Routing or NAT issue



  • We recently installed a pfSense into our home network to test as a firewall.  Our basic design is a Cisco 3550 layer 3 switch which owns the routing for 10.10.2.x/24, 10.10.3.x/24 and 10.10.4.x/24 networks (these are more detailed on the attached visio diagram).

    We have configured the RIP routing service on the pfSense box and the switch so that both systems know about the routing.  The pfSense LAN segment is configured in the 10.10.2.x network (temporarily, so that we may have internet access) and any user in the 10.10.2.x segment is allowed outside the network.  However, users in the 10.10.3.x or 10.10.4.x networks are unable to access the internet.  They are able to ping the pfSense's LAN interface (10.10.2.100), but are unable to get past that point.

    Furthermore, sourcing a ping from the pfSense's WAN interface to the 10.10.3.x/24 subnet returns a successful reply.  So things are coming back into the network just fine, but they are not leaving it properly.

    I think this might be a NAT or firewall issue not allowing those other networks outside.  The pfSense's routing table does see the 10.10.3.x and 10.10.4.x networks but they are unable to access anything outside of the LAN.

    If anyone has any idea how to make this work in this situation I would greatly appreciate the help.  The reason we have the layer 3 switch is so that we don't have to do dot1q trunking in a "router on a stick" sort of design.  As I stated earlier I am attaching a diagram of how our network is designed/cabled.  Thanks for everyone's help!

    -Mark
    ![home network.JPG](/public/imported_attachments/1/home network.JPG)



  • I think you need to set up Advanced Outbound NAT for the 10.10.2.x/24, 10.10.3.x/24 and 10.10.4.x/24 nets; pfSense by default NATs only the LAN-type networks directly connected to it.



  • I have made the changes that you suggested in your reply and unfortunately devices in the 10.10.3.x and 10.10.4.x subnets still cannot reach the internet.  Devices in the 10.10.2.x network can reach the Internet just fine.  Please see the attached screenshot of the outbound NAT configuration below.  Thanks for your reply.

    ![outbound nat.jpg](/public/imported_attachments/1/outbound nat.jpg)



  • I have fixed the issue.  In case anyone else is ever curious about setting up my solution: you also need to add firewall rules to permit traffic from your other networks to pass through.  Thanks for everyone's suggestions on this!

    -Mark

    ![firewall rules.jpg](/public/imported_attachments/1/firewall rules.jpg)
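The three pieces that the thread ends up needing (a return route, outbound NAT for the routed subnets, and LAN firewall rules that match those subnets) are easier to see written out in pf syntax than in GUI screenshots. The ruleset below is an added example, not taken from the thread or from pfSense's own generated rules; the interface names `em0`/`em1`, the switch address `10.10.2.1` and the static routes are assumptions for illustration (the original poster used RIP rather than static routes).

```pf
# Added illustration of the working configuration described in the thread.
# Interface names and the switch's LAN address are assumed, not from the post.
wan = "em0"               # assumed WAN interface
lan = "em1"               # assumed LAN interface, 10.10.2.100/24 on pfSense
l3switch = "10.10.2.1"    # assumed SVI of the Cisco 3550 on the LAN segment

# Every network that should be able to reach the internet through pfSense.
table <inside_nets> { 10.10.2.0/24, 10.10.3.0/24, 10.10.4.0/24 }

# 1. Return path. pfSense must have a route back to the subnets that live
#    behind the layer 3 switch, otherwise replies would be sent out WAN.
#    The thread uses RIP; the static-route equivalent on pfSense would be:
#      route add -net 10.10.3.0/24 10.10.2.1
#      route add -net 10.10.4.0/24 10.10.2.1
#    The successful WAN-sourced ping to 10.10.3.x shows this part already worked.

# 2. Outbound NAT. Automatic outbound NAT only translates networks directly
#    attached to pfSense ("LAN net" = 10.10.2.0/24). Packets from 10.10.3.x
#    and 10.10.4.x would otherwise leave WAN with private source addresses
#    and never get a reply, so the translation must cover all inside networks.
nat on $wan inet from <inside_nets> to any -> ($wan) port 1024:65535

# 3. Firewall rules on the LAN interface. The default rule pfSense creates is
#    "pass from LAN net to any", which matches only a 10.10.2.x source.
#    Traffic from the other subnets still arrives on em1 (the switch forwards
#    it there), but with a 10.10.3.x / 10.10.4.x source, so it hits the
#    default deny. This is why outbound NAT alone did not fix it.
block in log all
pass in quick on $lan inet from <inside_nets> to any keep state
pass out quick on $wan inet all keep state
```

After applying the equivalent in the GUI, `pfctl -sn` shows the NAT rules actually loaded, `pfctl -sr` the filter rules, and `netstat -rn` whether the 10.10.3.0/24 and 10.10.4.0/24 routes point at the switch; the "from <inside_nets> to any" pass rule mirrors the thread's permissive LAN rule and can be narrowed by destination or port once things work.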

