Internal IPs cannot reach External IPs on same subnet not issued by pfsense.
-
Hello,
I'm having a terrible time with NAT and internal IPs and I'm hoping for a little help here :).
Every internal IP issued inside of pfSense also has an external IP 1:1 NATed via CARP IPs.
Not everything is IP'd behind pfSense. There are some things that are connected to the same switch that we just issue an IP so the traffic doesn't go through the pfSense box. These external IPs are a part of the same /24 that pfSense uses to 1:1 NAT to the internals behind pfSense.
When I MTR an external IP not issued by pfSense I get a "no route to host" error.
Any ideas how to fix without making the other servers be behind pfsense?
Thanks,
Tom
Example:
Internal PFsense IP to External not Behind Internal:
[root@xxx.xxx.xxx.20/192.168.1.20 ~]# traceroute xxx.xxx.xxx.102
traceroute to xxx.xxx.xxx.102 (xxx.xxx.xxx.102), 30 hops max, 60 byte packets
1 PFSense1-XXXX1-X1.XXXXX.com (192.168.1.1) 0.211 ms 0.181 ms 0.196 ms
2 PFSense1-XXXX1-X1.XXXXX.com (192.168.1.1) 0.301 ms !H 0.289 ms !H 0.276 ms !H
External NOT PFSENSE to Internal-External CARP-IP:
[root@xxx.xxx.xxx.102/ ~]# traceroute xxx.xxx.xxx.20
traceroute to xxx.xxx.xxx.20 (xxx.xxx.xxx.20), 30 hops max, 60 byte packets
1 PFSense1-XXXX1-X1.XXXXX.com (xxx.xxx.xxx.2) 0.214 ms 0.207 ms 0.202 ms
2 192.168.1.20 (192.168.1.20) 0.409 ms 0.506 ms 0.503 ms
Internal pfSense IP to External NAT 1:1 CARP-IP:
[root@xxx.xxx.xxx.20/192.168.1.20 ~]# traceroute xxx.xxx.xxx.24
traceroute to 172.245.127.24 (xxx.xxx.xxx.24), 30 hops max, 60 byte packets
1 PFSense1-XXXX1-X1.XXXXX.com (192.168.1.1) 0.351 ms 0.318 ms 0.305 ms
2 192.168.1.24 (192.168.1.24) 0.947 ms 0.942 ms 0.929 ms
-
A.) What are you trying to actually do here?
B.) I can't tell what you're using for internal/external IP ranges here, and your description seems contradictory. Post a network diagram, showing your devices (firewalls, routers, networks, etc) complete with IP ranges.
C.) Provide screen shots (not text) of your firewall rules and NAT rules.
D.) Be specific about your routing, networks and what you're trying to get working. Mind-reading hats are a rarity these days and mine's in the shop for repairs.
-
I am also confused… What are you doing here??
1 PFSense1-XXXX1-X1.XXXXX.com (192.168.1.1) 0.211 ms 0.181 ms 0.196 ms
2 PFSense1-XXXX1-X1.XXXXX.com (192.168.1.1) 0.301 ms !H 0.289 ms !H 0.276 ms !H
Why would you have 2 hops going to the same IP?
Trying to use NAT reflection is a bad idea. If you have outside IPs that you're NATing to inside IPs, that is fine. Why would you try and traceroute to the public IP from inside pfSense, or even from pfSense, if that IP is directly on pfSense?
With muswellhillbilly here - a drawing and full info is very helpful in helping you do whatever it is you're wanting to do.
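The three traceroute runs in the original post are easier to compare once they are reduced to "which address answered, and did it answer with an ICMP host-unreachable". The script below is an added example by the editor, not code posted by Tom or by the repliers and not part of pfSense. It parses Linux-style traceroute output, records the `!H` annotation (traceroute's marker for an ICMP host-unreachable reply, as opposed to the usual time-exceeded reply), and checks each target against an assumed WAN subnet and an assumed 1:1 NAT table. The public /24 in the post is masked, so the RFC 5737 documentation range 203.0.113.0/24 stands in for it; the hostnames, the NAT mappings and the three captures are constructed to mirror the post, not taken from a real network.

```python
"""Summarise traceroute output against a pfSense WAN subnet and 1:1 NAT table.

Added example; not code from the forum thread or from pfSense. Values below
are assumptions: 203.0.113.0/24 stands in for the masked public /24.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed WAN /24 and assumed 1:1 NAT mappings (CARP VIP -> internal host).
WAN_SUBNET = ipaddress.ip_network("203.0.113.0/24")
ONE_TO_ONE_NAT: Dict[str, str] = {
    "203.0.113.20": "192.168.1.20",
    "203.0.113.24": "192.168.1.24",
}

# Constructed captures modelled on the three runs in the post (hostnames invented).
TRACES = {
    "internal_to_unmanaged_public": """\
traceroute to 203.0.113.102 (203.0.113.102), 30 hops max, 60 byte packets
 1  pfsense1.example.com (192.168.1.1)  0.211 ms  0.181 ms  0.196 ms
 2  pfsense1.example.com (192.168.1.1)  0.301 ms !H  0.289 ms !H  0.276 ms !H
""",
    "external_to_carp_vip": """\
traceroute to 203.0.113.20 (203.0.113.20), 30 hops max, 60 byte packets
 1  pfsense1.example.com (203.0.113.2)  0.214 ms  0.207 ms  0.202 ms
 2  192.168.1.20 (192.168.1.20)  0.409 ms  0.506 ms  0.503 ms
""",
    "internal_to_carp_vip": """\
traceroute to 203.0.113.24 (203.0.113.24), 30 hops max, 60 byte packets
 1  pfsense1.example.com (192.168.1.1)  0.351 ms  0.318 ms  0.305 ms
 2  192.168.1.24 (192.168.1.24)  0.947 ms  0.942 ms  0.929 ms
""",
}

HEADER_RE = re.compile(r"^traceroute to \S+ \((\d+\.\d+\.\d+\.\d+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)(.*)$")
FLAG_RE = re.compile(r"!([A-Z]+|\d+)")  # traceroute annotations such as !H !N !X


def parse_traceroute(text: str) -> dict:
    """Return {'target': ip, 'hops': [{'n', 'name', 'ip', 'flags'}, ...]}."""
    target: Optional[str] = None
    hops: List[dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            n, name, ip, rest = m.groups()
            # Hop N shows whoever answered the TTL=N probe; flags say how it answered.
            hops.append({"n": int(n), "name": name, "ip": ip,
                         "flags": set(FLAG_RE.findall(rest))})
    if target is None:
        raise ValueError("no traceroute header line found")
    return {"target": target, "hops": hops}


def classify(trace: dict, wan_subnet=WAN_SUBNET, nat_table=ONE_TO_ONE_NAT) -> dict:
    """Relate a parsed trace to the WAN subnet and the 1:1 NAT table."""
    target = trace["target"]
    internal = nat_table.get(target)
    result = {
        "target": target,
        "in_wan_subnet": ipaddress.ip_address(target) in wan_subnet,
        "nat_internal": internal,          # None when no 1:1 mapping exists
        "status": "incomplete",
        "reported_by": None,
        "rejected_by_first_hop": False,
    }
    first_hop = trace["hops"][0]["ip"] if trace["hops"] else None
    for hop in trace["hops"]:
        if "H" in hop["flags"]:
            # An ICMP host-unreachable came back from this hop instead of a forward.
            result["status"] = "host-unreachable"
            result["reported_by"] = hop["ip"]
            # Same address as hop 1 means the default gateway itself refused it.
            result["rejected_by_first_hop"] = hop["ip"] == first_hop
            return result
    last = trace["hops"][-1]["ip"] if trace["hops"] else None
    result["reported_by"] = last
    if last == target:
        result["status"] = "reached"
    elif internal is not None and last == internal:
        # The final reply carried the internal address of the 1:1-mapped host.
        result["status"] = "reached-internal-side"
    return result


def summarize(traces=TRACES) -> Dict[str, dict]:
    """Classify every constructed capture; keyed by capture name."""
    return {name: classify(parse_traceroute(text)) for name, text in traces.items()}


if __name__ == "__main__":
    for name, verdict in summarize().items():
        print(f"{name:32s} {verdict['status']:24s} via {verdict['reported_by']}")
```

Run on the constructed captures, the first trace comes out as `host-unreachable` reported by 192.168.1.1 with `rejected_by_first_hop` set, which is what the repeated hop in the post shows: the gateway answered the TTL=2 probe with an ICMP error instead of forwarding it. The other two come out as `reached-internal-side`, because the last reply carried the internal address from the 1:1 mapping rather than the CARP VIP that was traced.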