• Hello,

    I'm not sure if this is a bug or a feature :)  I discovered that when the LAN IP is set via DHCP (dhcp server is not pfSense – DHCP reservation), NAT functionality breaks.  Meaning, any client that uses the IP address that DHCP set on LAN interface as gateway cannot NAT to WAN IP.

    The use case for setting LAN IP via DHCP = cloud server template.  As a service provider we assign all IPs via DHCP reservations.

    When the LAN IP is set statically, all is good.

    Question -- is this the intended behavior?
    Question -- Is there any way of allowing both WAN and LAN IPs to be set via DHCP with NAT working?  ( I have a specific use case, where this is desired )
    Question -- Is this a bug?  Is there a known workaround that can be implemented?

    Thank you.

  • I suspect this is not a very common configuration requirement and hence is probably not well tested.

    What build of pfSense are you using? (That might be significant.)

  • Latest stable.  2.0.3.  64 bit.

  • Rebel Alliance Developer Netgate

    When set for DHCP, an interface is considered a WAN and thus does NOT get considered as a source for automatic outbound NAT. If you want to set LAN to use DHCP, you'll need to use Manual Outbound NAT and specify a proper source for the network.

    You will also need to either set the "disable reply-to" option on all LAN-side rules, or disable reply-to globally under System > Advanced on the Firewall/NAT tab.

    Otherwise it should work OK. Not really a good/standard config, but it should work.

    Thanks for clarifying.  I totally understand the default behavior.  As a service provider we have integrated automatic IP address assignment of VM interfaces via DHCP.  It would be great if pfSense had the ability to define both WAN and LAN interfaces using DHCP.  Unfortunately disabling the automatic NAT would create additional configuration challenges.  In the web console, I noticed that the LAN interface can be set to DHCP assignment, whereas in the CLI menu interface, no DHCP on LAN can be set.  The only options in the CLI are a manually set IP address with subnet or NONE.

    First time dealing with something like this with pfSense.  Where would I file a feature request  /  bug report?

    Thank you.

  • Rebel Alliance Developer Netgate

    You can make an alias for rfc1918 nets (192.168/16, 172.16/12, 10/8) and set manual outbound NAT to source from those so it would catch anything 'private'. There shouldn't be any other problems you'd encounter with manual vs automatic outbound NAT.

    I'm not sure a feature request for that would get much traction as it's not very common and it's easy to work around with available settings.
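
    The workaround described in the two developer replies above (RFC 1918 alias, manual outbound NAT, reply-to disabled), written out as the pf rules pfSense would generate; this is an added illustration, not from the thread, and the interface names and the LAN subnet are assumed.

    ```pf
    # Constructed example, not from the thread: interface names and addresses are assumed.
    wan_if = "em0"   # WAN, address via DHCP
    lan_if = "em1"   # LAN, address also via DHCP, so pfSense treats it as a WAN-type interface

    # Alias covering all RFC 1918 space, as suggested in the thread
    table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

    # Manual outbound NAT: the source is the alias, not "the LAN subnet".
    # With LAN on DHCP, automatic outbound NAT would emit no rule at all here.
    nat on $wan_if from <rfc1918> to any -> ($wan_if)

    # LAN-side pass rule with reply-to disabled. If reply-to were left enabled,
    # pfSense would append  reply-to ($lan_if <LAN-DHCP-gateway>)  to this rule and
    # replies would be pushed back out the LAN gateway instead of following the routing table.
    pass in quick on $lan_if from <rfc1918> to any keep state
    ```

    To confirm the loaded ruleset matches, `pfctl -sn` should show the nat rule sourced from `<rfc1918>` and `pfctl -sr` should show no `reply-to` on the LAN rules.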

  • Netgate Administrator

    Slightly off topic (apologies Deeepdish) but there is already some internal alias defined for rfc1918 networks. Is there some good reason why it's not available for general use?


  • Rebel Alliance Developer Netgate

    There isn't, but it's on the to-do list.
