Can I NAT a public IP on a local pfSense LAN gateway?



  • Hi all,
    this is my hypothetical situation:

    three public ip –  wan -- pfsense --  lan1 192.168.192.1
                                                            lan2 192.168.18.1  -- wan router ip 192.168.18.2
                                                            lan3 192.168.22.1

    I have three public IPs, and I want all the PCs behind lan1 to go out with public IP two. Lan1 is their gateway.
    I have a router behind lan2, so I NAT 1:1 one public IP to the WAN router IP. It runs!
    But I am not able to NAT one public IP on lan1, so my clients behind lan1 use the first public IP!!!!

    I have created a virtual IP and a NAT rule.
    Virtual IP:
    IP Alias    interface WAN  address: "mysecondarypublicip"/32
    NAT 1:1:  interface WAN  External IP "mysecondarypublicip"/32    internal IP "network 192.168.192.0/24" destination any NAT reflection ENABLE

    Where is the problem????


  • Netgate

    1:1 means 1:1.  You have 1:253.

    If you want the 192.168.192.0/24 to all use the mysecondarypublicip/32 address when they initiate an outbound connection you need to change NAT outbound to manual and create a rule mapping that internal network to the desired external IP.



  • @Derelict:

    1:1 means 1:1.  You have 1:254.

    If you want the 192.168.192.0/24 to all use the mysecondarypublicip/32 address when they initiate an outbound connection you need to change NAT outbound to manual and create a rule mapping that internal network to the desired external IP.

    Hi Derelict (great nick, lol!!!)

    Now I have understood a new concept!! NAT 1:1 is for one IP (for example, lan2 in my case, right?!)

    Other questions:

    • With manual outbound NAT rules, can I use IPsec VPN? Because in my case I need to use one IPsec VPN tunnel.
    • Outbound NAT rules are a new concept for me.... and my baaaaad English does not help me (but this year I will spend my vacation in London to study it!!!!)
      If I enable manual outbound rules, can I have many problems (because I don't know it)?
      Can I not add one manual rule with automatic outbound NAT rules enabled?
    • Can you give me an example?

    Really sorry for my English and also for the manyyyyyy questions, but this is work and I want to do it well!

    Thanks so much


  • Netgate

    When you enable manual NAT outbound it will populate the manual rule set with all the current auto rules so you won't lose anything.  This includes the IPsec rules.

    All you have to do is not break anything.  :)



  • Thanks Derelict, it's wonderful!

    I am trying again.
    So:

    three public ip –  wan -- pfsense --  lan1 192.168.192.1
                                                            lan2 192.168.18.1  -- wan router ip 192.168.18.2
                                                            lan3 192.168.22.1

    At this moment, all the clients behind my lan1 come out with the second public IP. Remember that the second public IP is a virtual IP. So the outbound NAT rule works.
    But I cannot do IPsec with this public IP, I can use only the first public IP...... If I put the second public IP in the IPsec profile on the pfSense that calls the VPN, I receive this error in the log:

    racoon: []: [Myremotepublicip] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP Myremotepublicip[0]->Mylocalpublicip[0]

    pfSense: I love it, but it makes me crazy!


  • Netgate

    Make sure you duplicate the IPsec passthrough entries.  There should be an entry for "Auto created rule for ISAKMP - LAN to WAN"  you can reference.



  • Sorry Derelict, but I don't understand this step..... maybe my baaad English? I think  :'(

    Maybe I need to create a new rule (in fact, in automatic outbound NAT rule generation, I can see "IPsec passthrough included")...

    I didn't find any option with "Auto created rule for ISAKMP - LAN to WAN" ...... mhhh.....

    Maybe it is a similar rule: https://www.google.it/search?q=pfsense+Auto+created+rule+for+ISAKMP+-+LAN+to+WAN&safe=off&client=firefox-a&hs=5x&rls=org.mozilla🇮🇹official&channel=fflb&source=lnms&tbm=isch&sa=X&ei=dl7bU_apOIWk0QW83oCYAw&ved=0CAoQ_AUoAw&biw=1280&bih=953#facrc=&imgdii=&imgrc=k2uTplclX1cJvM%253A%3BPR65AvcntbfHjM%3Bhttp%253A%252F%252Fwww.bodenzord.com%252Fwp-content%252Fuploads%252F2014%252F04%252FPIA_NAT_Configure.gif%3Bhttp%253A%252F%252Fwww.bodenzord.com%252Farchives%252F324%3B780%3B787
    but I am a noob on this topic, sorry


  • Netgate

    It's in the manual NAT page.  You need to set a rule above the one you set to map outbound NAT for your network to the secondary IP, but this one matches on port 500 and sets the static port option and the secondary IP.

    You're working on IPsec devices going through NAT, not a site-to-site from pfSense or a mobile client server on pfSense right?

    ![Screen Shot 2014-08-01 at 8.56.03 AM.png](/public/imported_attachments/1/Screen Shot 2014-08-01 at 8.56.03 AM.png)
    ![Screen Shot 2014-08-01 at 9.03.53 AM.png](/public/imported_attachments/1/Screen Shot 2014-08-01 at 9.03.53 AM.png)



  • No Derelict, it does not work....

    But now I will try other options.

    Please read your private messages, I need one piece of private information.

    Regards



  • Derelict, sorry, but I have a lot of difficulty understanding you. At this moment, I must leave my project.....
    I will try to show you my situation with an example and a screenshot. Now my brain is very fused (and I am unhappy :( )

    ippublic1
    ippublic2 virtual                      lan1 (vlan1)    vpnipsec
    ippublic3 virtual    pfsense    lan2 (vlan2)    vpnipsec
    ippublic4 virtual                      lan3 nat1:1 ---- router

    Behind lan2 I have some clients. These clients must exit with this virtual ippublic3.
    To do this, I need a manual outbound rule, in the first image. If I don't put ippublic3, my clients behind lan2 exit with ippublic1 (not a virtual IP).
    Shown in the second line.
    The first is as you said.

    At this moment, this IPsec VPN runs!!!
    The image shows you the parameters.

    Where is/are the error(s)?
    Maybe i am trying to do the impossible?

    headache.

    The first IPsec does not run.... but this is another problem.
    On lan4 I think there are no problems, because NAT 1:1 is not NAT 1:254  ;)

    Pleeeeeeasseeeee help me, otherwise I will hang myself with a patch cord in the computer room!

    Regards and thanks

    ![1 Firewall_ NAT_ Outbound.png](/public/imported_attachments/1/1 Firewall_ NAT_ Outbound.png)






  • Netgate

    OK.  So you're talking about site-to-site VPN, not IPsec passthrough.

    In your first image, 1 Firewall_ NAT_ Outbound.png, the rules say this:

    1. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:500, translate the source address to "WAN1 address" and use static ports

    2. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:any, translate the source address to "ippublic3"

    The first rule is for clients on the 192.168.35.0/24 who are making IPSec connections from their devices, like with Cisco VPN client or AnyConnect, etc.  It has nothing to do with pfSense establishing a site-to-site IPSec tunnel.

    As for your VPN tunnels, both ends have to match.  You determine what traffic you allow INTO your network FROM the remote VPN networks with rules in the IPSec interface.

    My advice is to back off, work one interface at a time, get your manual NAT where you want it for each, then move to the VPN, one tunnel at a time.  You might save more time resetting your configuration to factory, reentering your virtual IPs, resetting your LAN interfaces, selecting Manual NAT and taking a good look at the rules so you understand them.  All you should have to change are the "NAT address" columns in the automatic rules.
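    Derelict makes two points in this thread that are easy to check against a small model: 1:1 NAT pairs one address with one address (the "1:253" remark earlier), and the manual outbound NAT table is matched top-down, so the port-500 static-port row has to sit above the catch-all row for the subnet. The Python below is an added example written for this page, not pfSense code and not from any poster; the public addresses use the 203.0.113.0/24 documentation range as constructed stand-ins for ippublic1/2/3 and "WAN address", and the packets are constructed as well.

```python
"""Toy model of pf source translation as pfSense presents it: 1:1 NAT entries
pair single addresses and keep the port, outbound NAT rows are walked top-down
with first match winning. Constructed example, not pfSense code."""
import ipaddress
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class OneToOneRule:
    """Firewall > NAT > 1:1: one external address for one internal address."""
    external_ip: str
    internal_ip: str


@dataclass
class OutboundRule:
    """Firewall > NAT > Outbound (manual mode): one row of the rule table."""
    source_net: str
    dest_port: Optional[int]      # None means "any"
    nat_address: str
    static_port: bool = False


def one_to_one_is_valid(external_cidr: str, internal_cidr: str) -> bool:
    """1:1 maps address-for-address, so both sides must be the same size.
    A /32 external paired with a /24 internal is 1:254, not 1:1."""
    ext = ipaddress.ip_network(external_cidr, strict=False)
    intl = ipaddress.ip_network(internal_cidr, strict=False)
    return ext.prefixlen == intl.prefixlen


def translate(pkt: Packet, one_to_one: List[OneToOneRule],
              outbound: List[OutboundRule],
              pick_port: Callable[[], int] = lambda: random.randint(1024, 65535)
              ) -> Tuple[str, int, str]:
    """Return (translated source ip, translated source port, rule label)."""
    for rule in one_to_one:                       # 1:1 entries win, port kept
        if pkt.src_ip == rule.internal_ip:
            return rule.external_ip, pkt.src_port, f"1:1 {rule.external_ip}"
    src = ipaddress.ip_address(pkt.src_ip)
    for idx, rule in enumerate(outbound, start=1):   # top-down, first match
        if src not in ipaddress.ip_network(rule.source_net, strict=False):
            continue
        if rule.dest_port is not None and pkt.dst_port != rule.dest_port:
            continue
        port = pkt.src_port if rule.static_port else pick_port()
        return rule.nat_address, port, f"outbound rule {idx}"
    # No row matched: the packet leaves with its private source address,
    # which is what a LAN with no outbound row of its own sees.
    return pkt.src_ip, pkt.src_port, "untranslated"


# Constructed stand-ins for the thread's addresses (documentation range).
WAN_ADDRESS = "203.0.113.1"   # ippublic1, what the GUI calls "WAN address"
IPPUBLIC2 = "203.0.113.2"     # virtual IP, 1:1 to the router behind lan2
IPPUBLIC3 = "203.0.113.3"     # virtual IP used as the outbound NAT address

ONE_TO_ONE = [OneToOneRule(external_ip=IPPUBLIC2, internal_ip="192.168.18.2")]

# Row order as Derelict reads it from 1 Firewall_ NAT_ Outbound.png:
# the ISAKMP row (port 500, static port) sits above the catch-all row.
OUTBOUND = [
    OutboundRule("192.168.35.0/24", 500, WAN_ADDRESS, static_port=True),
    OutboundRule("192.168.35.0/24", None, IPPUBLIC3),
]


def demo() -> dict:
    """Run constructed packets through the rule set and return the results."""
    web = Packet("192.168.35.10", 40000, "198.51.100.7", 443)
    isakmp = Packet("192.168.35.10", 500, "198.51.100.7", 500)
    router = Packet("192.168.18.2", 4500, "198.51.100.7", 4500)
    orphan = Packet("192.168.22.5", 40001, "198.51.100.7", 80)  # lan3: no row
    return {
        "web": translate(web, ONE_TO_ONE, OUTBOUND),
        "isakmp": translate(isakmp, ONE_TO_ONE, OUTBOUND),
        "router": translate(router, ONE_TO_ONE, OUTBOUND),
        "orphan": translate(orphan, ONE_TO_ONE, OUTBOUND),
        # Same IKE packet with the rows swapped: the catch-all row now wins,
        # so it leaves from ippublic3 with a random port instead of 500.
        "isakmp_wrong_order": translate(isakmp, ONE_TO_ONE, OUTBOUND[::-1]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {result}")
```

    The `orphan` packet shows what the original poster saw on lan1 before adding a row for it: without a matching outbound row the model leaves the private source untouched, and in the real system the automatic rule set would have used the first public IP instead. `one_to_one_is_valid` encodes only the address-for-address rule; pfSense also accepts 1:1 entries for two equal-sized subnets, which the same prefix-length check allows.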



  • OK.  So you're talking about site-to-site VPN, not IPsec passthrough.

    In your first image, 1 Firewall_ NAT_ Outbound.png, the rules say this:

    1. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:500, translate the source address to "WAN1 address" and use static ports

    So, is it wrong? Because I think that all traffic sourced from 192.168.35.0/24:any destined for any:any should be translated to "ippublic3".... right?

    2. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:any, translate the source address to "ippublic3"

    In this mode, when I check the public IP from my client, it is ippublic3, so I think that this rule is right.

    The first rule is for clients on the 192.168.35.0/24 who are making IPSec connections from their devices, like with Cisco VPN client or AnyConnect, etc.  It has nothing to do with pfSense establishing a site-to-site IPSec tunnel.

    Really? Oh my god.... I have not understood anything...... ARG!

    As for your VPN tunnels, both ends have to match.  You determine what traffic you allow INTO your network FROM the remote VPN networks with rules in the IPSec interface.

    I add a little thing: I have the same configuration on another pfSense, behind another pfSense with NAT 1:1: it runs!
    My new project serves to simplify and reduce the number of pfSense boxes.

    My advice is to back off, work one interface at a time, get your manual NAT where you want it for each, then move to the VPN, one tunnel at a time.  You might save more time resetting your configuration to factory, reentering your virtual IPs, resetting your LAN interfaces, selecting Manual NAT and taking a good look at the rules so you understand them.  All you should have to change are the "NAT address" columns in the automatic rules.

    I am not happy to hear this, but I think you're right.... at this moment I am very confused!

    OK, should I reset my pfSense, or is it better to reinstall it?

    My future pfSense:

    ippublic1                            wan pfsense      -  lan1    (service LAN to reach my pfSense, with anti-lockout rule)
    ippublic2 (virtual ip)                                      - lan2    (LAN for other logical LANs with VLANs)
                                                                              |
                                                                            lan3    (on vlan3, with ippublic2 and class 192.168.35.1), with IPsec tunnel

    Is it OK to test all?


  • Netgate

    @cybermod:

    OK.  So you're talking about site-to-site VPN, not IPsec passthrough.

    In your first image, 1 Firewall_ NAT_ Outbound.png, the rules say this:

    1. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:500, translate the source address to "WAN1 address" and use static ports

    So, is it wrong? Because I think that all traffic sourced from 192.168.35.0/24:any destined for any:any should be translated to "ippublic3".... right?

    I don't think that rule has anything to do with your situation because you're not using IPsec VPN clients from behind your NAT.  If you WERE using IPsec VPN clients from behind NAT, they would look like they were coming from "WAN address"  If you wanted them to come from ippublic3, you'd need to change that rule.

    2. If WAN1 has traffic sourced from 192.168.35.0/24:any destined for any:any, translate the source address to "ippublic3"

    In this mode, when I check the public IP from my client, it is ippublic3, so I think that this rule is right.

    Ok.

    My advice is to back off, work one interface at a time, get your manual NAT where you want it for each, then move to the VPN, one tunnel at a time.  You might save more time resetting your configuration to factory, reentering your virtual IPs, resetting your LAN interfaces, selecting Manual NAT and taking a good look at the rules so you understand them.  All you should have to change are the "NAT address" columns in the automatic rules.

    I am not happy to hear this, but I think you're right.... at this moment I am very confused!

    OK, should I reset my pfSense, or is it better to reinstall it?

    My future pfSense:

    ippublic1                            wan pfsense      -  lan1    (service LAN to reach my pfSense, with anti-lockout rule)
    ippublic2 (virtual ip)                                      - lan2    (LAN for other logical LANs with VLANs)
                                                                              |
                                                                            lan3    (on vlan3, with ippublic2 and class 192.168.35.1), with IPsec tunnel

    Is it OK to test all?

    A couple things to note.

    The only thing you should need to change after switching to manual outbound NAT is the "NAT Address" for the LAN3 rules (set to ippublic2 based on your new diagram).

    Then just set up the IPsec tunnel.  You need to set the Interface in the IPsec configuration to the interface or virtual IP you want the IPsec to connect from and listen on (and that the other side is expecting to connect with).

    Those are really the only two changes from a "normal" config that I can see.

    Resetting to factory should be fine, as long as all the changes you've made were using the webAdmin and you haven't been making changes using the command line.  If you've been doing that, I'd reinstall.



  • I don't think that rule has anything to do with your situation because you're not using IPsec VPN clients from behind your NAT.  If you WERE using IPsec VPN clients from behind NAT, they would look like they were coming from "WAN address"  If you wanted them to come from ippublic3, you'd need to change that rule.

    OK, maybe I explained my situation very badly.
    No client VPN for the clients behind 192.168.35.0/24. The VPN is site-to-site between this gateway and another remote gateway.
    This is because the clients behind 192.168.35.0/24 must have access to a remote server with an application and some printers.

    A couple things to note.

    The only thing you should need to change after switching to manual outbound NAT is the "NAT Address" for the LAN3 rules (set to ippublic2 based on your new diagram).

    Then just set up the IPsec tunnel.  You need to set the Interface in the IPsec configuration to the interface or virtual IP you want the IPsec to connect from and listen on (and that the other side is expecting to connect with).

    Those are really the only two changes from a "normal" config that I can see.

    Resetting to factory should be fine, as long as all the changes you've made were using the webAdmin and you haven't been making changes using the command line.  If you've been doing that, I'd reinstall.

    OK, I can do it, because I have used only the webAdmin.
    I have some problems understanding the rest of your post, but I will try to proceed step by step.

    When must I switch from automatic NAT to manual outbound NAT rules?
    1- set WAN interface and LAN interface + virtual IP
    2- add opt1 for the logical interface
    3- add vlan3 and match it to a logical interface opt3
    4- change from "automatic outbound nat rule" to "manual outbound nat rule"
    5- set up the IPsec VPN profile
    6- I start to pray
    7- stop praying and start to blaspheme

    Is it right?


  • Netgate

    4.5 edit manual outbound nat rules setting both LAN3 rules to "NAT Address" of ippublic2.