    1:1 NAT with Ubiquiti Restricted Guest Wifi

    jeffhammett:

      I have a Ubiquiti Wireless Access Point where I have enabled a guest wifi network on its own VLAN. I have the Ubiquiti Guest network feature enabled which adds ACLs to prevent clients from talking to any internal IP ranges.

      I've built the VLAN on the pfSense and everything is working just fine, the wireless guest clients get internet access but can't connect to any internal IPs.

      I now want to have those guest wireless devices use a different WAN IP than the rest of my networks. I have a VIP configured and have configured the 1:1 NAT for the Guest Wifi net using the IP of the VIP I want to use.

      When I do so the wireless clients lose all internet access.

      The client IP is 192.168.201.22
      The VIP I am using is 172.120.90.124

      In the state table I see:

      172.120.90.22:53155 (192.168.201.22:53155) -> 208.67.220.220:53

      Which looks to me like it is trying to use the wrong WAN IP.

      I have deleted and recreated the 1:1 NAT rule, and also recreated it with a different VIP; both do the same thing.

      I don't see any entries in the firewall log for this traffic.

      I thought about disabling the Ubiquiti Guest network ACLs and relying on the pfSense firewall, but I would prefer to prevent cross talk between clients on the guest wifi.

      Derelict (LAYER 8, Netgate):

        Why are you messing around with 1:1 NAT? Just create an outbound NAT rule that uses the proper VIP based on the source addresses of the traffic.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        jeffhammett:
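        As an added illustration (not from the thread or from pfSense's generated rules), pf.conf-style rules showing how a subnet-wide 1:1 NAT can yield the translated source seen in the question's state table, beside the source-based outbound NAT rule Derelict suggests. The WAN interface name em0, the guest /24, the catch-all rule, and the assumption that the 1:1 entry covered the whole guest subnet rather than one host are mine.

```pf
# Hand-written pf.conf-style illustration; assumptions: WAN interface em0,
# guest VLAN subnet 192.168.201.0/24, dedicated WAN VIP 172.120.90.124.
# The two sections are ALTERNATIVES, not meant to be loaded together.

# --- Section 1: what a subnet-wide 1:1 NAT entry turns into ---
# binat maps an internal network onto an external network of the SAME size,
# so host 192.168.201.22 becomes 172.120.90.22, which is consistent with the
# state-table line in the question:
#   172.120.90.22:53155 (192.168.201.22:53155) -> 208.67.220.220:53
# Unless the firewall also answers for 172.120.90.22 (e.g. a VIP on that
# address), replies to it never reach the firewall and clients lose Internet.
binat on em0 from 192.168.201.0/24 to any -> 172.120.90.0/24

# --- Section 2: the outbound NAT approach from the answer ---
# Source-based outbound NAT: every guest client shares the single VIP.
# nat rules are first-match, so the guest rule must sit ABOVE any catch-all
# (in pfSense Hybrid or Manual outbound NAT, order the guest rule first).
nat on em0 inet from 192.168.201.0/24 to any -> 172.120.90.124 port 1024:65535

# Catch-all for the remaining internal networks, using the WAN address.
nat on em0 inet from 192.168.0.0/16 to any -> (em0)
```

        After applying the outbound rule, the state table should show the guest client translated to 172.120.90.124 rather than a per-host address.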

          @Derelict:

          Why are you messing around with 1:1 NAT? Just create an outbound NAT rule that uses the proper VIP based on the source addresses of the traffic.

          Duh… thanks. That worked perfectly.
