Netgate Discussion Forum
NAT Problem with different Segment

4 Posts 3 Posters 1.1k Views
peruvichito2014, Nov 5, 2014, 5:21 AM (last edited Nov 5, 2014, 1:58 PM)

Hi gurus of pfSense,
I have a problem with the configuration of my firewall (pfSense version 2.1.5).
Let me explain the scenario of my network:
I have a core switch with different VLANs created, for example:

    Vlan 1   172.16.1.1/24
    Vlan 10  172.16.10.1/24
    Vlan 20  172.16.20.1/24
    ….....
    ........
    ........
    Vlan 80  172.16.80.1/24

There is an interface (GigaEther1/1) that has the IP address 172.16.9.1/24, and the default gateway of the core switch is 172.16.9.2:
"ip route 0.0.0.0 0.0.0.0 172.16.9.2"

The core switch is connected to my firewall using the interface GigaEther1/1.

In my firewall (pfSense) I configured the LAN interface with the IP address 172.16.9.2/24.
The WAN interface was configured with the parameters that my ISP gave me: the WAN IP address is a.b.c.18/28 and its default gateway is a.b.c.17.
I also configured a gateway in System --> Gateway:

    Name (LANGW)    Interface (LAN)    Gateway (172.16.9.1)

Routes:

    Destination network (172.16.0.0/16)    Gateway (LANGW)

The remaining parameters are set to default (NAT, etc.).

The problem is:
From any host (for example 172.16.10.10/24 in VLAN 10) I observed that ICMP gets no response (from my PC to the firewall), but I can access the web configuration (172.16.9.2).
Another problem is that from any PC of any segment I cannot access the Internet (from my PC I tried an ICMP test to 8.8.8.8, but unsuccessfully).

The idea is that all computers of my network, regardless of the segment they belong to, go to the Internet using the public IP address a.b.c.18/28.

Let me know, is it a problem of NAT??? Or what else could I be doing wrong??

I appreciate your suggestions/comments.

For more clarity I attached some diagrams:
the network,
the IP addresses of the interfaces,
the routing.

The rest of the configuration is set to default.

As I mentioned, the problem is that no user of the network can access the Internet; what could the problem be? Do you think the problem could be the NAT configuration (set to default???)?

Attachments: Network.jpg, Route.jpg
![LAN Segment.jpg](/public/imported_attachments/1/LAN Segment.jpg)
![WAN Segment and DW Gateway.jpg](/public/imported_attachments/1/WAN Segment and DW Gateway.jpg)
![Default Gateway.jpg](/public/imported_attachments/1/Default Gateway.jpg)

m4st3rc1p0, Nov 17, 2014, 5:50 PM

Did you define VLANs in pfSense? If not, then please make a set of rules to allow the IP address of the core switch to have Internet access in your pfSense.

** If you define VLANs in pfSense, then you do not need to make a route for 0.0.0.0 0.0.0.0 172.16.19.2.

pfSense acknowledges only the IP of your core switch, not your VLAN IPs.

Derelict (Netgate), Nov 18, 2014, 5:51 AM (last edited Nov 18, 2014, 5:54 AM)

You don't need to add VLANs to pfSense. They're all on your switch.

The firewall rules on pfSense LAN probably have to be adjusted to allow traffic from 172.16.0.0/16. If your source network in your LAN pass rule is any, you don't need to do anything. If it's LAN net or 172.16.9.0/24, you need to change it to 172.16.0.0/16. That will allow traffic into LAN from all your subnets, not just LAN net.

The NAT rules in Firewall->NAT probably have to be adjusted to NAT for 172.16.0.0/16. You will have to go to outbound, set manual outbound, save, then change the rules from 172.16.9.0/24 to 172.16.0.0/16 so pfSense will NAT all your subnets, not just its LAN net.

And that should be all you need.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

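The two settings Derelict's reply points at (the source network of the LAN pass rule and the source network of the outbound NAT rule), plus the static route to the VLANs that the original poster already had, can be checked with a small model. The following is an added example, not pfSense code or anything from this thread's authors: it evaluates a packet from a VLAN 10 host against the "before" configuration (rules scoped to 172.16.9.0/24, i.e. "LAN net") and the "after" configuration (rules scoped to 172.16.0.0/16). The anti-lockout rule is an assumption modelled on pfSense's built-in rule, which passes traffic to the firewall's own LAN address on the webGUI ports from any source; a.b.c.18 and a.b.c.17 are the placeholder addresses the thread itself uses.

```python
"""Added example (not pfSense code): a model of the LAN pass rule, the outbound
NAT rule and the routing table discussed in this thread, evaluated "before"
and "after" widening the source network from 172.16.9.0/24 to 172.16.0.0/16.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

LAN_ADDRESS = ip_address("172.16.9.2")
WAN_ADDRESS = "a.b.c.18"   # placeholder public address, as written in the thread
WAN_GATEWAY = "a.b.c.17"   # placeholder ISP gateway, as written in the thread


@dataclass(frozen=True)
class PassRule:
    source: IPv4Network                 # "Source" column of the LAN rule
    dest: Optional[IPv4Address]         # None means "any" destination
    ports: Optional[frozenset[int]]     # None means any port (ICMP has no port)


@dataclass(frozen=True)
class Config:
    lan_rules: tuple[PassRule, ...]
    nat_sources: tuple[IPv4Network, ...]          # outbound NAT "Source" networks
    routes: tuple[tuple[IPv4Network, str], ...]   # (destination, next hop)


# Assumption: shaped like pfSense's anti-lockout rule (any source -> LAN address, webGUI ports).
ANTI_LOCKOUT = PassRule(ip_network("0.0.0.0/0"), LAN_ADDRESS, frozenset({80, 443}))


def lan_config(source: str) -> Config:
    """Configuration whose LAN pass rule and outbound NAT rule use `source`."""
    net = ip_network(source)
    return Config(
        lan_rules=(ANTI_LOCKOUT, PassRule(net, None, None)),
        nat_sources=(net,),
        routes=(
            (ip_network("172.16.9.0/24"), "connected"),
            (ip_network("172.16.0.0/16"), "172.16.9.1"),   # LANGW static route from the thread
            (ip_network("0.0.0.0/0"), WAN_GATEWAY),
        ),
    )


BEFORE = lan_config("172.16.9.0/24")   # default "LAN net" scope: VLAN hosts are not covered
AFTER = lan_config("172.16.0.0/16")    # Derelict's change: every 172.16.x.0/24 VLAN is covered


def next_hop(cfg: Config, dst: IPv4Address) -> str:
    """Longest-prefix match over the modelled routing table (the default route always matches)."""
    best = max((r for r in cfg.routes if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def evaluate(cfg: Config, src: str, dst: str, dport: Optional[int]) -> str:
    """Classify a packet arriving on LAN: blocked / local / routed-internally / nat:<addr> / no-nat."""
    s, d = ip_address(src), ip_address(dst)
    matched = any(
        s in r.source
        and (r.dest is None or d == r.dest)
        and (r.ports is None or (dport is not None and dport in r.ports))
        for r in cfg.lan_rules
    )
    if not matched:
        return "blocked"              # dropped by the LAN ruleset
    if d == LAN_ADDRESS:
        return "local"                # delivered to the firewall itself (webGUI, ping)
    if next_hop(cfg, d) != WAN_GATEWAY:
        return "routed-internally"    # forwarded back towards the core switch via LANGW
    for net in cfg.nat_sources:
        if s in net:
            return f"nat:{WAN_ADDRESS}"
    return "no-nat"                   # would leave WAN with a private source address


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, "webGUI from VLAN 10:", evaluate(cfg, "172.16.10.10", "172.16.9.2", 443))
        print(label, "ping fw from VLAN 10:", evaluate(cfg, "172.16.10.10", "172.16.9.2", None))
        print(label, "8.8.8.8 from VLAN 10:", evaluate(cfg, "172.16.10.10", "8.8.8.8", None))
    print("reply to 172.16.10.10 leaves via", next_hop(AFTER, ip_address("172.16.10.10")))
```

With the "before" configuration the model reproduces the symptoms in the first post: the webGUI is reachable from 172.16.10.10 (only the anti-lockout rule matches), while ping to the firewall and traffic to 8.8.8.8 are blocked because the LAN pass rule's source is 172.16.9.0/24. With the "after" configuration the same host is passed and translated to a.b.c.18, and the LANGW static route is what sends replies for 172.16.10.10 back to the core switch instead of out the WAN gateway.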
peruvichito2014, Dec 4, 2014, 1:55 PM

Thanks Derelict!!!!!
The changes were:
NAT rules - static configuration from my LAN 172.16.0.0/16 to my public IP.
Rules:
. If I want to reach any IP from my LAN network, the firewall must return the traffic to the switch.
And also I had to change the LAN from 172.16.9.0/24 to 172.16.0.0/16.

After these changes my network is functioning correctly!!!!
Many thanks!!!!!!!!!!
