jimp:

                      Make sure the gateway is selected on the WAN interface
                      Make sure outbound NAT is set to automatic
                      Then reset the state table again

                      All done.

                      @jimp:

                      If it still doesn't work, ….

                      Still doesn't work. Why is that? Could some other advanced option interfere? As I said at first, I did not mess with anything; I started over with the default config. Is there any option other than automatic outbound NAT to check?

                      @jimp:

                      … switch to manual outbound NAT and make your own rules.

                      Can you point me to some RTFM or assist me? The attached setup did not work; I also tried a few variations.

                      Side info: I also have a NAT'ed ADSL interface, but no matter which gateway I set as default (WAN or ADSL) the problem persists. No interface has the option to block bogon networks checked.


                      jimp:

                        You didn't disable the firewall under System > Advanced, did you? (That would also disable the ability to do NAT…)

                        Switch back to automatic outbound NAT, save/apply, and then get a copy of /tmp/rules.debug and copy/paste it here.

                        The NAT rule you had looked right, that should have been working from what I could see.

                        mmerlone:

                          @jimp:

                          You didn't disable the firewall under System > Advanced, did you? (That would also disable the ability to do NAT…)

                          Nope.

                          @jimp:

                          Switch back to automatic outbound NAT, save/apply, and then get a copy of /tmp/rules.debug and copy/paste it here.

                          #System aliases
                          
                          loopback = "{ lo0 }"
                          WAN = "{ xl0 }"
                          LAN = "{ bge1 }"
                          ADSL = "{ bge0 }"
                          
                          #SSH Lockout Table
                          table <sshlockout> persist
                          table <webconfiguratorlockout> persist
                          #Snort tables
                          table <snort2c>
                          table <virusprot>
                          # User Aliases
                          table <lanvisitantes> { 10.0.0.0/24 }
                          LanVisitantes = "<lanvisitantes>"
                          
                          # Gateways
                          GWGWADSL = " route-to ( bge0 192.168.1.100 ) "
                          GWGWWAN = " route-to ( xl0 x.x.x.153 ) "
                          GWGWLANNS100 = " route-to ( bge1 192.168.0.254 ) "
                          GWGWLANRV042 = " route-to ( bge1 192.168.0.251 ) "
                          GWGW_Group = "  route-to { ( bge0 192.168.1.100 )  }  "
                          
                          set loginterface bge1
                          set optimization normal
                          set limit states 96000
                          set limit src-nodes 96000
                          
                          set skip on pfsync0
                          
                          scrub in on $WAN all    fragment reassemble
                          scrub in on $LAN all    fragment reassemble
                          scrub in on $ADSL all    fragment reassemble
                          
                          no nat proto carp
                          no rdr proto carp
                          nat-anchor "natearly/*"
                          nat-anchor "natrules/*"
                          
                          # Outbound NAT rules
                          
                          # Subnets to NAT 
                          
                          # Load balancing anchor
                          rdr-anchor "relayd/*"
                          # TFTP proxy
                          rdr-anchor "tftp-proxy/*"
                          table <negate_networks> { x.x.x.152/29 192.168.0.0/24 192.168.1.0/24 }
                          # UPnPd rdr anchor
                          rdr-anchor "miniupnpd"
                          
                          anchor "relayd/*"
                          #---------------------------------------------------------------------------
                          # default deny rules
                          #---------------------------------------------------------------------------
                          block in log all label "Default deny rule"
                          block out log all label "Default deny rule"
                          
                          # We use the mighty pf, we cannot be fooled.
                          block quick proto { tcp, udp } from any port = 0 to any
                          block quick proto { tcp, udp } from any to any port = 0
                          
                          # Block all IPv6
                          block in quick inet6 all
                          block out quick inet6 all
                          
                          # Snort package
                          block quick from <snort2c> to any label "Block snort2c hosts"
                          block quick from any to <snort2c> label "Block snort2c hosts"
                          block in log quick proto carp from (self) to any
                          pass quick proto carp
                          pass quick proto pfsync
                          
                          # SSH lockout
                          block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                          
                          # webConfigurator lockout
                          block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
                          block in quick from <virusprot> to any label "virusprot overload table"
                          antispoof for xl0
                          antispoof for bge1
                          antispoof for bge0
                          
                          # loopback
                          pass in on $loopback all label "pass loopback"
                          pass out on $loopback all label "pass loopback"
                          # let out anything from the firewall host itself and decrypted IPsec traffic
                          pass out all keep state allow-opts label "let out anything from firewall host itself"
                          pass out route-to ( xl0 x.x.x.153 ) from x.x.x.154 to !x.x.x.152/29 keep state allow-opts label "let out anything from firewall host itself"
                          pass out route-to ( bge1 192.168.0.254 ) from 192.168.0.252 to !192.168.0.0/24 keep state allow-opts label "let out anything from firewall host itself"
                          pass out route-to ( bge0 192.168.1.100 ) from 192.168.1.101 to !192.168.1.0/24 keep state allow-opts label "let out anything from firewall host itself"
                          # make sure the user cannot lock himself out of the webConfigurator or SSH
                          pass in quick on bge1 proto tcp from any to (bge1) port { 80 22 } keep state label "anti-lockout rule"
                          
                          # User-defined rules follow
                          
                          anchor "userrules/*"
                          pass  on {  xl0  bge1  bge0  }  inet proto icmp  from any to any keep state  label "USER_RULE"
                          pass  in  quick  on $WAN reply-to ( xl0 x.x.x.153 )  inet proto icmp  from any to any keep state  label "USER_RULE"
                          pass  in  quick  on $LAN reply-to ( bge1 192.168.0.254 )  inet proto icmp  from any to any keep state  label "USER_RULE"
                          pass  in  quick  on $LAN reply-to ( bge1 192.168.0.254 )  from 192.168.0.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
                          pass  in  quick  on $LAN reply-to ( bge1 192.168.0.254 )  from   $LanVisitantes to any keep state  label "USER_RULE"
                          pass  in  quick  on $LAN reply-to ( bge1 192.168.0.254 )  from any to   $LanVisitantes keep state  label "USER_RULE"
                          pass  in  quick  on $ADSL reply-to ( bge0 192.168.1.100 )  inet proto icmp  from any to any keep state  label "USER_RULE"
                          
                          # VPN Rules
                          anchor "tftp-proxy/*"
                          

                          @jimp:

                          The NAT rule you had looked right, that should have been working from what I could see.

                          Oh, God. I'll leave on vacation in 54 minutes anyway. :) I'd be so happy if I could make it work this year….

                          jimp:

                            Hmm there are no NAT rules in that file at all.

                            The only way that can happen on Automatic Outbound NAT is if the firewall doesn't know there is a WAN, meaning Interfaces > WAN has no gateway selected from the drop-down on that page.

                            mmerlone:

                              @jimp:

                              The only way that can happen on Automatic Outbound NAT is if the firewall doesn't know there is a WAN, meaning Interfaces > WAN has no gateway selected from the drop-down on that page.

                              Seems there is another way…. See attached: WAN does have a gateway selected.


                              jimp:

                                Ah, well there is one more I forgot - if the LAN interface does have a gateway set, it would think that the LAN is a WAN so it wouldn't do NAT.

                                You don't need nor want to have a gateway set on the LAN interface, and if you have a gateway defined that is actually your LAN IP, remove it.

                                mmerlone:

                                  @jimp:

                                  Ah, well there is one more I forgot - if the LAN interface does have a gateway set, it would think that the LAN is a WAN so it wouldn't do NAT.

                                  Makes total sense, it did have a gateway set.

                                  @jimp:

                                  You don't need nor want to have a gateway set on the LAN interface, and if you have a gateway defined that is actually your LAN IP, remove it.

                                  Sure, sure. Selected 'none' as the gateway for the LAN interface, reset states, rebooted pfSense and …. (still rebooting) .... nope! No luck, no echo reply from 8.8.8.8 to 10.0.0.8. Partial success though: my workstation on 192.168.0.0/24 does ping 8.8.8.8, and I am using it now to post to the forum :)

                                  What the heck! Let me reboot 10.0.0.8 and see what happens; it is a Win XP box anyway and my workstation is Linux. Rebooted and no luck yet. Don't forget 10.0.0.8 uses 10.0.0.5 as its default gateway, which is an IP alias VIP on pfSense.

                                  States and packet capture on WAN interface attached.

                                  
                                  16:34:10.530106 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 9216, length 40
                                  16:34:16.030458 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 9472, length 40
                                  16:34:21.532543 IP 10.0.0.8 > 8.8.8.8: ICMP echo request, id 512, seq 9728, length 40
                                  
                                  


                                  mmerlone:

                                    Forgot to mention: also deselected a gateway for ADSL interface, just to be sure.

                                    jimp:

                                      So it's still not getting NAT, do you see nat rules in /tmp/rules.debug now?

                                      jimp:

                                        @mmerlone:

                                        Forgot to mention: also deselected a gateway for ADSL interface, just to be sure.

                                        Why?

                                        WANs must have a gateway set.
                                        LANs must not have a gateway set.

                                        Otherwise automatic outbound NAT will not work.

                                        mmerlone:

                                          @jimp:

                                          So it's still not getting NAT, do you see nat rules in /tmp/rules.debug now?

                                          Not yet (oops, regarding 10.0.0.0/24):

                                          #System aliases
                                          
                                          loopback = "{ lo0 }"
                                          WAN = "{ xl0 }"
                                          LAN = "{ bge1 }"
                                          ADSL = "{ bge0 }"
                                          
                                          #SSH Lockout Table
                                          table <sshlockout> persist
                                          table <webconfiguratorlockout> persist
                                          #Snort tables
                                          table <snort2c>
                                          table <virusprot>
                                          # User Aliases
                                          table <lanvisitantes> { 10.0.0.0/24 }
                                          LanVisitantes = "<lanvisitantes>"
                                          
                                          # Gateways
                                          GWGWADSL = " route-to ( bge0 192.168.1.100 ) "
                                          GWGWWAN = " route-to ( xl0 177.135.88.153 ) "
                                          GWGWLANNS100 = " route-to ( bge1 192.168.0.254 ) "
                                          GWGWLANRV042 = " route-to ( bge1 192.168.0.251 ) "
                                          GWGW_Group = "  route-to { ( bge0 192.168.1.100 )  }  "
                                          
                                          set loginterface bge1
                                          set optimization normal
                                          set limit states 96000
                                          set limit src-nodes 96000
                                          
                                          set skip on pfsync0
                                          
                                          scrub in on $WAN all    fragment reassemble
                                          scrub in on $LAN all    fragment reassemble
                                          scrub in on $ADSL all    fragment reassemble
                                          
                                          no nat proto carp
                                          no rdr proto carp
                                          nat-anchor "natearly/*"
                                          nat-anchor "natrules/*"
                                          
                                          # Outbound NAT rules
                                          
                                          # Subnets to NAT 
                                          tonatsubnets	= "{ 192.168.0.0/24 192.168.1.0/24 127.0.0.0/8  }"
                                          nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 177.135.88.154/32 port 500  
                                          nat on $WAN  from $tonatsubnets to any -> 177.135.88.154/32 port 1024:65535  
                                          
                                          # Load balancing anchor
                                          rdr-anchor "relayd/*"
                                          # TFTP proxy
                                          rdr-anchor "tftp-proxy/*"
                                          table <negate_networks> { 177.135.88.152/29 192.168.0.0/24 192.168.1.0/24 }
                                          # UPnPd rdr anchor
                                          rdr-anchor "miniupnpd"
                                          
                                          anchor "relayd/*"
                                          #---------------------------------------------------------------------------
                                          # default deny rules
                                          #---------------------------------------------------------------------------
                                          block in log all label "Default deny rule"
                                          block out log all label "Default deny rule"
                                          
                                          # We use the mighty pf, we cannot be fooled.
                                          block quick proto { tcp, udp } from any port = 0 to any
                                          block quick proto { tcp, udp } from any to any port = 0
                                          
                                          # Block all IPv6
                                          block in quick inet6 all
                                          block out quick inet6 all
                                          
                                          # Snort package
                                          block quick from <snort2c> to any label "Block snort2c hosts"
                                          block quick from any to <snort2c> label "Block snort2c hosts"
                                          block in log quick proto carp from (self) to any
                                          pass quick proto carp
                                          pass quick proto pfsync
                                          
                                          # SSH lockout
                                          block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                                          
                                          # webConfigurator lockout
                                          block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
                                          block in quick from <virusprot> to any label "virusprot overload table"
                                          antispoof for xl0
                                          antispoof for bge1
                                          antispoof for bge0
                                          
                                          # loopback
                                          pass in on $loopback all label "pass loopback"
                                          pass out on $loopback all label "pass loopback"
                                          # let out anything from the firewall host itself and decrypted IPsec traffic
                                          pass out all keep state allow-opts label "let out anything from firewall host itself"
                                          pass out route-to ( xl0 177.135.88.153 ) from 177.135.88.154 to !177.135.88.152/29 keep state allow-opts label "let out anything from firewall host itself"
                                          # make sure the user cannot lock himself out of the webConfigurator or SSH
                                          pass in quick on bge1 proto tcp from any to (bge1) port { 80 22 } keep state label "anti-lockout rule"
                                          
                                          # User-defined rules follow
                                          
                                          anchor "userrules/*"
                                          pass  on {  xl0  bge1  bge0  }  inet proto icmp  from any to any keep state  label "USER_RULE"
                                          pass  in  quick  on $WAN reply-to ( xl0 177.135.88.153 )  inet proto icmp  from any to any keep state  label "USER_RULE"
                                          pass  in  quick  on $LAN  inet proto icmp  from any to any keep state  label "USER_RULE"
                                          pass  in  quick  on $LAN  from 192.168.0.0/24 to any keep state  label "USER_RULE: Default allow LAN to any rule"
                                          pass  in  quick  on $LAN  from   $LanVisitantes to any keep state  label "USER_RULE"
                                          pass  in  quick  on $LAN  from any to   $LanVisitantes keep state  label "USER_RULE"
                                          pass  in  quick  on $ADSL  inet proto icmp  from any to any keep state  label "USER_RULE"
                                          
                                          # VPN Rules
                                          anchor "tftp-proxy/*"
                                          

                                          So, I erased the VIP and created it again, without a gateway on the LAN interface, reset states, and now 10.0.0.8 cannot even ping 10.0.0.5. Packets and state table:

                                          16:45:12.039107 ARP, Request who-has 10.0.0.8 tell 10.0.0.5, length 28
                                          16:45:17.539196 ARP, Request who-has 10.0.0.8 tell 10.0.0.5, length 28
                                          


                                          jimp:

                                            Closer...

                                            # Subnets to NAT 
                                            tonatsubnets	= "{ 192.168.0.0/24 192.168.1.0/24 127.0.0.0/8  }"
                                            
                                            

                                            It is getting your other subnets but not the 10.x.x.x one.

                                            Make sure the IP alias VIP has the proper subnet mask set (not /32).

                                            mmerlone:

                                              @jimp:

                                              It is getting your other subnets but not the 10.x.x.x one.
                                              Make sure the IP alias VIP has the proper subnet mask set (not /32).

                                              /24


                                              jimp:

                                                And that IP alias is on the correct interface? (LAN)

                                                Check Diagnostics > Routes, paste the output here, it might give some more clues.

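jimp's replies through the thread set out the conditions a VIP subnet has to meet before automatic outbound NAT will include it, in addition to the considerations in his first answer: the interface the alias lives on must have no gateway selected (a gateway makes pfSense treat that interface as a WAN, and WANs are NAT targets, never NAT sources), the alias must carry the real subnet mask rather than /32, and it must be bound to the LAN interface. The following Python is an added example that models those rules and renders the `tonatsubnets` and `nat on $WAN` lines in the shape /tmp/rules.debug uses; it is not pfSense's own filter.inc logic, the addresses are constructed stand-ins for the thread's topology (203.0.113.0/29 replaces the poster's WAN block), and it shows the expected outcome of each fix rather than explaining why the poster's box still omitted 10.0.0.0/24 afterwards.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Iface:
    name: str                       # pfSense interface name, e.g. "LAN"
    dev: str                        # underlying device, e.g. "bge1"
    addr: str                       # address with mask, e.g. "192.168.0.252/24"
    gateway: Optional[str] = None   # a selected gateway makes pfSense treat it as a WAN


@dataclass(frozen=True)
class Vip:
    iface: str                      # interface the IP alias is bound to
    addr: str                       # alias address with mask, e.g. "10.0.0.5/24"


def tonat_subnets(ifaces: List[Iface], vips: List[Vip]) -> List[str]:
    """Model of the 'Subnets to NAT' list: the subnet of every interface that
    has no gateway, the subnets of IP alias VIPs bound to such interfaces, and
    loopback. Interfaces with a gateway are WANs and never appear here."""
    nets = []
    for i in ifaces:
        if i.gateway is not None:
            continue                                   # WAN: a NAT target, not a source
        if_net = ip_interface(i.addr).network
        nets.append(if_net)
        for v in vips:
            if v.iface != i.name:
                continue                               # alias bound to some other interface
            alias = ip_interface(v.addr)
            if alias.ip in if_net:
                continue                               # alias inside the interface subnet
            nets.append(alias.network)                 # a /32 alias yields only the VIP itself
    nets.append(ip_network("127.0.0.0/8"))
    out: List[str] = []
    for n in nets:
        if str(n) not in out:
            out.append(str(n))
    return out


def wan_ifaces(ifaces: List[Iface]) -> List[Iface]:
    return [i for i in ifaces if i.gateway is not None]


def render_nat_rules(ifaces: List[Iface], vips: List[Vip]) -> str:
    """Emit the automatic outbound NAT block in the shape /tmp/rules.debug uses."""
    subnets = tonat_subnets(ifaces, vips)
    lines = ["# Subnets to NAT", 'tonatsubnets = "{ %s }"' % " ".join(subnets)]
    for w in wan_ifaces(ifaces):
        wan_ip = ip_interface(w.addr).ip
        lines.append(f"nat on ${w.name} from $tonatsubnets port 500 to any port 500 -> {wan_ip}/32 port 500")
        lines.append(f"nat on ${w.name} from $tonatsubnets to any -> {wan_ip}/32 port 1024:65535")
    return "\n".join(lines)


def is_natted(ifaces: List[Iface], vips: List[Vip], client: str) -> bool:
    """True if a packet from this client would get a translated source on a WAN."""
    if not wan_ifaces(ifaces):
        return False
    ip = ip_address(client)
    return any(ip in ip_network(n) for n in tonat_subnets(ifaces, vips))


# Constructed stand-ins for the thread's topology (203.0.113.0/29 replaces the
# poster's real WAN block; the private ranges match the thread).
WAN = Iface("WAN", "xl0", "203.0.113.154/29", gateway="203.0.113.153")
LAN = Iface("LAN", "bge1", "192.168.0.252/24")
LAN_WITH_GW = Iface("LAN", "bge1", "192.168.0.252/24", gateway="192.168.0.254")
ADSL = Iface("ADSL", "bge0", "192.168.1.101/24")

VIP_OK = Vip("LAN", "10.0.0.5/24")       # correct interface, real mask
VIP_SLASH32 = Vip("LAN", "10.0.0.5/32")  # the mask mistake jimp warns about
VIP_ON_WAN = Vip("WAN", "10.0.0.5/24")   # bound to the wrong interface


if __name__ == "__main__":
    for label, ifs, vip in [("gateway set on LAN", [WAN, LAN_WITH_GW, ADSL], VIP_OK),
                            ("alias /32",          [WAN, LAN, ADSL], VIP_SLASH32),
                            ("alias on WAN",       [WAN, LAN, ADSL], VIP_ON_WAN),
                            ("corrected",          [WAN, LAN, ADSL], VIP_OK)]:
        print(f"--- {label}: 10.0.0.8 NATed? {is_natted(ifs, [vip], '10.0.0.8')}")
        print(render_nat_rules(ifs, [vip]))
```

Each misconfiguration fails in the same visible way as in the thread: `tonatsubnets` lacks 10.0.0.0/24 (or, with a /32 alias, carries only 10.0.0.5/32, which covers the VIP and none of the clients behind it), so the client's packets leave the WAN with their private source intact.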
                                                  mmerlone:

                                                  @jimp:

                                                  And that IP alias is on the correct interface? (LAN)

                                                  Oops, well noted. It was not. Corrected, and now 10.0.0.8 can ping 10.0.0.5, but not yet 8.8.8.8.

                                                  @jimp:

                                                  Check Diagnostics > Routes, paste the output here, it might give some more clues.

                                                  Attached.


                                                  • jimp
                                                    jimp Rebel Alliance Developer Netgate last edited by

                                                    OK that all looks good now - and if you check /tmp/rules.debug and look for tonatsubnets - the 10.x.x.x network still doesn't show up?

                                                    If not, then you probably will need to go to outbound NAT, delete any rules there, and switch to manual outbound NAT once more. Then add a rule for 10.x.x.x.

                                                    • M
                                                      mmerlone last edited by

                                                      @jimp:

                                                      OK that all looks good now - and if you check /tmp/rules.debug and look for tonatsubnets - the 10.x.x.x network still doesn't show up?

                                                      Nope:

                                                      # Subnets to NAT 
                                                      tonatsubnets	= "{ 192.168.0.0/24 192.168.1.0/24 127.0.0.0/8  }"
                                                      nat on $WAN  from $tonatsubnets port 500 to any port 500 -> x.x.x.154/32 port 500  
                                                      nat on $WAN  from $tonatsubnets to any -> x.x.x.154/32 port 1024:65535  

                                                      @jimp:

                                                      If not, then you probably will need to go to outbound NAT, delete any rules there, and switch to manual outbound NAT once more. Then add a rule for 10.x.x.x.

                                                      Why can't that be automatic? Why can't life be easy? Why is there no Santa Claus?
                                                      Did not delete existing rules, they look good to me. I just added a new NAT rule, reset states, and this time got lucky: 10.0.0.8 now pings 8.8.8.8.

                                                      Now the questions:
                                                      Is that a bug or feature?
                                                      If not a feature, where can I request it?

                                                      This box will replace an old Netscreen, 1:1 NATing a bunch of servers, responsible for our internet presence, connect two remote offices, provide IPsec VPN for mobile warriors, and some more I don't remember now.

                                                      Will leave on vacation now and get back on January 7 to finish this. Happy holidays, merry Christmas, happy end-of-the-world, happy new year, and many thanks for your almost-chat support. I was almost ditching pfSense.

                                                      Best regards,

                                                      –
                                                      Marcio Merlone

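As an added example (not pfSense's own code), here is a small check that parses the `tonatsubnets` macro jimp pointed at in /tmp/rules.debug and reports which of your subnets the automatic outbound NAT source list does not cover. The sample input is constructed from the excerpt above, and 10.0.0.0/24 is an assumption for the VIP's subnet.

```python
"""Check whether pf's automatic outbound NAT source list covers a subnet.

Added example, not pfSense code. Parses the `tonatsubnets` macro from
/tmp/rules.debug and reports networks that no entry contains, so a second
LAN subnet that was left out shows up before its traffic fails to NAT.
"""
import ipaddress
import re
import sys

# Constructed sample mirroring the thread's /tmp/rules.debug excerpt.
SAMPLE_RULES_DEBUG = """\
# Subnets to NAT
tonatsubnets\t= "{ 192.168.0.0/24 192.168.1.0/24 127.0.0.0/8  }"
nat on $WAN  from $tonatsubnets to any -> x.x.x.154/32 port 1024:65535
"""

# The macro is one line: tonatsubnets = "{ net1 net2 ... }"
_MACRO = re.compile(r'^tonatsubnets\s*=\s*"\{(.*?)\}"', re.MULTILINE)


def parse_tonatsubnets(rules_debug: str):
    """Return the networks listed in the tonatsubnets macro, in order."""
    m = _MACRO.search(rules_debug)
    if not m:
        raise ValueError("tonatsubnets macro not found in rules.debug text")
    return [ipaddress.ip_network(tok) for tok in m.group(1).split()]


def missing_subnets(rules_debug: str, wanted):
    """Return the networks in `wanted` that no NAT source entry contains.

    A subnet counts as covered if it equals or lies inside any entry
    (e.g. 192.168.1.128/25 is covered by 192.168.1.0/24)."""
    nat_sources = parse_tonatsubnets(rules_debug)
    missing = []
    for net in (ipaddress.ip_network(w) for w in wanted):
        same_family = (s for s in nat_sources if s.version == net.version)
        if not any(net.subnet_of(src) for src in same_family):
            missing.append(net)
    return missing


if __name__ == "__main__":
    # Usage: python check_nat.py [/tmp/rules.debug] [subnet ...]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES_DEBUG
    subnets = sys.argv[2:] or ["10.0.0.0/24"]  # assumed VIP subnet
    for net in missing_subnets(text, subnets):
        print(f"not covered by outbound NAT: {net}")
```

Run it again after adding the manual outbound NAT rule to confirm the new subnet is now listed.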
                                                      • jimp
                                                        jimp Rebel Alliance Developer Netgate last edited by

                                                        I had thought it was automatic, but it's apparently not (at least on the version you're using, I don't know about 2.1)

                                                        Using multiple subnets on a single interface in that way is still mostly an edge case. Most people put distinct subnets on separate VLANs or interfaces.

                                                        © 2021 Rubicon Communications, LLC | Privacy Policy