Problems with NAT and Internet access
-
Hi Everyone,
I'm fairly new to pfsense and I could do with some pointers or help.
I have attached a zip filewith my network layout and IP configurations with this post. This is to allow you to understand the complexity of my network. I need help getting an Internet connection through to my clients/hosts on the LAN network. My WAN connects to a Cisco Router who queries an external proxy server(SquidGuard) for Internet.
My LAN has the following networks 10.240.17.0 /24, 10.240.32.0 /24, 10.240.33.0 /24 & 10.240.118.0 /24. I have configured VIP's to serve as gateways for all my LAN networks. I hope that this will not create problems for me because the real gateways are configured on the Cisco router with 10.240.17.1 being the real/main gateway and 10.240.32.1, 10.240.33.1 & 10.240.118.1 all being sub/virtual interfaces configured on the Cisco router.
My LAN rules are to allow all traffic, however, my WAN rules are to only allow HTTP traffic and the proxy traffic through.
My main problem I'm having is how do i get traffic from the LAN to flow through to the WAN then to the Cisco router. The only idea I have is that it somehow relates to NAT. How to use it in my network is what i need to find out and configure.
Could anyone please assist me??????
-
A zip? Really?
-
The jpg didnt want to upload dude.
-
Just attach them. I don't know of any in zip but clicking on that crap is how people get pwnd.
Everyone else attaches images. Figure it out.
No idea what you're trying to do with 10.240.17.0/24 on both sides.
-
You can not run the same network on both your wan and your lan?? This 10.240.17 derelict pointed out already..
And why would you be creating vips for these other networks?? These other networks should be vlans.. You don't run different layer 3 over the same layer 2..
How do you even get to that proxy - its on a different network than you even list on your cisco.
Where exactly are you natting even?? both your other router and your pfsense??
Why would you not just use a transit network to get to this other other from pfsense, and then pfsense can run whatever other networks you need on your network via vlans…
You work for the gov of South Africa??
inetnum: 164.146.0.0 - 164.146.255.255
netname: OPENET1
descr: Government of South Africa -
I'm with the others on this one. Interesting diagram but it makes zero sense. I can't tell where your LAN ends and your WAN begins for one thing. And it looks like your external (Gov't of S.Africa) address is defined as a loopback device!
I'd give this some long, hard thought before reposting your network config (Yes, you will need to repost it if you want any help with this). Indicate clearly where your LAN is located and the address blocks you're using for your LAN and WAN. You can't use the same networks on both.
-
Eish bro…...i wish it was that easy. So your suggestion is to incorporate vlans to pfsense??
-
Wish what was so easy, using vlans on pfsense yes it quite simple.. Piece of cake really, takes all of like 10 seconds to create a vlan..
Sorry dude but its a plain simple fact, you don't just run different layer 3 networks over the same wire by just adding more IP with different masks on the interfaces..
And you sure and the hell do not run the same layer 3 on different sides of router/firewall.. How exactly do you think that is going to work..
edit: See attached… You run your multiple networks to pfsense via vlans, or sure you could use their own physical network switches and interfaces if you want to do it like many dod or gov networks run where vlans are not enough isolation. You then connect pfsense to your upstream router via a transit. You most likely should be natting where your rfc1918 space actually makes transition to public space. So guessing your cisco?
You create routes in the cisco to point pfsense transit network IP as gateway to get to those networks. There you go.. If you have some proxy that hangs off your cisco - ok, your clients could use that if they wanted to..
-
In your opinion…...how would you suggest i use vlans in my network???
-
Our LAN is everything behind the CISCO router.
-
I already gave you a diagram… for how you could use vlans... Without some actual useful drawing I could not really be more specific.
Why are you networks on right side of pfsense not already vlans?? You don't just add IPs to an interface and call it a day.. Sorry but whoever did that should not be getting paid to do networking support.
What switching infrastructure do you have? What is the make and model of your switches?? How many interfaces does pfsense have? You can breakout your networks with or without tagging.. So while you tag the vlans in your network, to pfsense they could be native untagged networks, etc..
I would be more than happy to put a diagram together if had some better understanding of your network than that mess you posted. And again you CAN NOT expect it to work how you have it shown.. You can not put the same network on 2 sides of a router and expect it to route.. if you want to the gateway for your networks to be your cisco - you could do that too, pfsense could be just a transparent firewall, etc..
How you have it drawn is BROKEN!!! You mention you have sub interfaces defined on cisco, are they not vlan tagged already? YOu can not just create sub interfaces on cisco without using vlan.. That is broken setup... When you create the sub interface... lets call ig gi0/0.1 you would put a vlan tag on it with Encapsulation dot1q 10 for example..
-
So per our PMs - Attached is how you could test migration to pfsense and vlans
Your existing network is on the top part, add pfsense to one of your existing switches, pfsense would have an IP from your existing network and would use this as transit. It would then nat to some new network you create behind pfsense, you could even create vlans here.
Then put some test machines behind pfsense and make sure they can use the internet. Once that works you could just move all your stuff to these new networks..
-
Currently I have my test environment setup as in your drawing.
-
And how its it going? Where you dont use the same network on both sides and just let pfsense use its own network behind and nat?
