NAT not passing traffic from WAN-2



  • Running pfSense 2.1.4 successfully, entire class 'C' with 1 WAN, 1 LAN, 3 DMZ currently.
    Attempting to transition LAN to a private net and use a 2nd WAN with 3 IPs from the cable provider.
    Will move to WAN failover in future, but simply putting a few local machines on a separate net is the current goal.
    NOT trying to do dual WAN now. Just need simple NAT for the 2nd WAN to a few dedicated machines for now.

    current (working)…
    WAN-1: x.x.x.2/24 default gateway x.x.x.1 (to router) - shows Online
    LAN-1: x.x.x.65/26

    new (including above)...
    WAN-2: y.y.y.43/27 gateway y.y.y.33 (Cisco 3010 transparent bridge) - shows Online
    WAN-2: y.y.y.44/27 IP Alias
    WAN-2: y.y.y.45/27 IP Alias
    LAN-1: 192.168.43.1/24 Proxy ARP (I've tried IP Alias too)

    Turned on AON months ago.
    ADDED Outbound rule: WAN-2 net:192.168.43.0/24 any any any WAN-2 address any no (1st rule at top)

    • the rest of the outbound rules were auto generated for WAN-1 prior to WAN-2 config

    Rules (specific to NAT - existing class C rules work fine)...
    WAN-2: IPv4 192.168.43.0/24 any any any
    WAN-2: IPv4 any any 192.168.43.0/24
    WAN-2: IPv4 any any WAN-2 address
    WAN-2: IPv4 WAN-2 address any any any
    LAN-1: IPv4 192.168.43.0/24 any any any
    LAN-1: IPv4 any any 192.168.43.0/24

    I am running tcpdump on the firewall box...
    WAN-2: y.y.y addresses
    LAN-1: 192.168.43 addresses

    host200: 192.168.43.200/24 gateway 192.168.43.1

    • test machine with only private net

    • ping y.y.y.33 from host200 - see ICMP echo request, but no reply on LAN-1
      (no web http replies or DNS replies either)

    • I see gateway ping checks on WAN-2

    • could ping 192.168.43.1 when using IP alias

    • now with IP Proxy, I can't ping 192.168.43.1

    • I can ping y.y.y.33 on WAN-2

    Simply looks like the NAT isn't passing between the private net and the WAN interface.
    Just trying to get .43 working now; I will add 192.168.44.0/24 and 192.168.45.0/24 NAT for the other IPs later.

    I spent a week on this last November and just spent another 3 days on it now.
    I have scoured the forums and net, but I can't see what I'm doing wrong.
    I'm sure I've overlooked something!!

    Any help or guidance would be very much appreciated.

    BTW, pfSense is absolutely incredible. Better interface and more capability than the big expensive product we used for years prior.
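An added example, not part of the post above: a small Python script that correlates ICMP echo lines from the two tcpdump captures the post describes (LAN-1 and WAN-2) and reports, per request, the last stage it reached, so you can see whether the request was ever translated out of WAN-2 as the WAN-2 address, whether the upstream answered, and whether the reply was passed back to the LAN host. The capture lines are constructed, and 203.0.113.43/.33 are placeholders for the post's y.y.y.43 and y.y.y.33.

```python
import re
# Matches "tcpdump -n" ICMP echo lines, e.g. "IP 192.168.43.200 > 203.0.113.33: ICMP echo request, id 7, seq 1, length 64"
ICMP_RE = re.compile(r"IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
                     r"id \d+, seq (?P<seq>\d+)")
LAN_NET = "192.168.43."      # private net from the post
WAN2_ADDR = "203.0.113.43"   # placeholder standing in for the post's y.y.y.43
MEANING = {
    "lan_req": "request never left WAN-2 as the WAN-2 address: outbound NAT/routing not applied",
    "wan_req": "translated request left WAN-2, but upstream never answered",
    "wan_reply": "reply arrived on WAN-2 but was not translated back and passed to LAN-1",
    "lan_reply": "full round trip OK",
}

def parse(lines):
    """Return (src, dst, kind, seq) for each ICMP echo line; other traffic is ignored."""
    return [(m["src"], m["dst"], m["kind"], int(m["seq"]))
            for m in map(ICMP_RE.search, lines) if m]

def trace_nat(lan_lines, wan_lines, wan_addr=WAN2_ADDR):
    """For every echo request a LAN host sent, return the last stage it reached."""
    # Matched on seq plus the remote host, not the ICMP id, since NAT may rewrite the id.
    lan, wan = parse(lan_lines), parse(wan_lines)
    report = {}
    for src, dst, kind, seq in lan:
        if kind != "request" or not src.startswith(LAN_NET):
            continue
        stages = [  # (stage, capture to search, packet expected there)
            ("wan_req", wan, (wan_addr, dst, "request", seq)),
            ("wan_reply", wan, (dst, wan_addr, "reply", seq)),
            ("lan_reply", lan, (dst, src, "reply", seq)),
        ]
        reached = "lan_req"
        for name, capture, expected in stages:
            if expected not in capture:
                break
            reached = name
        report[(src, dst, seq)] = reached
    return report

# Constructed sample captures (not from the post): seq 1's reply stops at the firewall, seq 2 never shows up on WAN-2.
LAN_CAPTURE = [
    "12:00:01.000001 IP 192.168.43.200 > 203.0.113.33: ICMP echo request, id 7, seq 1, length 64",
    "12:00:02.000001 IP 192.168.43.200 > 203.0.113.33: ICMP echo request, id 7, seq 2, length 64",
]
WAN2_CAPTURE = [
    "12:00:01.000100 IP 203.0.113.43 > 203.0.113.33: ICMP echo request, id 7, seq 1, length 64",
    "12:00:01.000300 IP 203.0.113.33 > 203.0.113.43: ICMP echo reply, id 7, seq 1, length 64",
]
if __name__ == "__main__":
    for key, stage in trace_nat(LAN_CAPTURE, WAN2_CAPTURE).items():
        print(key, "->", stage, ":", MEANING[stage])
```

Feed it the real `tcpdump -ni <if> icmp` output from both interfaces (one list per interface); a request stuck at "lan_req" means it was never sent out WAN-2 as the WAN-2 address, while "wan_reply" means the reply reached the firewall but was not handed back to the LAN host.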