Outgoing NAT on OPT1 and OPT2 won't work. I'm stumped.



  • Hi.

    I'm pretty sure this is a checkbox somewhere that I'm missing or something small. But so far, it's caused me some irritation :)

    This is on a SG-4860 running 2.3 Release.

    WAN interface works fine on a public IP/29
    LAN interface works fine on 192.168.0.1/24
    OPT1 and OPT2 are on 10.175.170.0/24 and 192.168.99.0/24 respectively.

    Both "don't work" in the same way. I'll just talk about 10.175.170.0/24

    • From the pfSense box, I can ping things within 10.175.170.0/24.
    • From 10.175.170.10 I can ping everything inside 10.175.170.0/24 except for
        the gateway 10.175.170.1. And of course I can't ping out, like 8.8.8.8.

    So far my main suspicion is outbound NAT. I'm using manual outbound NAT as
    I have a mail server and its mail has to go out on the right IP address.

    I've switched back to automatic to let the proper rules get generated, they were
    the same as the ones I had created.

    My outbound nat right now looks like this https://i.imgur.com/Qrrh807.png

    I'm stumped.

    Oh, the one other thing is that I have Pure NAT set for
    "NAT Reflection mode for port forwards". But I don't think that's related.


  • LAYER 8 Netgate

    I have a mail server and its mail has to go out on the right IP address.

    What is the inside address of the mail server? What address do you want it to egress using? Are you talking about only outbound connections or inbound and outbound? What is not working?

    Inability to ping 10.175.170.1 from 10.175.170.0/24 would be OPT1 firewall rules, not NAT.



  • What do the rules in OPT1 and OPT2 look like? Do you have any floating rules? If so, what do they look like?

    Thanks,

    Rhongomiant



  • @Derelict:

    I have a mail server and its mail has to go out on the right IP address.

    What is the inside address of the mail server? What address do you want it to egress using? Are you talking about only outbound connections or inbound and outbound? What is not working?

    Inability to ping 10.175.170.1 from 10.175.170.0/24 would be OPT1 firewall rules, not NAT.

    The inside address of the mail server is on the 192.168.0.0/24 network. It actually works fine. I only mentioned it to say why I had NAT reflection turned on.

    Re being able to ping 10.175.170.1 from inside: I guess I was making too many assumptions. See, from inside 192.168.0.0/24 I can ping 192.168.0.1 and I didn't create any specific rules to allow that. (But then again maybe the setup wizard does special things for LAN setup that I didn't do to my new interfaces?) (The VPN to that location right now is down so I can't check, and that's not a thing that I have any control over or I'd check)



  • Ah ha! I suspect if I was to add some rules here…

    https://i.imgur.com/HyZpcMu.png

    things would very quickly start working :)

    Trying it now. Bazzam. Thanks.


  • LAYER 8 Netgate

    The interface LAN created on install has default pass rules. Subsequently-created interfaces have no rules and pass no traffic.
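    Derelict's point, written out as a pf ruleset the way pfSense's generated rules behave. This is an added illustration, not text from the thread and not pfSense's actual generated ruleset (the interface macros and the rule labels are assumptions; pfSense writes its own rules from the GUI).

```pf
# Assumed physical interface names; pfSense uses the NIC names, not "LAN"/"OPT1".
wan  = "igb0"
lan  = "igb1"
opt1 = "igb2"

# Outbound NAT for OPT1 exists (this is what the manual/automatic NAT page
# shows), but translation only happens as traffic leaves $wan.
nat on $wan from 10.175.170.0/24 to any -> ($wan)

# pfSense is default-deny: anything not matched by a pass rule is dropped
# and logged. This rule is what an OPT1 host hits today.
block in log all

# Installer-created rule on LAN ("Default allow LAN to any"). This is why
# a 192.168.0.0/24 host can ping 192.168.0.1 and the Internet with no
# rules added by hand.
pass in quick on $lan from $lan:network to any keep state

# OPT1 gets no equivalent rule when it is enabled, so an echo request from
# 10.175.170.10 to 10.175.170.1 (or to 8.8.8.8) is blocked on ingress at
# $opt1 and never reaches $wan, where the NAT rule above would apply.

# The fix the thread arrives at, as a pf rule: an explicit pass rule on
# OPT1. Narrow "to any" to what that segment actually needs (for example
# DNS, mail and web) rather than mirroring the permissive LAN default.
pass in quick on $opt1 from $opt1:network to any keep state
```

    A quick check on the box itself: the firewall log (Status > System Logs > Firewall) shows the OPT1 ping hitting the default block rule before the rule is added, and `pfctl -sr` shows whether any pass rule mentions the OPT1 interface.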



  • Thanks for your pointers everyone. Everything is working fine now.

