pfSense own internet access in a private IP/WAN+public IP/LAN scenario



  • Hi!

    My scenario is:

    • I have a public network segment (a /26).
    • My provider gives me a transport network (/30) where they are the gateway (10.a.b.1) and my pfSense WAN is 10.a.b.2.
    • I set NAT to AON
    • I set the LAN interface to the first public IP of my network segment

    All hosts from LAN have a public IP and use pfSense's public IP as gateway. They have an internet connection and that's all OK!!

    The problem is that pfSense itself can't find an internet connection because it tries to connect directly to its gateway (10.a.b.1). How can I tell pfSense that it has to use its LAN IP (public one) as a SRC-IP so the gateway will let it pass transit to the internet? If not, evidently my provider gateway won't pass any transit if SRC-IP is a 10.a.b.c.

    Thanks!!!


  • LAYER 8 Netgate

    ISPs sure do some wacky stuff. Have you asked for a public /30 for your WAN interface instead of that 10.x.x.x RFC1918 nonsense?

    I know if you split your /26 into two /27s, using one /27 (or a subnet of it) for VIPs on WAN and the other /27 on your LAN interface it would work. You would tell outbound NAT to translate all traffic originated on the firewall to one of the WAN VIPs.

    What I do not know is if you can assign the /26 to a LAN interface and, at the same time, use one or two addresses out of it as VIPs on WAN. I don't believe so. Anyone? I don't have time to lab it right now. The following leads me to think even more strongly that you cannot put them on WAN if it's routed:

    IP Alias VIPs: Can be bound to localhost on version 2.1 or later for binding services in routed subnets. IP Alias VIPs bound to localhost will synchronize via XMLRPC

    From https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

    The real answer is for them to route your /26 to a public /30. A workable second would be for them to NAT the 10. interface address somewhere so it would have outbound access.



  • Hi Derelict!

    Thanks for your answer.

    They say this is their usual way, with those /30 transport networks between routers…

    In fact, in Diagnostics -> Ping, pfSense can reach the internet if I select LAN as source address!

    If I leave the default, it cannot reach.

    So... can we "force" that? So pfSense always uses its LAN source address to connect to the internet (for updates, etc.).

    I must say that except this "small" fact (I only want that pfSense has internet access for its updates, packages, etc) the network is working pretty fine with this "weird" scenario.

    Thanks,


  • LAYER 8 Global Moderator

    so they gave you a rfc1918 transit.. Yeah that is wacky if you ask me..



  • Yes!

    It's weird but not impossible!

    Their core router has a static route that says "everything coming to 84.b.c.d/26 goes to 10.1.1.1/30", where 10.1.1.1 is the default gateway WAN of my pfSense.

    And my pfSense WAN address is 10.1.1.2/30.

    In LAN, pfSense has the first IP from the public range. And the servers have that IP as default gateway. And NAT turned off. And it works :)

    Thanks,



  • Hi,

    I think I've found the solution!!

    Adding an Outbound NAT rule:

    Do not NAT: Disabled
    Interface: WAN
    Source: Itself
    Dest: any
    Translation: Other Subnet: 84.b.c.d/32 (its public IP)

    And it works… :)

    Thanks,
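    For readers who prefer to see the rule in pf syntax, the following is an added illustration (not from this thread and not pfSense's exact generated output) of roughly what that Outbound NAT rule, plus the "do not NAT" behaviour for the LAN hosts, looks like in pf.conf terms. It assumes the WAN interface macro is $WAN with the /30 address from the thread (10.1.1.2) and that 84.b.c.d/26 is the public LAN range, both placeholders taken from the posts above.

```pf
# Added example, approximating the rules pfSense loads for the setup
# described in this thread. Placeholders: $WAN = WAN interface,
# 84.b.c.d/26 = the public /26 on LAN, 10.1.1.2/30 = the WAN address.

# LAN hosts already carry public addresses, so they must leave
# untranslated ("Do not NAT" for the /26). pf uses the first matching
# nat rule, so this goes first.
no nat on $WAN from 84.b.c.d/26 to any

# Traffic the firewall originates itself would otherwise be sourced
# from the RFC1918 WAN address (10.1.1.2), which the provider gateway
# will not forward. "(self)" matches every address configured on the
# firewall; rewrite the source to the firewall's public LAN address,
# which is the "Translation: Other Subnet: 84.b.c.d/32" from the post.
nat on $WAN from (self) to any -> 84.b.c.d/32
```

    After applying the rule, `pfctl -s nat` on the firewall shows the loaded NAT rules, and Diagnostics > Ping with the default source address is the quick check that firewall-originated traffic now gets out.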


  • LAYER 8 Netgate

    So you didn't enter a VIP in Firewall > Virtual IPs you just selected other and entered it there?

    Learn something new every day. Didn't know you could just enter an arbitrary address there. Good to know.



  • @Derelict:

    So you didn't enter a VIP in Firewall > Virtual IPs you just selected other and entered it there?

    Learn something new every day. Didn't know you could just enter an arbitrary address there. Good to know.

    Yes, that's it. Hard to explain… because it expects a network and I entered an IP (/32)...

    Packets matching this rule will be mapped to the IP address given here.
    To apply this rule to a different IP address than the IP address of the interface chosen above, select it here (Virtual IP addresses need to be defined on the interface first)

    Regards!

