Netgate Discussion Forum
pfSense behind Cisco router, no internet connection

    5 Posts 3 Posters 1.3k Views
itatcap

      Hello,

We have installed a pfSense firewall behind a Cisco 2811 router, which also acts as a firewall for our internet connection.
The pfSense firewall NATs the IP addresses behind it on its own private LAN.
The Cisco router also NATs all traffic behind it, including anything coming from the pfSense firewall.

      i.e.

Internet -- Cisco 2811 -- pfSense -- internal pfSense private IP

      Public IP of cisco = 203.40.240.2
      private IP of cisco = 192.168.1.1/255.255.254.0

      External interface of pfSense firewall = 192.168.1.10/255.255.254.0
      Private IP of pfSense LAN = 172.16.1.1/255.255.240.0
      Private LAN behind 172.16.0.0/255.255.240.0

Computers on the internal pfSense private IP range cannot connect to the internet through the pfSense and then the Cisco.
It appears that the packets arrive at the Cisco router, which does not block any outbound connections. However, we do not see any return packets, it seems.

On the other hand, if we replace the Cisco with a simple Billion ADSL modem/router (and another internet connection), the internal computers can browse the internet.

I believe that we must make some change on the Cisco to allow this double NATing, although I am not sure.

      Any help would be appreciated.

      itatcap

Derelict (Netgate)

        If the LAN clients behind pfSense can ping 192.168.1.1, you'll probably have better luck talking to Cisco folk.

Happy to do it, but not on this forum. It's noisy enough as it is.


itatcap

Thanks, will do that.
Just not sure which Cisco forum is best, so I thought I would try here.
I might try to turn off NAT on the pfSense's interface and just use static routes on the Cisco.

johnpoz (Global Moderator)

How would the Cisco know it's a double NAT?

Traffic from pfSense would all look like it came from 192.168.1.10.


itatcap
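An added illustration of johnpoz's point, not code from the thread or from Netgate: a toy model of the two source-NAT stages using the addresses from the first post (the server address and ephemeral port range are constructed). It shows that the Cisco only ever sees 192.168.1.10 as the source, and that a reply reaches the LAN client only if both state tables still hold a matching entry, which is the failure the first post describes when no return packets appear.

```python
import ipaddress
from itertools import count

# Addresses from the thread (the OP's topology); the server address is constructed.
CISCO_PUBLIC = "203.40.240.2"
CISCO_INSIDE_NET = ipaddress.ip_network("192.168.0.0/23")   # 192.168.1.1/255.255.254.0
PFSENSE_WAN = "192.168.1.10"
PFSENSE_LAN_NET = ipaddress.ip_network("172.16.0.0/20")      # 172.16.1.1/255.255.240.0


def topology_checks():
    """Sanity checks to run before blaming NAT: is the pfSense WAN on the Cisco's inside subnet, and do the subnets collide?"""
    wan = ipaddress.ip_address(PFSENSE_WAN)
    return {
        "wan_same_subnet_as_cisco": wan in CISCO_INSIDE_NET,
        "lan_overlaps_wan_subnet": PFSENSE_LAN_NET.overlaps(CISCO_INSIDE_NET),
    }


class Nat:
    """Minimal source NAT (PAT) with one outside address and a state table."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        self.ports = count(50000)  # constructed ephemeral port range
        self.table = {}            # outside_port -> (inside_ip, inside_port, server)

    def outbound(self, src_ip, src_port, server):
        # Rewrite the source and record the mapping so the reply can be undone.
        port = next(self.ports)
        self.table[port] = (src_ip, src_port, server)
        return self.outside_ip, port

    def inbound(self, dst_ip, dst_port, server):
        # A reply is forwarded only if it matches state created on the way out.
        entry = self.table.get(dst_port)
        if dst_ip != self.outside_ip or entry is None or entry[2] != server:
            return None
        return entry[0], entry[1]


def trace_round_trip(client_ip, client_port, server, cisco_loses_state=False):
    """Follow one connection out through both NATs and its reply back in."""
    pf, cisco = Nat(PFSENSE_WAN), Nat(CISCO_PUBLIC)
    pf_ip, pf_port = pf.outbound(client_ip, client_port, server)   # LAN client -> pfSense
    pub_ip, pub_port = cisco.outbound(pf_ip, pf_port, server)      # pfSense -> Cisco
    if cisco_loses_state:                                          # models the "no return packets" symptom
        cisco.table.clear()
    back = cisco.inbound(pub_ip, pub_port, server)                 # Internet -> Cisco
    client = pf.inbound(*back, server) if back else None           # Cisco -> pfSense
    return {"seen_by_cisco_as": pf_ip, "seen_by_internet_as": pub_ip,
            "reply_reached_client": client == (client_ip, client_port)}
```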

Thanks for the reply, johnpoz.
I agree, that is how I think it should work, i.e. the Cisco would not know about the double NATing.

Oddly, I can get traffic FROM the internet to the network behind the pfSense and return data (i.e. NAT and PAT inwards to the pfSense),
but not initiate connections from within.

Anyway, we have changed the LAN and WAN interfaces on the pfSense, made some other changes, and are routing traffic through two different internet connections.
To be honest, I am surprised the new network topology works, but it does.

On the Cisco forum as well, but I probably cannot action their suggestions, as the unit is in production and I am not keen on changing the system drastically.

Thanks again for the reply.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.