Cannot get Public IP on LAN to connect without NAT



  • Hi All,

    I have 2 public IP subnets and I can't get pfsense to work the way I want to with them.  My goal is simply to disable NAT for the LAN side computers.  What everything I've seen says should work is to select Manual Outbound NAT rule generation (AON - Advanced Outbound NAT) and delete all the rules that come up, but when I do that I don't have Internet on any computers on the LAN side.  It works perfectly fine with Automatic NAT enabled, but then I of course have NAT enabled which is not desired.  I also made sure that I have firewall rules to allow all traffic on both the WAN and LAN interfaces.  Lastly I tried disabling the firewall/NAT altogether in System > Advanced > Firewall/NAT, but that didn't work either.

    The weird thing to me is that when I check the firewall logs, there doesn't seem to be any traffic coming from the computer I am testing with (and making configuration changes with) to the firewall at all.  I am able to ping google with the LAN port of pfsense, but not with any devices on the LAN, even though the LAN devices can contact the router.  I'm hoping someone can give me some insight into what could possibly be going on because I've been at this for a couple of weeks now and nothing seems to be working.


  • LAYER 8 Netgate

    Are you sure the LAN subnet is routed to the proper IP address on your WAN interface by the ISP?

    Rules on WAN have nothing to do with connections originated by your LAN hosts.

    And, yes, you would switch to Manual Outbound NAT and delete (or disable) all the rules with a source of the subnet with the public IP network. That would disable NAT on outbound connections.

    For inbound connections you don't use port forwards. You only use firewall rules passing the appropriate traffic to the appropriate destinations.



  • Are you sure the LAN subnet is routed to the proper IP address on your WAN interface by the ISP?

    I'm not 100% positive because I just requested it and haven't gotten it to work, but it works correctly with all other subnets they've done the first time.  I did try running a second gateway through another subnet that is currently in production, and it did not work there either, but I believe that was due to asymmetric routing issues due to some of the traffic issues I was getting.  That said, the "Bypass firewall rules for traffic on the same interface" didn't help the situation there.

    Rules on WAN have nothing to do with connections originated by your LAN hosts.

    Yeah, I get that.  Just something I tried after a couple of weeks with no progress.

    For inbound connections you don't use port forwards. You only use firewall rules passing the appropriate traffic to the appropriate destinations.

    I haven't done anything with port forwards, and an allow all any proto any address should be good for the rules, correct?


  • LAYER 8 Netgate

    @dakoellis:

    Are you sure the LAN subnet is routed to the proper IP address on your WAN interface by the ISP?

    I'm not 100% positive because I just requested it and haven't gotten it to work, but it works correctly with all other subnets they've done the first time.  I did try running a second gateway through another subnet that is currently in production, and it did not work there either, but I believe that was due to asymmetric routing issues due to some of the traffic issues I was getting.  That said, the "Bypass firewall rules for traffic on the same interface" didn't help the situation there.

    Rules on WAN have nothing to do with connections originated by your LAN hosts.

    Yeah, I get that.  Just something I tried after a couple of weeks with no progress.

    You've been futzing with this for weeks and haven't verified the route with the ISP?  I don't get it. Getting clicky clicky with things that make no difference certainly isn't going to help.

    (Is it "just requested" or "a couple weeks")

    For inbound connections you don't use port forwards. You only use firewall rules passing the appropriate traffic to the appropriate destinations.

    I haven't done anything with port forwards, and an allow all any proto any address should be good for the rules, correct?

    If that's what you want.  I would "pass any dest LAN subnet" instead. And you need to be sure LAN address is protected lest your webgui, etc., be exposed.

    PM the WAN interface address and the routed subnet and I'll traceroute it to see if it looks like it's being routed properly.  (I doubt it is or it looks like it would be working.)
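    An added illustration (not code from the thread or from pfSense) of the rule advice above: with first-match evaluation, "pass any dest LAN subnet" on WAN also passes traffic to the firewall's own LAN address unless a block rule for that address sits in front of it. Addresses are constructed RFC 5737 documentation values, not the poster's.

```python
# Added example, not from the thread: first-match evaluation of WAN rules on a
# routed public subnet, showing why "pass any dest LAN subnet" still needs a
# block rule for the firewall's own LAN address ahead of it.
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real ones.
LAN_NET = ipaddress.ip_network("203.0.113.0/24")      # public subnet routed to LAN
LAN_ADDR = ipaddress.ip_address("203.0.113.1")        # pfSense LAN address (webGUI)
LAN_HOST = ipaddress.ip_address("203.0.113.10")       # a server on the LAN
ANY = ipaddress.ip_network("0.0.0.0/0")

# A rule is (action, destination network, TCP port or None for any, description).
RULES_ALLOW_ALL = [
    ("pass", ANY, None, "pass any proto, any src, any dst"),
]
RULES_SUGGESTED = [
    ("block", ipaddress.ip_network("203.0.113.1/32"), None, "protect the LAN address"),
    ("pass", LAN_NET, None, "pass any dest LAN subnet"),
]
# Same two rules in the wrong order: the pass rule matches first, the block never fires.
RULES_MISORDERED = list(reversed(RULES_SUGGESTED))

def evaluate(rules, dst, port):
    """Modelled pf semantics: the first matching rule decides; traffic that
    matches no rule falls through to the implicit default deny."""
    dst = ipaddress.ip_address(dst)
    for action, net, rule_port, _desc in rules:
        if dst in net and (rule_port is None or rule_port == port):
            return action
    return "block"

def webgui_exposed(rules):
    """True if a host on the Internet could reach HTTPS on the LAN address."""
    return evaluate(rules, LAN_ADDR, 443) == "pass"

if __name__ == "__main__":
    for name, rules in [("allow all", RULES_ALLOW_ALL),
                        ("suggested", RULES_SUGGESTED),
                        ("misordered", RULES_MISORDERED)]:
        print(f"{name:10s} webGUI exposed: {webgui_exposed(rules)!s:5s} "
              f"server:80 -> {evaluate(rules, LAN_HOST, 80)}")
```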



  • OK, let me step back a bit.  I have been working on this for a couple of weeks on a subnet that I know is working (and other gateways I've tried work fine with).  I contacted my ISP to get another subnet when I did something that enabled me to see a bunch of the traffic was being blocked due to asymmetric routing.


  • LAYER 8 Netgate

    Then fix that I guess.  Nowhere near enough details to help you.



  • @Derelict:

    Then fix that I guess.  Nowhere near enough details to help you.

    I'm currently waiting on a reply from the ISP on verifying the route (this was implemented yesterday) but would the forwarding explain why the router would work with NAT enabled but not disabled?  I'm still fairly new to networking and have learned quite a bit through this process.


  • LAYER 8 Netgate

    If the subnet is not routed to you, yes. NAT would work, no NAT would not.
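    An added worked example (not from the thread) of why that is: a small model of the ISP's routing table with longest-prefix lookup, checking whether a reply to a LAN host's outbound packet gets back through pfSense with and without outbound NAT. Addresses and the ISP tables are constructed RFC 5737 documentation values, not the poster's.

```python
# Added example, not from the thread: why LAN hosts on a routed public subnet work
# with outbound NAT but go dark without it when the ISP has not pointed the subnet
# at the pfSense WAN address.
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), not the poster's real ones.
WAN_NET = ipaddress.ip_network("198.51.100.0/30")     # ISP link subnet
WAN_ADDR = ipaddress.ip_address("198.51.100.2")       # pfSense WAN address
LAN_NET = ipaddress.ip_network("203.0.113.0/24")      # public subnet used on LAN
LAN_HOST = ipaddress.ip_address("203.0.113.10")
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# ISP routing tables: network -> next hop ("connected", "upstream", or a router IP).
ISP_ROUTES_MISSING = {WAN_NET: "connected", DEFAULT: "upstream"}   # route never added
ISP_ROUTES_FIXED = {**ISP_ROUTES_MISSING, LAN_NET: str(WAN_ADDR)}   # routed to us
ISP_ROUTES_WRONG_HOP = {**ISP_ROUTES_MISSING, LAN_NET: "198.51.100.6"}  # wrong router

def longest_prefix(routes, dst):
    """Return the next hop of the most specific route covering dst, else None."""
    best = None
    for net, nexthop in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

def reply_reaches_lan(nat_enabled, isp_routes):
    """Does the reply to LAN_HOST's outbound packet make it back through pfSense?"""
    # With outbound NAT the remote end sees WAN_ADDR; without it, the LAN host itself,
    # and the remote end sends its reply to whichever source address it saw.
    src_seen = WAN_ADDR if nat_enabled else LAN_HOST
    nexthop = longest_prefix(isp_routes, src_seen)
    if nexthop == "connected":
        return src_seen in WAN_NET          # delivered directly on the ISP link
    # Anything else only reaches the LAN if the ISP forwards it to the pfSense WAN address.
    return nexthop == str(WAN_ADDR)

if __name__ == "__main__":
    for name, table in [("missing", ISP_ROUTES_MISSING), ("fixed", ISP_ROUTES_FIXED),
                        ("wrong hop", ISP_ROUTES_WRONG_HOP)]:
        print(f"{name:9s} NAT: {reply_reaches_lan(True, table)!s:5s} "
              f"no NAT: {reply_reaches_lan(False, table)}")
```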



  • OK, you were right, the route wasn't set up correctly :(  Everything is working perfectly now.  Thanks a bunch for your help!

