Need help coming from ipCop

  • Hello,
    I have a running system with ipCop 1.4 and need to change to pfSense but I am stuck.
    Can you please have a look at my problem.

    My network:
    WAN connected to the router ( from the isp

    A network from a customer which is tricky, with a server and a router connected to the customer server ( via VPN.
    I can ping and

    In ipCop I have the following interfaces: /24  (Lan) /24  (Wan) /28 (Customer)

    At ipCop I made the following configuration in the rc.local file to make it work:

    # 1.
    ifconfig eth1:0
    # I am not sure if I need this line
    ifconfig eth2:0
    # 2.
    /sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source
    route add -net netmask gw

    In pfSense I assigned the IPs to the interfaces.

    em0 /24  = LAN /24
    em2 /28 = customer network 
    em3 /24 = WAN ( / 24)

    For the 1. statement I configured a Virtual IP / 24 on the em2 interface which I can ping.

    I cannot
    a) ping the server
    b) ping the server

    The firewall log doesn't give me a clue.

    Where do I start?

    Thank you

  • Do you want to NAT or route towards that customer network? With NAT you don't need (as many) routes on either side of the VPN, but you know, it's NAT ;)

    You said the customer network is a VPN, yet you configure a physical interface for it in pfsense?

  • Hello heper,

    here is my network:

    WAN /24 ----------  pfSense Hardware
                            |              |
                            |              |
    LAN1 /24 -------------- pfSense pfSense ----- LAN 2 /24
                                                  server customer
                                                  router customer ----- VPN ----- customer

    The first step for me is to be able to ping the server and the router.
    The second step would be to set up VLAN to reach the server at the customer side through VPN

    I cannot configure the server or router of the customer but I can ask the admin to do stuff.

    Do I have to NAT since the server probably doesn't know my LAN 1?
    If yes which NAT kind do I use?
    Is the problem that the uses probably the as default GW?

    Thank you

  • Hello.


    Is the problem that the uses probably the as default GW?

    I think so. I'd prefer to add a route to to direct traffic to /24 to pfSense LAN2. Or add such a route to the customer router, this should resolve both issues.

    If you want to resolve it by NAT add an outbound NAT rule:
    interface: LAN2
    source: any or what meets your needs
    destination: any or
    translation: interface address

    If it's practicable for you to set destination to any in this rule, this should also resolve the access issue to, otherwise add an additional NAT rule for it or use an alias including these two destination addresses.

  • Hello viragomann,

    that was it  :D :D :D :D :D

    Thank you so much.
    It was the NAT


  • Well, fine. But consider that NAT has a disadvantage: on the destination host you access over NAT you don't see the real source address, accesses always come from the pfSense LAN2 address. If this behavior doesn't matter for your purposes, it'll be okay. Otherwise routing is the better solution.

  • Hello viragomann,

    how would I route this if every client from has to be able to access the server?
    The pfsense interface has the IP

    What is the disadvantage from NAT vs routing?


  • For routing a static route at will be needed for to direct it to
    If you want to access more hosts in the customer's subnet you may also add this route on the customer's router (if it is the default gateway in its subnet).

    But for accessing over VPN there would be an additional static route necessary on this server, directing to the vpn servers address.

  • Hello viragomann,

    ok I start to understand the procedure.

    Am I right with this:

    since my pfSense ( is not the default GW for the customer Server ( and my LAN is

    NAT works fine but with routing don't I have to tell the server how to reach my LAN?

    Can this be done at my pfSense?

    Or has this to be done at the server or the router (default GW) of the net which is the router of the customer which I cannot access?


  • Hello,

    basically each host in the network communicates with other hosts in its own subnet directly. But if a host wants to address another one in a different subnet or network segment it sends the packets to the default gateway, which has to be defined in the network settings.

    The NAT rule you've added to pfSense translates the source addresses of the IP packets to the pfSense LAN2 address, which is a member of the same subnet as So response packets from the server are sent back to pfSense LAN2 and pfSense translates the destination address back to its original IP.

    Now, if you don't want NAT you can add a static route to the server to let it know that packets addressed to the subnet have to be directed to So packets to the server retain their original source address when they enter the subnet and the server sends its responses to the pfSense LAN2 interface, which forwards them to in the destination subnet.
    It should also work if this static route is added to the default gateway of, because the host directs packets to this if its destination subnet is unknown and the gateway will redirect them to pfSense. But you can't do this routing at pfSense.

    If there are only a few hosts in each subnet, you can do 1:1 NAT as a workaround on pfSense to distinguish source addresses on the destination host. But that's dodgy if you don't control both subnets.
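    As an added illustration of the reply path viragomann describes above (and of why the outbound NAT rule from the earlier answer works without any change on the customer side), here is a small route-lookup simulation. It is not code from the thread; the addresses are constructed placeholders, since the real ones were stripped from the posts.

    ```python
    import ipaddress

    # Constructed example addresses (the thread's real ones are not available):
    LAN1 = ipaddress.ip_network("192.168.1.0/24")     # questioner's LAN 1 behind pfSense
    LAN2 = ipaddress.ip_network("10.0.0.0/28")        # customer segment on pfSense em2
    PFSENSE_LAN2 = ipaddress.ip_address("10.0.0.14")  # pfSense address on LAN2
    CUSTOMER_GW = ipaddress.ip_address("10.0.0.1")    # customer router = server's default GW
    CLIENT = ipaddress.ip_address("192.168.1.50")     # a host on LAN 1 talking to the server
    DEFAULT = ipaddress.ip_network("0.0.0.0/0")


    def next_hop(routes, dst):
        """Longest-prefix match over (network, gateway) pairs; gateway None = on-link."""
        best = None
        for net, gw in routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best  # the default route guarantees a match


    def server_routes(static_route=False):
        """Routing table of the customer server; optionally with the static route."""
        routes = [(LAN2, None), (DEFAULT, CUSTOMER_GW)]
        if static_route:
            routes.append((LAN1, PFSENSE_LAN2))  # "LAN1 is reachable via pfSense LAN2"
        return routes


    def reply_path(use_nat, static_route):
        """Where the server sends its reply to a packet that came from CLIENT.

        With outbound NAT the server only ever sees PFSENSE_LAN2 as the source,
        which is on-link, so no route is needed. Without NAT the reply goes to the
        real source (CLIENT) and the server's routing table decides its fate.
        """
        src_seen = PFSENSE_LAN2 if use_nat else CLIENT
        _net, gw = next_hop(server_routes(static_route), src_seen)
        if gw is None:
            return "direct to pfSense LAN2"
        if gw == PFSENSE_LAN2:
            return "via pfSense LAN2"
        return "via customer router (no route to LAN1)"


    if __name__ == "__main__":
        for nat, route in [(True, False), (False, False), (False, True)]:
            print(f"NAT={nat!s:5} static_route={route!s:5} -> {reply_path(nat, route)}")
    ```

    The middle case is the one the questioner hit: replies leave for a gateway that has never heard of LAN 1, so pings time out and the pfSense firewall log stays empty.
    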

  • Hello,

    so I go with NAT because I cannot control the GW in the net.

    Thank you for your help. You saved me quite some time  :D :D

