Netgate Discussion Forum

    Outbound NAT At My Limit

    17 Posts 3 Posters 3.3k Views
    • Sabyre

      I'm at my limit of comprehension….

      pfSense 2.1 with 3 NICs.

      1 for WAN, we have 5 public IPs. The WAN interface owns one, virtual IPs own the rest.
      1 for LAN - 192.168.1.0/24
      1 for VLANs - 10.1.2.0/24, 10.1.1.0/24, 10.254.1.0/24

      The VLANs and LAN have servers behind them; accessing them from outside the network there are no issues. Accessing them from inside the network (LAN to VLAN, VLAN to LAN) yields problems.

      As an example: if I access a webserver behind a VLAN from the LAN, the reported IP I'm visiting from is incorrect. I know this (or assume this) is related to Outbound NAT. With respect to VLANs in outbound NAT I can select the public IPs associated with the VLANs for the translated address, but for the LAN I can only select the subnet.

      Our WAN IP block is .249 - .254, 249 is for the provider modem and the rest are our assignable public IP's.

      With the Outbound NAT I have tried CIDR 29 - 32 all of which report .248 which is incorrect.

      I would like for everything to be correct and I am having a tough time finding information regarding outbound NAT for pfsense even in the book. I have tested, researched, and tested some more. I am stumped.

      Any help on this would be super appreciated.
      network.jpg

      "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

      • vindenesen

        Hi Sabyre,

        @Sabyre:

        As an example: If I access a webserver behind a VLAN from the LAN the reported IP im visiting from is incorrect. I know this (or assume this) is relative to Outbound NAT. With respect to VLANs in outbound NAT I can select the public IP's associated with the VLANS for the translated address, but for the LAN I can only select the subnet.

        Some questions:

        1. What is the reported IP? I reckon you want it to be the IP address of the actual client?
        2. You have only configured a gateway on the WAN interface right? "IPv4 Upstream Gateway" should be set to "None" on all interfaces except WAN (exceptions do probably exist, but not in this case).
        3. Can you take a screenshot of your outbound NAT rules?

        Support the project by buying a Gold Subscription at https://portal.pfsense.org
        Running pfSense on SuperMicro A1SRI-2758F with ESXi 5.5

        • Sabyre

          Thanks for the reply.

          The reported IP is 24.39.20.248; it needs to be 24.39.20.250. When we connect to this webserver (VLAN) from the LAN it should mask our external IP.

          WAN interface is the only with a gateway listed.

          Outbound NAT SS posted.

          ONAT.jpg

          "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

          1 Reply Last reply Reply Quote 0
          • vindenesen

            I just tested a somewhat similar setup, where I first tried to translate the source address to 192.168.1.2/32, and that worked (source became 192.168.1.2). Afterwards I changed it to 192.168.1.2/24, and then the source address was translated to 192.168.1.0. So it looks like you at least need to use /32. But you have already tested that; not sure why it doesn't work with your setup.

            • Sabyre

              I just checked again … if I switch it to a /32 I can't even access the server. Times out.

              "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

              1 Reply Last reply Reply Quote 0
              • Sabyre

                It seems the only way around this would be to turn the LAN into a VLAN, which I'm a bit concerned about considering we have an IPsec tunnel set up for the LAN.

                "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                1 Reply Last reply Reply Quote 0
                • Sabyre

                  Just want to make sure I am understanding this correctly….

                  Looking at the attached pic:

                  1 = Interface packet is leaving
                  2 = Packets origin
                  3 = Packets destination
                  4 = Mask the identity of the packets origin with

                  Perhaps this can't work over local considering I'm asking it to mask with an external IP.

                  onat1.jpg

                  "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                  1 Reply Last reply Reply Quote 0
                  • Sabyre

                    Anyone?

                    "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                    1 Reply Last reply Reply Quote 0
                    • Sabyre

                      I was hoping someone could at least confirm my logic with that attached picture above.

                      Perhaps the best thing would be for me to pay for the support and go that route.

                      "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                      1 Reply Last reply Reply Quote 0
                      • vindenesen

                        @Sabyre:

                        I was hoping someone could at least confirm my logic with that attached picture above.

                        Your logic is hereby confirmed :) The picture looks good!

                        • Sabyre

                          Thank you sir!  ;D

                          "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                          1 Reply Last reply Reply Quote 0
                          • Derelict LAYER 8 Netgate

                            You did clear states after making changes but before testing right?

                            Chattanooga, Tennessee, USA
                            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                            Do Not Chat For Help! NO_WAN_EGRESS(TM)

                            • Sabyre

                              Yes of course.

                              The issue seems to be: with the VLANs I can select the specific public IP, but with the LAN I can only select 'interface address' (which would reflect a local address), a VLAN public IP (which would be incorrect), or a specified subnet. Choosing specified subnet 'xxx.xxx.xxx.xxx/32' doesn't work, and /29 reflects an IP just below the gateway? .248, whereas the gateway is .249.

                              "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                              1 Reply Last reply Reply Quote 0
                              • Derelict LAYER 8 Netgate

                                Wait a minute.

                                You want connections from LAN to VLAN to appear to be coming from 24.39.20.250?

                                To what interface is that VIP assigned?

                                • Sabyre

                                  Yes,

                                  That's just it: it's the only public IP that is not a VIP. It is assigned to the WAN.

                                  "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                                  1 Reply Last reply Reply Quote 0
                                  • Derelict LAYER 8 Netgate

                                    I'm not sure how you expect to NAT an address that isn't assigned to either of the interfaces involved in carrying the traffic.

                                    That seems pretty convoluted to me and I'm not surprised it's not behaving as you think it should.

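To make the two points of the thread concrete (Sabyre's four-field reading of an outbound NAT rule, and Derelict's objection that the translation address must belong to an interface that carries the traffic), here is a small model of pfSense-style outbound NAT rules as an added example. It is not code from the thread or from pfSense; the interface names, addresses and rules are constructed to mirror the thread (WAN owning .250 with VIPs .251 to .254, one LAN, one VLAN), and the checks it makes are a defender's sanity pass over a rule set: which rule a packet would hit, every address a block-type translation can produce (a /29 target includes the block's network address, .248, which is what the thread reports seeing, and its broadcast address), and whether any address in the target is assigned to the egress interface at all. It does not claim how pf picks an address from a pool; it only lists what the pool contains.

```python
# Added example (not from the thread or pfSense): a model of pfSense-style
# outbound NAT rules using the four fields Sabyre listed, plus a sanity check
# for the problem Derelict points out: a translation address the egress
# interface does not own. All interfaces, addresses and rules are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    addresses: Tuple[str, ...]   # interface address plus any VIPs bound to it


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str     # 1 = interface the packet is leaving on
    source: str        # 2 = packet's origin, CIDR
    destination: str   # 3 = packet's destination, CIDR or "any"
    translation: str   # 4 = address or block the origin is masked with


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)


def first_match(rules: List[OutboundNatRule], egress: str, src: str, dst: str) -> Optional[OutboundNatRule]:
    """Return the first rule a packet would hit; outbound NAT rules are first-match."""
    for rule in rules:
        if rule.interface == egress and _matches(rule.source, src) and _matches(rule.destination, dst):
            return rule
    return None


def translation_pool(rule: OutboundNatRule) -> List[str]:
    """Every address a translation target contains: a /32 is one address, a /29 is
    eight, and the eight include the block's network and broadcast addresses."""
    return [str(a) for a in ip_network(rule.translation, strict=False)]


def check_rules(rules: List[OutboundNatRule], interfaces: Dict[str, Interface]) -> List[str]:
    """Flag translation targets that cannot behave the way the rule author expects."""
    findings = []
    for n, rule in enumerate(rules, 1):
        net = ip_network(rule.translation, strict=False)
        iface = interfaces.get(rule.interface)
        if iface is None:
            findings.append(f"rule {n}: unknown egress interface {rule.interface!r}")
            continue
        if net.num_addresses > 1:
            findings.append(
                f"rule {n}: {rule.translation} is a block; its pool runs from the network address "
                f"{net.network_address} to the broadcast address {net.broadcast_address}"
            )
        # Iterate the handful of owned addresses rather than the (possibly huge) block.
        if not any(ip_address(a) in net for a in iface.addresses):
            findings.append(
                f"rule {n}: no address in {rule.translation} is assigned to egress interface {rule.interface}"
            )
    return findings


# Constructed to mirror the thread: WAN owns .250 with VIPs .251-.254; one LAN, one VLAN.
INTERFACES = {
    "WAN": Interface("WAN", ("24.39.20.250", "24.39.20.251", "24.39.20.252",
                             "24.39.20.253", "24.39.20.254")),
    "LAN": Interface("LAN", ("192.168.1.1",)),
    "VLAN2": Interface("VLAN2", ("10.1.2.1",)),
}

RULES = [
    # What the thread tried: LAN -> VLAN web server, masked with the public block.
    OutboundNatRule("VLAN2", "192.168.1.0/24", "10.1.2.0/24", "24.39.20.250/29"),
    # A target the egress interface actually owns (its own address).
    OutboundNatRule("VLAN2", "10.1.1.0/24", "10.1.2.0/24", "10.1.2.1/32"),
    # Ordinary Internet egress from LAN out the WAN.
    OutboundNatRule("WAN", "192.168.1.0/24", "any", "24.39.20.250/32"),
]

if __name__ == "__main__":
    hit = first_match(RULES, "VLAN2", "192.168.1.10", "10.1.2.80")
    print("LAN -> VLAN web server hits:", hit)
    print("pool for that rule:", translation_pool(hit))
    for finding in check_rules(RULES, INTERFACES):
        print("WARNING", finding)
```

Run as is, the first rule draws two warnings (its target is a block whose pool starts at 24.39.20.248, and nothing in that block is assigned to the VLAN interface the packet leaves on), while the rule that masks with the VLAN interface's own address and the ordinary WAN egress rule pass cleanly.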
                                    • Sabyre

                                      Workstation on LAN accesses webserver on VLAN by way of domain.com; DNS call goes out to determine the IP of domain.com = 24.111.111.111.
                                      Server should think the request is from IP 24.111.111.110 (public IP of LAN).

                                      Perhaps this should be accomplished with a static route?

                                      "We are the music makers and we are the dreamers of the dreams" - Willy Wonka

                                      1 Reply Last reply Reply Quote 0
                                      • First post
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.