Not sure of settings to use in NAT? Newbie
-
I want pfSense to do a NAT translation for all traffic from our network that is going to the Internet to be translated to 10.5.35.131 (the 10.5.35.131 address is pfSense's WAN address btw). For instance we have a 10.2.0.0 network and I am trying to figure out how to route that traffic out to the Internet via the 10.5.35.131 address. Down below I have posted what our routes look like, along with a NAT I tried to do, but think is probably wrong. Also initially it was set to automatic outbound NAT rule generation and it made so many and I'm wondering if I should delete some of these?
Thanks for any help given!
![pfSense routes.png](/public/imported_attachments/1/pfSense routes.png)
![pfSense gateways.png](/public/imported_attachments/1/pfSense gateways.png)
![pfSense outbound NAT rule I modified.png](/public/imported_attachments/1/pfSense outbound NAT rule I modified.png)
![pfSense outbound automatic NAT a.png](/public/imported_attachments/1/pfSense outbound automatic NAT a.png)
-
Kind of a lot going on there Tigger. Without digging in too deep, let me make the following observations:
Your WAN is private, so I'm assuming you made up the number to obscure your real IP, or there is another device which will NAT to a public. You probably don't need rules NATing on the LAN interface, you probably want them on the WAN.
The destination network in the NAT should be *, not the WAN subnet. It's the destination of the traffic, which is probably the Internet.
You don't normally need static checked.
Try setting NAT back to automatic and see if it works. In most situations it does.
-
Thanks for your input dotdash. I did set it back to automatic. One issue also is that our other routers in our network are using OSPF and at first my pfSense wasn't. Someone told me in order for pfSense to get our internal network out to the Internet we should also do OSPF on pfSense so I did add that, but it isn't showing any neighbors. I looked in our pix which is the LAN gateway of pfSense and it's on a different CIDR - it's on a /29 and pfSense is on a /28 so I think that's another issue. Someone in the group I'm working in said they didn't think it was necessary to run OSPF on pfSense - just to add some static routes, but I tend to disagree. What is your take on all of this? Shouldn't our pfSense VM run OSPF also since our other routers on the network are? :-[
![pfSense automatically created NAT.png](/public/imported_attachments/1/pfSense automatically created NAT.png)
![OSPF info in pfSense.png](/public/imported_attachments/1/OSPF info in pfSense.png)
-
" Shouldn't our pfSense VM run OSPF also since our other routers on the network are?"
Depends on how exactly and where in your network you're trying to implement pfsense.
Why would your "LAN" have a gateway?? Do you have downstream networks from pfsense? Sure hope you didn't set this as the gateway on your LAN interface, and created an actual gateway pointing there for the networks that are behind that you need to get to… That is not how you get to the internet, is it?
Yeah, having a mask of /28 and something you're trying to talk to on the same segment with a /29 is going to be wrong for sure..
Why don't you explain how you're wanting to use pfsense in your network, and draw up something to go on where it's placed in your network.
-
Thanks johnpoz! Here is a pic of our network. Now in this pic where the 192.168.100.0 networks are even though it says /29 there he told me he had carved it out to a /28 and so that is what I put on pfSense, yet on his pix he still has it as a /29. There is also a pic of how in the pix he still has a /29 address.
![Collin's network a.png](/public/imported_attachments/1/Collin's network a.png)
![Collin's network b.png](/public/imported_attachments/1/Collin's network b.png)
![Collin's network c.png](/public/imported_attachments/1/Collin's network c.png)
![CNT 4931 Shows Slash 29 Still in Pix.jpg](/public/imported_attachments/1/CNT 4931 Shows Slash 29 Still in Pix.jpg)
![2POC_addressing Collin.png](/public/imported_attachments/1/2POC_addressing Collin.png)
-
So what is going to be behind your pfsense? That is what you do not show.. Seems like it's going to be a new network. Are you going to just NAT to the stuff behind pfsense or are you going to be an actual part of the network? Are you going to have multiple networks behind pfsense?
He gave you a transit network of /28, what is the network you're going to have behind pfsense if you're not NATting? I see like home using a 10.2.11 and branch using 10.3.11. If you're not going to NAT, and he just gave you 1 /28 to work with, then you're going to have to NAT.. Unless you have only a handful of hosts and you want to run pfsense in transparent bridge mode?
If you're going to NAT then there is no point in running a routing protocol. To be honest if you only have a couple of networks behind pfsense there is little reason to run OSPF in such a small setup that all seems to be controlled. Where routing protocols help is when you have a very dynamic network where new networks might pop up all over and you're not really in control of the IP space so there can not be any order to what IP ranges are used where. Because if there were, it's very easy to manage with a few static routes.
You might want to run a routing protocol if you have more than 1 path to get somewhere, and you could use the route advertisements as a way to know which paths are up, etc..
I don't see anything in that network that says hey routing protocol warranted that is for sure…
But if you want to talk to his pix then yes your masks should really match.. You can get lucky if IPs bleed over depending on the mask sometimes.. But in general yes masks on interfaces connected to each other need to be the same, or you're not actually in the same network.
Is he leaving those IPs the same and just changing the mask? If so .96 was his /29 network and sure he can flip that to a /28 if the next /29 was not being used anywhere. If he is on .97/29 and you put in .98/28 that should be able to talk actually. Not correct, but it might talk.
If you point the pfsense gateway to his .97, and you NAT, you should be able to get to wherever you want to go in that network that you're allowed. It's possible he hasn't let you anywhere yet with firewall rules on his pix? Or he has not even changed the network yet.
Can you ping that .97 address?
-
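Editor's added example (not from anyone in the thread): the mask-mismatch reasoning in the post above, worked out with Python's ipaddress module. The .97/29 and .98/28 addresses are the ones quoted in the thread; the .105 test host is constructed.

```python
import ipaddress

# Addresses quoted in the thread: the PIX side of the transit link is .97/29,
# the pfSense LAN side was configured as .98/28.
PIX_IF = "192.168.100.97/29"
PFSENSE_IF = "192.168.100.98/28"


def check_pair(a_cidr, b_cidr):
    """Model what each side believes about the other on a shared segment.

    A host only ARPs for (and answers directly to) addresses inside the
    subnet on its own interface; anything else is handed to its gateway.
    The link works in practice only when BOTH sides see each other on-link.
    """
    a = ipaddress.ip_interface(a_cidr)
    b = ipaddress.ip_interface(b_cidr)
    a_sees_b = b.ip in a.network
    b_sees_a = a.ip in b.network
    return {
        "same_network": a.network == b.network,   # the "correct" state
        "a_sees_b_on_link": a_sees_b,
        "b_sees_a_on_link": b_sees_a,
        "can_talk": a_sees_b and b_sees_a,        # "not correct but it might talk"
    }


def swallowed_blocks(cidr, orig_prefixlen):
    """Which original-size blocks a widened mask absorbs.

    Flipping 192.168.100.96/29 to a /28 also claims 192.168.100.104/29, so
    that block must not be in use anywhere else (per the assignment quoted
    later in the thread, .104 is Group 4's 'public' /29).
    """
    net = ipaddress.ip_interface(cidr).network
    return [str(n) for n in net.subnets(new_prefix=orig_prefixlen)]


def hosts_only_one_side_sees(wide_cidr, narrow_cidr):
    """Addresses the /28 side treats as on-link but the /29 side does not.

    A host placed at one of these talks to .97 directly, while .97 sends
    its replies to its own gateway instead: one-way reachability.
    """
    wide = ipaddress.ip_interface(wide_cidr).network
    narrow = ipaddress.ip_interface(narrow_cidr).network
    return [str(h) for h in wide.hosts() if h not in narrow]


if __name__ == "__main__":
    print(check_pair(PIX_IF, PFSENSE_IF))
    print(swallowed_blocks(PFSENSE_IF, 29))
    print(hosts_only_one_side_sees(PFSENSE_IF, PIX_IF))
    # Constructed example host behind pfSense at the top of the /28:
    print(check_pair("192.168.100.105/28", PIX_IF))
```
-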
We are trying to have our entire network route through pfSense out to the Internet. We have several static routes added to pfSense right now. Also I need to use this for web content filtering and monitoring and I'm sure the only way to test if that will work is to have Internet. We also have to be able to go out to this site of 192.168.9.9 which is our professor's server. Attached are the routes we have and btw yes pfSense can ping the pix address of 192.168.100.97, but the other day after the guy made changes in the pix or whatever he did, he could not ping my pfSense box. We have pfSense on a VM inside an ESXi server and also in our network as the previous pics show are some Cisco routers and switches, etc.
![pfSense routes.png](/public/imported_attachments/1/pfSense routes.png)
-
Well to be honest pfsense is not in the correct location to use it as your gateway for your whole network.. Where is your connection to the internet? I don't see it on your drawings.
As to pinging the pfsense WAN IP.. Did you allow that on the pfsense WAN rules?
Why would you be creating routes to all those networks to the same place??? For you to get to those networks through him, he has to know how to go there.. So all you need is a default route to him.
If pfsense is going to be the NAT device to the public internet that is fine.. But you don't need to NAT inside your own network to talk to other RFC1918 space.. If you have some other device that is your connection to the internet doing NAT then yes it would need to send the traffic to services you want to host out to the internet behind pfsense. But you do not need to NAT at pfsense to do that.
-
See in the network topology drawing where it says FSCJ Network? That is the nic that would go out toward the Internet and pfSense's WAN address of 10.5.35.131 is pointing out that way.
The LAN address of pfSense which is 192.168.100.98 is pointing out towards where it says Network. Also we were wanting to do a default route out of pfSense's WAN connection, but it doesn't appear to let you do it at least the typical way of 0.0.0.0 0.0.0.0? When I tried to put a route like that in, the drop down only had 1-128? Btw I don't know if any of this would be helpful to you to understand what I'm trying to do, but this is what our professor gave us to do -
You are to take the design you have come up with for the Temporary Staffing Agency and modify for the equipment available. You are to create a proof of concept showing how you would use that equipment at the main location, branch location, and for a teleworker. Other than the four specific requirements that you were given specifically in the design phase, the project parameters have been specifically and intentionally open so as to allow for freedom of thought and creativity. Be creative and imaginative, but also make sure it works and is secure!
Each station has three connections: cloud, network and remote.
Cloud
IPv4 connectivity
o Your internal networks are yours to design. Document!
o Your interface connecting to the cloud will use
Group 1 192.168.150.22/30
Group 2 192.168.150.26/30
Group 3 192.168.150.30/30
Group 4 192.168.150.34/30
Group 5 192.168.150.38/30
o NAT/PAT. Your 'public' address will be 192.168.100.X/29. For Group 1 X=80, for Group 2 X=88, for Group 3 X=96, for Group 4 X=104, for Group 5 X=112. I know this is overkill based on the size of the networks.
IPv6 connectivity
o Within your network. Use 2001:0E00:X::/48 where X is your group number.
o To the ISP. Your interface connecting to the ISP will use 2001:0E00:0:X::2 where X is your group number. The ISP's connecting interface address will be 2001:0E00:0:X::1 where X is your group number.
Remote
Team 1 remote user - IPv4 10.0.2.200/30 - IPv6 2001:0E01:0:10::/64
• Router interface:
ip address 10.0.2.201 255.255.255.252
ipv6 address 2001:0E01:0:10::1/64
Link to Team 2 remote user - 10.0.2.204/30 - IPv6 2001:0E01:0:20::/64
• Router interface:
ip address 10.0.2.205 255.255.255.252
ipv6 address 2001:0E01:0:20::1/64
Link to Team 3 remote user - 10.0.2.208/30 - IPv6 2001:0E01:0:30::/64
• Router interface:
ip address 10.0.2.209 255.255.255.252
ipv6 address 2001:0E01:0:30::1/64
Link to Team 4 remote user - 10.0.2.212/30 - IPv6 2001:0E01:0:40::/64
• Router interface:
ip address 10.0.2.213 255.255.255.252
ipv6 address 2001:0E01:0:40::1/64
Link to Team 5 remote user - 10.0.2.216/30 - IPv6 2001:0E01:0:50::/64
• Router interface:
ip address 10.0.2.217 255.255.255.252
ipv6 address 2001:0E01:0:50::1/64
Network
The port labeled 'Network' is a direct connection to your group's ESXi server. You also have access to that ESXi server via the FSCJ network here at the ATC. Utilize the VMware vSphere client on any desktop here at the ATC. The address to connect is 10.5.35.1X0, where X is your group number. If you wish, you may utilize the next eight (8) addresses internally in your ESXi servers. For example, Group Five's IP address to connect is 10.5.35.150; and 10.5.35.151 - 10.5.35.158 could be utilized. Usernames are capstoneadmin; see me for each group's password.
Abyss Server
192.168.9.9
We were really wanting a default route to go out of pfSense's WAN address of the 10.5.35.131 to forward our networks out toward the Internet if that makes sense - like our 10.1.0.0, 10.2.0.0, etc. We wanted to point all of our routes out that way to get to the Internet. We wanted just to create I think a static route to the 192.168.9.9 address of his Abyss web server. Plus as far as the NAT goes someone else said that since pfSense has created automatically NAT rules they would leave them alone.
![Showing FSCJ Network and Network to Explain Where pfSense Nic is Pointing.png](/public/imported_attachments/1/Showing FSCJ Network and Network to Explain Where pfSense Nic is Pointing.png)
![CNT 4931 Pinged Pix.png](/public/imported_attachments/1/CNT 4931 Pinged Pix.png)
![CNT 4931 Gateways.png](/public/imported_attachments/1/CNT 4931 Gateways.png)
![CNT 4931 LAN Interface Settings.png](/public/imported_attachments/1/CNT 4931 LAN Interface Settings.png)
![CNT 4931 WAN Interface Settings.png](/public/imported_attachments/1/CNT 4931 WAN Interface Settings.png)
-
This is school work??
"Each station has three connections: cloud, network and remote."
Who would ever do that?? That is not how anyone in their right mind would set up connectivity to anything… Why would you multihome??
Dude, not going to do your homework for you...
-
Sorry I just am new to pfSense and don't understand some stuff. Thanks anyways.
-
More than happy to answer any questions about pfsense… But you really need to figure out how to do this if that is what you're in school for.
What specific questions do you have about pfsense? If you have freedom to design this network how you want... I sure wouldn't do it like you've shown in your drawings. KISS is your best friend..
Seems you're drawing up your lab as well.. Shouldn't you be designing the network how it would be done in the real world, if this is class work? What is the connection to this branch office supposed to be? Normally branch offices, HQ or home office and DC are not all connected via a switch ;) If that is how you're going to simulate connectivity, fine..
-
I'm sorry to be such a bother and also my issue is that this is group work and not everyone is helping everyone else. Two of the people are caught up in their own stuff and it was not my design, but another person's, so I am stuck. The person who came up with the network should be collaborating with me to get everything working, but too involved in adding other stuff like pix and ASA before making sure can get to Internet. Another group even looked at our stuff and thinks he has made some mistakes and not even sure what he has going on, so has been very difficult for me, especially when he thinks he knows everything. :-[
I need to figure out how to set a default route for one thing and from what I have seen I can't do it the typical Cisco way of 0.0.0.0 0.0.0.0 because under routing it only has a drop down of 1-128? I am just trying to find a way for my networks to go out through pfSense's WAN address of 10.5.35.131. Collin, the guy in our group, was thinking we could do a NAT translation for all traffic from our network that is going to the Internet to be translated to 10.5.35.131 (the 10.5.35.131 address is pfSense's WAN address btw). Sorry also for all the extra info about my group and that, but wanted to make you aware of what I'm up against. My part of this is really the web content filtering and monitoring and I have Squid and SquidGuard Proxy set up and feel the settings on that are right, but have to get to the Internet to even test it properly.
I also agree btw with your assessment of not doing it this way because I think Collin has made it way too complicated, but too late to change anything now. I believe he should've made things much simpler. The main thing we were to show was that we could connect to the 192.168.9.9 web server and have connectivity going out.
-
pfSense sets gateways in the gateway section, under System: Routing.
But that should have already been set when you created your WAN interface.. By default out of the box it's going to NAT all outbound traffic to whatever its WAN IP is..
Why are you using pfsense if you have a pix and/or ASA? pfSense would be a replacement for those devices.
-
I agree also with your comment about that pfSense should be a replacement for both of those devices as it is not only a router, but a firewall. I think the guy in the group that is in charge of the actual routers and such did that trying to impress the professor imho. In fact the other day he was talking about taking out the pix and just using the ASA because he felt the 2 of them were causing issues with each other. I chose it myself to do web content filtering and monitoring. Yes currently under System:Gateways there are 2 - one showing WAN and one showing LAN. The WAN is set as default gateway. Under the Firewall:NAT Outbound it did automatically create some rules, but I am not sure really why it created them for WAN and LAN? I would think it should've only created them for the WAN as it is OUTBOUND after all? For instance see in this pic where it has 2 NAT rules created for WAN and 2 for the LAN? I had been wondering if I should maybe delete the LAN ones, but someone told me to leave them be because obviously based on the routes we entered pfSense felt the need to put them there.
![pfSense automatically created NAT.png](/public/imported_attachments/1/pfSense automatically created NAT.png)
-
Why do you have NATs on your LAN?? No, you do not need those..
pfSense most likely did that because you put a gateway on the actual interface in your LAN.. So it thinks it's a WAN connection and needs to be NATted… That is not how you would set it up...
LAN interfaces (your network) do not get a gateway set on them!! Or pfsense thinks they are WAN sort of connections. If you need to get to downstream networks then you would create a gateway in the routing section.
-
You are SO right about that part! Now that I just put none under upstream gateway for pfSense it now shows only WAN rules under the NAT. Thanks so much for that! I don't know why I had it like that. Thanks very much for helping me! I very much appreciate it! I will test some stuff later and let you know!
![Just Shows WAN on NAT Rules Now.png](/public/imported_attachments/1/Just Shows WAN on NAT Rules Now.png)