NAT and multiple subnets via VLAN



  • Hello all,

I'm currently trying to move from a big single IP space to multiple VLANs.
I've found the following problem:
pfSense lives in one IP range, say 10.0.0.0/16, and there is an IP for a switch that routes the new VLANs, say 10.0.0.254.
Now, I have the new VLANs:
10.1.0.0/24, 10.1.1.0/24, etc.
On each subnet the switch has an interface and static routing set up. I can ping from 10.1.0.0 to 10.0.0.0 and back.
What I can't seem to get is what I have to modify in pfSense's rules to allow it to talk back through the switch to the subnets. I added a gateway on the LAN interface (not adding it to the groups that handle internet traffic and not adding it to the interface per se, otherwise traffic to the internet stops) and added static routes for those subnets. I can ping, say, 10.1.0.1 from pfSense and I can access the web GUI from a machine in the subnets, but I can't get a ping or tracert to work outside pfSense. It's like pfSense doesn't agree with the request or doesn't see the subnets as LAN…

    Ideas?


  • Netgate

    Set the default route in the switch to 10.0.0.1 (or whatever pfSense's address is)

    Create a gateway for 10.0.0.254
    Create a static route for 10.1.0.0/16 pointing at that gateway.
    Add manual outbound NAT on WAN for 10.1.0.0/16
    Make sure the rules on the pfSense LAN interface pass traffic from 10.1.0.0/16

    The switch shouldn't need much in the way of static routes.  Each VLAN should be a connected interface.



Switch already has pfSense as default route (currently in the old range).
Static route on pfSense pointing to the local switch address is also there.
I was missing the manual outbound NAT rule; I'd need to work with the hybrid mode, and there pops up another question:
How can I make the outbound NAT rule encompass the current GW group? I have 3 internet connections (two set at Tier 1 and one at Tier 2), but the outbound NAT rule asks for an interface. Is that interface the origin or the target? I mean, is that the interface to be NATed?

I was under the impression that "automatic" outbound rules tagged anything coming from the LAN interface as LAN to be NATed, but it would seem it's not that way, right?

EDIT: I forgot to add that pfSense can ping anything and I can reach pfSense from any subnet (the switch and VLAN side is already OK).

EDIT2:

I didn't need to create any outbound rules. Just having it in auto mode worked fine. What was blocking my traffic was a rule inside Interfaces : LAN : ipv4 : "LAN net to any"; I changed it to "any to any" and voila, it works. What should it have been? Or better yet, should I revert that change and add a rule for each subnet I want routed?


  • Netgate

@Raiker:

Switch already has pfSense as default route (currently in the old range).
Static route on pfSense pointing to the local switch address is also there.
I was missing the manual outbound NAT rule; I'd need to work with the hybrid mode, and there pops up another question:
How can I make the outbound NAT rule encompass the current GW group? I have 3 internet connections (two set at Tier 1 and one at Tier 2), but the outbound NAT rule asks for an interface. Is that interface the origin or the target? I mean, is that the interface to be NATed?

You need NAT rules for all your WAN interfaces. The NAT rules have nothing to do with which gateway is selected. They determine how NAT works if that gateway is processing traffic from the specified source addresses.

I was under the impression that "automatic" outbound rules tagged anything coming from the LAN interface as LAN to be NATed, but it would seem it's not that way, right?

Automatic NAT creates rules for connected interfaces. The subnets on your switch are not connected interfaces.

EDIT: I forgot to add that pfSense can ping anything and I can reach pfSense from any subnet (the switch and VLAN side is already OK).

EDIT2:

I didn't need to create any outbound rules. Just having it in auto mode worked fine. What was blocking my traffic was a rule inside Interfaces : LAN : ipv4 : "LAN net to any"; I changed it to "any to any" and voila, it works. What should it have been? Or better yet, should I revert that change and add a rule for each subnet I want routed?

Source any is probably OK. Having your rules specify source addresses is a handy way to stop address spoofing right there. Maybe a rule for LAN net and a rule for 10.1.0.0/16? That'd be another option.
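The two points in this reply (outbound NAT rules are bound to each WAN interface and keyed on source address, and a LAN pass rule that names only "LAN net" never matches the routed VLANs behind the switch) can be seen in a small model of pfSense's first-match filtering and outbound NAT. This is an added example, not pfSense's own code or anything from the thread; it uses the thread's addresses (LAN 10.0.0.0/16, VLANs in 10.1.0.0/16) and constructed sample packets, and it models the automatic NAT table as covering only connected networks, as this reply states (the poster later found that 2.2 also added entries for the static-route networks).

```python
"""Model of pfSense LAN filtering (first match wins) and per-WAN outbound NAT.

Added example for the thread above: not pfSense code. Addresses follow the
thread; the packets and WAN names are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

LAN_NET = IPv4Network("10.0.0.0/16")    # pfSense LAN, "LAN net" in the GUI
VLAN_NETS = IPv4Network("10.1.0.0/16")  # routed via the switch at 10.0.0.254
ANY = IPv4Network("0.0.0.0/0")
WANS = ("WAN", "WAN2", "WAN3")          # assumed names for the three uplinks


@dataclass(frozen=True)
class Rule:
    action: str          # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    description: str = ""


def evaluate(rules, src, dst):
    """First matching rule wins (pfSense rules are 'quick'); no match means default deny."""
    src_ip, dst_ip = IPv4Address(src), IPv4Address(dst)
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst:
            return r.action, r.description
    return "block", "default deny"


# The ruleset the poster started with: only the directly connected LAN passes.
LAN_NET_TO_ANY = [Rule("pass", LAN_NET, ANY, "LAN net to any")]
# What the poster changed it to: passes the VLANs, but also anything spoofed.
ANY_TO_ANY = [Rule("pass", ANY, ANY, "any to any")]
# The option suggested in the reply: one pass rule per source network actually routed.
PER_SOURCE = [
    Rule("pass", LAN_NET, ANY, "LAN net to any"),
    Rule("pass", VLAN_NETS, ANY, "10.1.0.0/16 to any"),
]

# Constructed sample packets as they arrive on the LAN interface (src, dst).
SAMPLE_PACKETS = {
    "lan host": ("10.0.5.20", "8.8.8.8"),
    "vlan host": ("10.1.0.5", "8.8.8.8"),
    "spoofed": ("192.168.1.1", "8.8.8.8"),
}


def verdicts(rules):
    """Map each sample packet to the action the ruleset gives it."""
    return {name: evaluate(rules, s, d)[0] for name, (s, d) in SAMPLE_PACKETS.items()}


@dataclass(frozen=True)
class NatRule:
    interface: str       # the egress (WAN) interface the rule is bound to
    src: IPv4Network     # source addresses it translates
    translate_to: str    # e.g. "WAN address"


def outbound_nat(nat_rules, interface, src):
    """Translation applied when src leaves via interface, or None if untranslated."""
    src_ip = IPv4Address(src)
    for r in nat_rules:
        if r.interface == interface and src_ip in r.src:
            return r.translate_to
    return None


# Automatic outbound NAT as described in the reply: connected networks only, one rule per WAN.
AUTO_NAT = [NatRule(w, LAN_NET, f"{w} address") for w in WANS]
# Manual/hybrid addition for the routed VLANs: again one rule per WAN, because the
# interface in an outbound NAT rule is the egress, not the origin.
MANUAL_NAT = AUTO_NAT + [NatRule(w, VLAN_NETS, f"{w} address") for w in WANS]


if __name__ == "__main__":
    for label, rules in (("LAN net to any", LAN_NET_TO_ANY),
                         ("any to any", ANY_TO_ANY),
                         ("per-source", PER_SOURCE)):
        print(f"{label:15} {verdicts(rules)}")
    for table, name in ((AUTO_NAT, "auto"), (MANUAL_NAT, "manual")):
        print(f"{name:7} NAT for 10.1.0.5 via WAN2: {outbound_nat(table, 'WAN2', '10.1.0.5')}")
```

The per-source ruleset passes the LAN and the routed VLANs but still drops a packet whose source is outside both, which is the anti-spoofing property the reply mentions; "any to any" passes all three. The NAT table shows why a gateway group is irrelevant to the question: whichever WAN the group picks, a rule bound to that WAN with the VLAN source must exist for the translation to happen.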



  • Derelict,

I understand that the rules should be auto-created for connected nets only, but the system auto-created them when I added the original routing (not the outbound NAT, just the routing). I did not need to add them; in fact they live in the same rule as the other automatic rules under the "automatic rules" heading.

I'll probably shift that back to LAN net and create a rule for each VLAN that needs routing; there aren't that many, and it gives me better control over which GW group to send them to.

    Thanks!


  • Netgate

    Cool.  That must be new in 2.2.  I use manual just about everywhere so I don't see it.