NAT problem with different segments



  • Hi gurus of pfSense,
    I have a problem with the configuration of my firewall (pfSense version 2.1.5).
    Let me explain the scenario of my network:
    I have a core switch with different VLANs created, for example:
    Vlan 1 172.16.1.1/24
    Vlan 10 172.16.10.1/24
    Vlan 20 172.16.20.1/24
    ...
    Vlan 80 172.16.80.1/24
    There is an interface (GigaEther1/1) that has the IP address 172.16.9.1/24, and the default gateway of the core switch is 172.16.9.2:
    "ip route 0.0.0.0 0.0.0.0 172.16.9.2"

    The core switch is connected to my firewall using the interface GigaEther1/1.

    In my firewall (pfSense) I configured the LAN interface with the IP address 172.16.9.2/24.
    The WAN interface was configured with the parameters that my ISP gave me: the WAN IP address is a.b.c.18/28 and its default gateway is a.b.c.17.
    I also configured a route in System --> Gateway:
    Name (LANGW)    Interface (LAN)        Gateway (172.16.9.1)

    Routes
    Destination network (172.16.0.0/16)    Gateway (LANGW)

    The remaining parameters are set to default (NAT, etc.).

    The problem is:
    From any host (for example 172.16.10.10/24 in VLAN 10) I observed that ICMP gets no response (from my PC to the firewall), but I can access the web configuration (172.16.9.2).
    Another problem is that from any PC in any segment I cannot access the Internet (from my PC I tried an ICMP test to 8.8.8.8, but unsuccessfully).

    The idea is that all computers on my network, regardless of the segment to which they belong, go to the Internet using the public IP address a.b.c.18/28.

    Let me know, is it a problem of NAT??? Or what else could I be doing wrong??

    I appreciate your suggestions/comments.

    For more detail I attached some diagrams:
    the network
    IP addresses of the interfaces
    routing

    The rest of the configuration is set to default.

    As I mentioned, the problem is that no user of the network can access the Internet. What would be the problem? Do you think the problem could be the NAT configuration (set to default???)



    ![LAN Segment.jpg](/public/imported_attachments/1/LAN Segment.jpg)
    ![WAN Segment and DW Gateway.jpg](/public/imported_attachments/1/WAN Segment and DW Gateway.jpg)
    ![Default Gateway.jpg](/public/imported_attachments/1/Default Gateway.jpg)



  • Did you define VLANs in pfSense? If not, then please make a set of rules to allow the IP address of the core switch to have Internet access in your pfSense.

    ** If you define VLANs in pfSense, then you do not need to make a route for 0.0.0.0 0.0.0.0 172.16.19.2.

    pfSense acknowledges only the IP of your core switch, not your VLAN IPs.


  •

    You don't need to add VLANs to pfSense.  They're all on your switch.

    The firewall rules on pfSense LAN probably have to be adjusted to allow traffic from 172.16.0.0/16.  If your source network in your LAN pass rule is any, you don't need to do anything.  If it's LAN net or 172.16.9.0/24, you need to change it to 172.16.0.0/16.  That will allow traffic into LAN from all your subnets, not just LAN net.

    The NAT rules in Firewall->NAT probably have to be adjusted to NAT for 172.16.0.0/16.  You will have to go to outbound, set manual outbound, save, then change the rules from 172.16.9.0/24 to 172.16.0.0/16 so pfSense will NAT all your subnets, not just its LAN net.

    And that should be all you need.
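
    The three pieces Derelict lists (LAN pass rule source, outbound NAT source, and a route back to the core switch for replies) can be checked as a small model before touching the firewall. The script below is an added example, not code from the thread or from pfSense; it reproduces the topology in the original post with constructed hosts (172.16.9.50 on the LAN segment, 172.16.10.10 on VLAN 10) and stands in RFC 5737 addresses 192.0.2.17/18 for the thread's a.b.c.17/18 placeholders. It shows why a VLAN 10 host fails with the default "LAN net" rule and automatic NAT, why it works once both are widened to 172.16.0.0/16, and why the static route to 172.16.0.0/16 via 172.16.9.1 (which the poster already has) is needed for replies. The pfSense anti-lockout rule, which permits web GUI access from any source on LAN and explains why the GUI still loaded while ICMP did not, is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed topology from the thread. 192.0.2.x (RFC 5737) stands in for
# the a.b.c.x placeholders the poster used; these are not real addresses.
LAN_NET = ip_network("172.16.9.0/24")       # pfSense "LAN net"
ALL_SEGMENTS = ip_network("172.16.0.0/16")  # every VLAN behind the core switch
CORE_SWITCH = ip_address("172.16.9.1")      # the LANGW gateway
WAN_GATEWAY = ip_address("192.0.2.17")      # stands in for a.b.c.17
WAN_ADDRESS = ip_address("192.0.2.18")      # stands in for a.b.c.18

# Routing table as (network, next hop). A string marks a connected interface.
DEFAULT_ROUTES = [(LAN_NET, "directly connected (LAN)"),
                  (ip_network("0.0.0.0/0"), WAN_GATEWAY)]
STATIC_ROUTES = [(ALL_SEGMENTS, CORE_SWITCH)] + DEFAULT_ROUTES


def lan_rule_passes(src, pass_source):
    """LAN pass rule: the packet is allowed in only if its source is in the rule's source net."""
    return src in pass_source


def outbound_nat_source(src, nat_source):
    """Outbound NAT on WAN: translated source, or None if the private source leaves untranslated."""
    return WAN_ADDRESS if src in nat_source else None


def next_hop(dst, routes):
    """Longest-prefix match over (network, gateway) pairs; None if nothing matches."""
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def internet_path(src, pass_source, nat_source, routes):
    """Trace one host's flow out to the Internet and the reply back. Returns (ok, reason)."""
    if not lan_rule_passes(src, pass_source):
        return False, f"blocked: {src} is not in LAN rule source {pass_source}"
    nat = outbound_nat_source(src, nat_source)
    if nat is None:
        return False, f"no NAT: {src} leaves WAN with a private source"
    reply_hop = next_hop(src, routes)
    if reply_hop is None or reply_hop == WAN_GATEWAY:
        return False, f"reply to {src} has no route back through LAN"
    return True, f"{src} -> {nat} -> Internet, replies via {reply_hop}"


HOSTS = ("172.16.9.50", "172.16.10.10")  # constructed: one LAN host, one VLAN 10 host


def before():
    """pfSense defaults: LAN rule source and automatic outbound NAT both cover only LAN net."""
    return {h: internet_path(ip_address(h), LAN_NET, LAN_NET, STATIC_ROUTES) for h in HOSTS}


def after():
    """Derelict's fix: LAN rule source and manual outbound NAT widened to 172.16.0.0/16."""
    return {h: internet_path(ip_address(h), ALL_SEGMENTS, ALL_SEGMENTS, STATIC_ROUTES)
            for h in HOSTS}


def without_static_route():
    """Same fix, but with the 172.16.0.0/16 -> 172.16.9.1 route missing: replies go out WAN."""
    return internet_path(ip_address("172.16.10.10"), ALL_SEGMENTS, ALL_SEGMENTS, DEFAULT_ROUTES)


if __name__ == "__main__":
    for label, result in (("before", before()), ("after", after())):
        for host, (ok, reason) in result.items():
            print(f"{label:7} {host:14} {'OK ' if ok else 'FAIL'} {reason}")
    print("no static route", without_static_route())
```

    Widening the LAN rule alone is not enough: without the matching outbound NAT entry the packet leaves WAN with a 172.16.x.x source and the ISP drops it, and without the static route the reply to a VLAN host is sent to the WAN gateway instead of the core switch.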



  • Thanks Derelict!!!!!
    The changes were:
    NAT rules - static configuration from my LAN 172.16.0.0/16 to my public IP.
    Rules:
    . If I want to reach any IP from my LAN network, the firewall must return the traffic to the switch.
    And I also had to change the LAN from 172.16.9.0/24 to 172.16.0.0/16.

    After these changes my network is functioning correctly!!!!
    Many thanks!!!!!!!!!!

