pfSense behind Cisco router, no internet connection
-
Hello,
We have installed a pfSense firewall behind a Cisco 2811 router, which also acts as the firewall for our internet connection.
The pfSense firewall NATs the IP addresses behind it on its own private LAN.
The Cisco router also NATs all traffic behind it, including anything coming from the pfSense firewall, i.e.
Internet – cisco 2811 -- pfsense --internal pfsense private IP
Public IP of Cisco = 203.40.240.2
Private IP of Cisco = 192.168.1.1/255.255.254.0
External interface of pfSense firewall = 192.168.1.10/255.255.254.0
Private IP of pfSense LAN = 172.16.1.1/255.255.240.0
Private LAN behind = 172.16.0.0/255.255.240.0

Computers on the internal pfSense private IP range cannot connect to the internet through the pfSense and then the Cisco.
It appears that the packets arrive at the Cisco router, which does not block any outbound connections. However, we do not see any return packets, it seems.
On the other hand, if we replace the Cisco with a simple Billion ADSL modem/router (and another internet connection), the internal computers can browse the internet.
I believe that we must make some change on the Cisco to allow this double NATing, although I am not sure.
Any help would be appreciated.
itatcap
-
If the LAN clients behind pfSense can ping 192.168.1.1, you'll probably have better luck talking to Cisco folk.
Happy to do it, but not on this forum. It's noisy enough as it is.
-
Thanks, will do that.
Just not sure what Cisco forum is best, so thought I would try here.
I might try to turn off NAT on the pfSense's interface and just use static routes on the Cisco.
-
How would the Cisco know it's a double NAT?
Traffic from pfSense would all look like it came from 192.168.1.10.
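The point johnpoz makes above (the Cisco only ever sees 192.168.1.10 as the source) can be checked with a small model of two chained PAT devices using the addresses from the original post. This is an added illustration, not code from the thread or from pfSense; the client address 172.16.1.50 and the remote server 198.51.100.7 are constructed placeholders, and the PAT model is deliberately minimal (one outside IP, a state table keyed on the full 4-tuple, no timeouts).

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class PatDevice:
    """Minimal PAT (overload NAT) model: one outside IP plus a table of active translations."""

    def __init__(self, name, inside_net, outside_ip, first_port=1024):
        self.name = name
        # strict=False lets us pass the interface address with its mask, as written in the post
        self.inside_net = ipaddress.ip_network(inside_net, strict=False)
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.out_table = {}  # (src, sport, dst, dport) -> outside port
        self.in_table = {}   # (outside port, remote ip, remote port) -> (inside ip, inside port)

    def outbound(self, pkt):
        """Translate a packet leaving the inside network; None if it is not from an inside address."""
        if pkt is None or ipaddress.ip_address(pkt.src) not in self.inside_net:
            return None
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.out_table.get(key)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.outside_ip, sport=port)

    def inbound(self, pkt):
        """Reverse-translate a reply; None (dropped) when no matching state exists."""
        if pkt is None or pkt.dst != self.outside_ip:
            return None
        entry = self.in_table.get((pkt.dport, pkt.src, pkt.sport))
        if entry is None:
            return None  # no state: this is the "no return packets" symptom from the thread
        inside_ip, inside_port = entry
        return replace(pkt, dst=inside_ip, dport=inside_port)


def build_topology():
    """Internet - Cisco 2811 - pfSense - internal LAN, with the addresses given in the post."""
    pfsense = PatDevice("pfSense", "172.16.1.1/255.255.240.0", "192.168.1.10")
    cisco = PatDevice("cisco2811", "192.168.1.1/255.255.254.0", "203.40.240.2")
    return pfsense, cisco


def round_trip(pfsense, cisco, client_pkt):
    """Push one client packet out through both NATs and bring the server's reply back.

    Returns (packet as seen on the Cisco LAN, packet as seen on the internet,
             reply as delivered to the client or None if it was dropped)."""
    on_cisco_lan = pfsense.outbound(client_pkt)
    on_internet = cisco.outbound(on_cisco_lan)
    if on_internet is None:
        return on_cisco_lan, None, None
    # The remote server answers to whatever source it saw: the Cisco's public address.
    reply = Packet(src=on_internet.dst, sport=on_internet.dport,
                   dst=on_internet.src, dport=on_internet.sport)
    back_on_cisco_lan = cisco.inbound(reply)
    back_on_pf_lan = pfsense.inbound(back_on_cisco_lan)
    return on_cisco_lan, on_internet, back_on_pf_lan


if __name__ == "__main__":
    pf, cisco = build_topology()
    client = Packet("172.16.1.50", 40000, "198.51.100.7", 443)  # constructed sample flow
    a, b, c = round_trip(pf, cisco, client)
    print("Cisco sees source:", a.src, a.sport)        # 192.168.1.10, never 172.16.x.x
    print("Internet sees source:", b.src, b.sport)     # 203.40.240.2
    print("Reply delivered to:", c.dst, c.dport)       # 172.16.1.50 40000
    print("Untracked reply:", cisco.inbound(Packet("198.51.100.7", 443, "203.40.240.2", 5000)))
```

If the model's round trip succeeds but the real one does not, the difference is somewhere the model ignores: the Cisco's inside-source ACL or NAT pool not covering 192.168.1.10, a route for 172.16.0.0/20 leaking onto the Cisco, or state being kept on a different interface than the reply arrives on. The model's `inbound` returning None is exactly the outcome to look for in the Cisco's translation table when the return packets go missing.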
-
Thanks for the reply, johnpoz.
I agree, that is how I think it should work, i.e. the Cisco would not know about the double NATing.
Oddly, I can get traffic FROM the internet to the network behind the pfSense and return data (i.e. NAT and PAT inwards to the pfSense), but not initiate connections from within.
Anyway, we have changed the LAN and WAN interfaces on the pfSense, made some other changes, and are routing traffic through two different internet connections.
To be honest, I am surprised the new network topology works, but it does.
I posted on the Cisco forum as well, but probably cannot action their suggestions as the unit is in production and I am not keen on changing the system drastically.
Thanks again for the reply.