Disable NAT issue



  • Dear Fellows,

    I need your help, because I cannot figure out where the problem is.
    I want to install a pfSense box as a firewall/router/proxy, but not as an internet gateway.

    This is a basic diagram of what I want to do:

                                                                 1841
                                                               /====> WAN1
                                                              /
    LAN ==> Layer 3 Switch (routing for VLANs) ==> pfSense              (load balancing with failover)
                                                              \
                                                               \====> WAN2
                                                                 1841

    The problem is that when I disable NAT, the LAN cannot reach the internet, not
    even the routers ...

    So in a test environment I just made it simple to troubleshoot the issue ...

    Test environment diagram:

    172.16.100.0/24              10.10.1.0/24                       ADSL
    Laptop ==============> pfSense ================> Router/modem ==> Internet

    ==============================================================

    ADSL router/modem config:

    NAT for outbound
    WAN: PPPoE

    LAN
    IP address: 10.10.1.254
    Subnet:     255.255.255.0

    Static routes:
    Destination        Netmask            Gateway      Metric
    172.16.0.0         255.255.0.0        10.10.1.1    2

    ==============================================================

    pfSense config:

    WAN:
    IP address: 10.10.1.1/24
    Gateway:    10.10.1.254

    LAN:
    IP address: 172.16.100.254/24

    NAT disabled ==> https://doc.pfsense.org/index.php/Outbound_NAT

    Routes: 172.16.0.0/16  interface: LAN  gateway: 172.16.100.1

    ================================================================

    Laptop config:

    IP address: 172.16.100.1
    Netmask:    255.255.255.0
    Gateway:    172.16.100.254
    DNS:        172.16.100.254

    I have double-checked everything! Cables, configurations, etc.
    I cannot figure out why I cannot even ping the ADSL modem from the laptop (I can from the pfSense box)  :-\

    There is no firewall on the ADSL modem, not even on the pfSense.  :'(

    I look forward to your response.

    Cheers



  • You need static routes on the modems:
    network 172.16.100.0/24 gateway 10.10.1.1



  • @rubic:

    You need static routes on the modems:
    network 172.16.100.0/24 gateway 10.10.1.1

    Dear Rubic,
    Thanks for your reply.
    But I already have a static route on the modem.

    @usabug:

    ==============================================================

    ADSL router/modem config:

    NAT for outbound
    WAN: PPPoE

    LAN
    IP address: 10.10.1.254
    Subnet:     255.255.255.0

    Static routes:
    Destination        Netmask            Gateway      Metric
    172.16.0.0         255.255.0.0        10.10.1.1    2

    Any other idea?



  • @usabug:

    Dear Rubic,
    Thanks for your reply.
    But I already have a static route on the modem.

    Sorry, I missed it.
    Everything seems OK except for the '172.16.0.0/16  interface: LAN  gateway 172.16.100.1' pfSense route, which is unnecessary.



  • On the pfSense WAN interface, did you disable "Block private networks"? Remove the static routes on the pfSense LAN interface, and do not put a gateway address on it either.

    The only default route that should exist on pfSense is on the WAN interface, which should have a gateway address that points to the ADSL LAN IP.

    The ADSL modem should also have a default route 0.0.0.0/0.0.0.0 to its WAN gateway.



  • @rubic:

    Sorry, I missed it.
    Everything seems OK except for the '172.16.0.0/16  interface: LAN  gateway 172.16.100.1' pfSense route, which is unnecessary.

    Dear Rubic,

    Yes, you are correct that it is not necessary, but since I will have about 10 VLANs in the future and the routing will be done with a layer 3 switch, pfSense will not know how to route the packets to the VLANs. pfSense as a router knows only the connected interfaces and that everything else should go out of the WAN interface.

    @jswj:

    On the pfSense WAN interface, did you disable "Block private networks"? Remove the static routes on the pfSense LAN interface, and do not put a gateway address on it either.

    The only default route that should exist on pfSense is on the WAN interface, which should have a gateway address that points to the ADSL LAN IP.

    The ADSL modem should also have a default route 0.0.0.0/0.0.0.0 to its WAN gateway.

    Dear jswj,

    I have already disabled the private networks. I need static routes; I have already explained why above.
    The ADSL modem is working as it should. It has internet connectivity, it has static routes for the pfSense LANs, and if I connect the laptop directly to the ADSL modem I can browse the internet.

    Anyway, I will make a clean installation on another server and I will post the results.



  • If you disable NAT on pfSense, you need a static route to be set, like I mentioned earlier.

    pfSense:
    -> remove the LAN gateway IP from the LAN interface
    -> the WAN gateway should point to ADSL_LAN_IP
    -> set outbound NAT to manual and remove all the NAT mappings; this will enable pfSense as a router with filtering
    -> create firewall rules of LAN any to any for the time being

    On the ADSL modem:
    -> 0.0.0.0/32 gateway ADSL_WAN_GW_IP
    -> 172.16.100.0/24 gateway pfsense_WAN_IP

    That routing configuration tells pfSense to route everything other than the LAN to the modem, and in order for the ADSL modem to understand what is on the other side of pfSense, it has another static route to the network 172.16.100.0/24 via its next hop, the pfSense WAN IP; the rest the ADSL modem will route to its own WAN gateway IP, which is the internet.

    This is actually a basic routing issue. When pfSense acts as a router, it basically knows how to route everything on its own interfaces, but since the internet is the next hop of its WAN interface, you need the 0.0.0.0/0.0.0.0 route, with the ADSL LAN IP as its next hop.

    I would guess you are only missing the static default route inside pfSense, and you must remove the pfSense LAN gateway (set it to none).



  • @jswj:

    If you disable NAT on pfSense, you need a static route to be set, like I mentioned earlier.

    pfSense:
    -> remove the LAN gateway IP from the LAN interface
    -> the WAN gateway should point to ADSL_LAN_IP
    -> set outbound NAT to manual and remove all the NAT mappings; this will enable pfSense as a router with filtering
    -> create firewall rules of LAN any to any for the time being

    On the ADSL modem:
    -> 0.0.0.0/32 gateway ADSL_WAN_GW_IP
    -> 172.16.100.0/24 gateway pfsense_WAN_IP

    That routing configuration tells pfSense to route everything other than the LAN to the modem, and in order for the ADSL modem to understand what is on the other side of pfSense, it has another static route to the network 172.16.100.0/24 via its next hop, the pfSense WAN IP; the rest the ADSL modem will route to its own WAN gateway IP, which is the internet.

    This is actually a basic routing issue. When pfSense acts as a router, it basically knows how to route everything on its own interfaces, but since the internet is the next hop of its WAN interface, you need the 0.0.0.0/0.0.0.0 route, with the ADSL LAN IP as its next hop.

    I would guess you are only missing the static default route inside pfSense, and you must remove the pfSense LAN gateway (set it to none).

    Dear Jswj,

    If I remove the LAN static route, then the pfSense box will route everything else, except 172.16.100.0/24, to the WAN interface, which is wrong.

    Since I will have about 10 VLANs in the future and the routing will be done with a layer 3 switch, pfSense will not know how to route the packets to the VLANs. pfSense as a router knows only the connected interfaces and that everything else should go out of the WAN interface.

    So I need that static route.

    Regarding the default gateway: it is already configured through:

    System ==> Routing ==> Gateways ==> Wan1 ==> [V] Default Gateway

    My problem is not a routing issue. It's definitely a code issue or a configuration issue.

    Anyway, thank you once more for your kind reply!



    • On your layer 3 switch, if you have already set up inter-VLAN routing correctly, add the default route 0.0.0.0 0.0.0.0 gateway pfsense_LAN_ip.

    • On pfSense, add the static route 172.16.0.0/16 gateway switch_LAN_IP_VLAN1; if your pfsense_LAN_IP=172.16.100.254, the layer 3 switch IP should be on this subnet, maybe switch_LAN_IP_VLAN1=172.16.100.1??

    • On the pfSense WAN interface, go to Interfaces -> WAN and change the gateway IP from NONE to ADSL_LAN_IP.
      Do not set a gateway on the LAN interface.

    • On the ADSL modem, a static route 0.0.0.0 0.0.0.0 to its WAN gateway must already exist; add another static route 172.16.0.0/16 gateway pfsense_WAN_IP.

    • To enable routing only, with firewalling, on pfSense, go to Firewall -> NAT, set outbound NAT to manual and, first of all, delete all existing mappings.

    • Add WAN and LAN rules on pfSense to just open everything for now: any to any, any protocol, any port.

    Regards,
    Julius
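    The two routing posts above (the earlier one with the modem's return route and pfSense's WAN gateway, and this list with the layer 3 switch) can be checked on paper with plain longest-prefix routing tables. The script below is an added example written for this thread, not pfSense code or any poster's configuration. It models each device as a routing table, forwards a packet hop by hop and then forwards the reply, so you can see which table the reply dies in. The addresses 172.16.100.1, 172.16.100.254, 10.10.1.1 and 10.10.1.254 are the ones from the test diagram; the modem's PPPoE address, the ISP next hop, and the VLAN 10 switch address and host are constructed. The modem's own NAT toward the internet is not modelled, only the LAN <-> modem LAN round trip that the original post could not get to work.

```python
"""Longest-prefix routing model of the thread's test topology (constructed example).

Not pfSense code. Thread addresses: 172.16.100.0/24 LAN, 10.10.1.0/24 transit,
pfSense 172.16.100.254 / 10.10.1.1, ADSL modem LAN 10.10.1.254. Everything in
203.0.113.0/24 and 172.16.10.0/24 is made up for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

LAPTOP = "172.16.100.1"          # test laptop (thread)
PFSENSE_LAN = "172.16.100.254"   # pfSense LAN (thread)
PFSENSE_WAN = "10.10.1.1"        # pfSense WAN (thread)
MODEM_LAN = "10.10.1.254"        # ADSL modem LAN (thread)
MODEM_WAN = "203.0.113.10"       # constructed stand-in for the PPPoE address
ISP_GW = "203.0.113.1"           # constructed ISP next hop
SWITCH_IP = "172.16.100.1"       # Julius's guess: the L3 switch sits where the laptop was
VLAN10_GW = "172.16.10.254"      # constructed VLAN 10 gateway on the switch
VLAN10_HOST = "172.16.10.5"      # constructed host behind the switch


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None means directly connected


@dataclass
class Device:
    name: str
    addresses: Set[str]
    routes: List[Route] = field(default_factory=list)

    def add_route(self, prefix, next_hop=None):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst):
        """Longest-prefix match; None when the device has no matching route."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def trace(devices, start, dst, max_hops=8):
    """Forward one packet hop by hop; returns device names, or None if dropped."""
    owner = {a: d.name for d in devices.values() for a in d.addresses}
    cur, path = devices[start], [start]
    for _ in range(max_hops):
        if dst in cur.addresses:
            return path
        route = cur.lookup(dst)
        if route is None:
            return None
        nxt = route.next_hop or dst       # connected route: deliver to dst itself
        if nxt not in owner:              # next hop is not a modelled device: lost
            return None
        cur = devices[owner[nxt]]
        path.append(cur.name)
    return None


def round_trip(devices, start, src_ip, dst_ip, nat_src=None):
    """Forward path plus reply path. With outbound NAT on pfSense the reply is
    addressed to pfSense's WAN address (nat_src) instead of the real source,
    which is why the modem then needs no route back to 172.16.x.x."""
    fwd = trace(devices, start, dst_ip)
    if fwd is None:
        return fwd, None
    return fwd, trace(devices, fwd[-1], nat_src or src_ip)


def build(modem_return_route=True, vlans=False):
    """Tables as described in the thread; the flags toggle the two disputed routes."""
    pf = Device("pfsense", {PFSENSE_LAN, PFSENSE_WAN})
    pf.add_route("172.16.100.0/24")                    # connected LAN
    pf.add_route("10.10.1.0/24")                       # connected WAN
    pf.add_route("0.0.0.0/0", MODEM_LAN)               # default gateway = ADSL LAN IP

    modem = Device("modem", {MODEM_LAN, MODEM_WAN})
    modem.add_route("10.10.1.0/24")
    modem.add_route("0.0.0.0/0", ISP_GW)
    if modem_return_route:                             # jswj's static route on the modem
        modem.add_route("172.16.0.0/16", PFSENSE_WAN)

    isp = Device("isp", {ISP_GW})                      # no route to private space
    devs = [pf, modem, isp]

    if vlans:   # Michael's target design: L3 switch routes VLANs, pfSense points /16 at it
        pf.add_route("172.16.0.0/16", SWITCH_IP)
        sw = Device("switch", {SWITCH_IP, VLAN10_GW})
        sw.add_route("172.16.100.0/24")
        sw.add_route("172.16.10.0/24")
        sw.add_route("0.0.0.0/0", PFSENSE_LAN)
        host = Device("vlan10-host", {VLAN10_HOST})
        host.add_route("172.16.10.0/24")
        host.add_route("0.0.0.0/0", VLAN10_GW)
        devs += [sw, host]
    else:
        laptop = Device("laptop", {LAPTOP})
        laptop.add_route("172.16.100.0/24")
        laptop.add_route("0.0.0.0/0", PFSENSE_LAN)
        devs.append(laptop)
    return {d.name: d for d in devs}
```

    Calling `round_trip(build(False), "laptop", LAPTOP, MODEM_LAN)` shows the laptop's ping reaching the modem and the reply leaving toward the ISP and dying there, which is the symptom of a missing return route with NAT off; `build(True)` makes the reply come back through pfSense, and passing `nat_src=PFSENSE_WAN` to the first case shows why outbound NAT hides the problem. `build(True, vlans=True)` walks a VLAN 10 host through the switch and back, which only works because pfSense carries the 172.16.0.0/16 route pointing at the switch.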



  • @jswj:

    • On your layer 3 switch, if you have already set up inter-VLAN routing correctly, add the default route 0.0.0.0 0.0.0.0 gateway pfsense_LAN_ip.

    • On pfSense, add the static route 172.16.0.0/16 gateway switch_LAN_IP_VLAN1; if your pfsense_LAN_IP=172.16.100.254, the layer 3 switch IP should be on this subnet, maybe switch_LAN_IP_VLAN1=172.16.100.1??

    • On the pfSense WAN interface, go to Interfaces -> WAN and change the gateway IP from NONE to ADSL_LAN_IP.
      Do not set a gateway on the LAN interface.

    • On the ADSL modem, a static route 0.0.0.0 0.0.0.0 to its WAN gateway must already exist; add another static route 172.16.0.0/16 gateway pfsense_WAN_IP.

    • To enable routing only, with firewalling, on pfSense, go to Firewall -> NAT, set outbound NAT to manual and, first of all, delete all existing mappings.

    • Add WAN and LAN rules on pfSense to just open everything for now: any to any, any protocol, any port.

    Regards,
    Julius

    Dear Julius,
    Thank you for the info.
    I will try it and I will let you know.
    Regards,

    Michael



  • @usabug:

    Dear Julius,
    Thank you for the info.
    I will try it and I will let you know.
    Regards,

    Michael

    You're welcome, Michael.

    Also, I played around a little bit with Packet Tracer to simulate your situation; I hope this is what you are looking for:

    Like I mentioned before, you need to sort out routing on each device, especially inter-VLAN routing on the layer 3 switch. The configuration above works OK; the PC on each VLAN is able to connect up to the MODEM WAN interface. Do not mind the right side of the modem, as I only tried to pretend that the WAN side is the internet.



  • @jswj:

    You're welcome, Michael.

    Also, I played around a little bit with Packet Tracer to simulate your situation; I hope this is what you are looking for:

    Like I mentioned before, you need to sort out routing on each device, especially inter-VLAN routing on the layer 3 switch. The configuration above works OK; the PC on each VLAN is able to connect up to the MODEM WAN interface. Do not mind the right side of the modem, as I only tried to pretend that the WAN side is the internet.

    Dear Julius,

    Once again, thank you for your time and your reply.
    The problem, believe me, is not the Cisco devices!
    I can configure them to do whatever you want. Routing with any protocol you want, switching at any level, PBR, SLA, etc. ...

    My problem is with the pfSense box ... it doesn't make any sense at all! I am able to configure an ASA in 5 minutes, and I cannot configure pfSense just not to do NAT for the whole week. xa xa xa xa

    It is ridiculous.

    Anyway, once again thank you for your time.

