  1. #1

    Join Date
    Jan 2012
    Posts
    108
    Thank Post
    0
    Thanked 1 Time in 1 Post
    Rep Power
    0

    pfSense Confusion

    Hello everyone,

    I am currently trialling pfSense on our school network, however, I have an issue that I can't get my head around and was just wondering if anyone out there has any ideas. Here is the setup:

    10.10.10.0/21 ---> pfSense ---> 10.208.208.0/21 ---> LEA Router

    I am currently unable to access the internet on the 10.10.10.0/21 network as I need to have NAT implemented due to the fact that the LEA Router does not know that the 10.10.10.0/21 network exists and we can't change the LEA Router to have a route to 10.10.10.0/21.

    Therefore, how would I set up NAT on the pfSense box so that everything behind it (in 10.10.10.0/21) has access to the internet?

    Many thanks.

    J.Worth

  2. #2

    Join Date
    Nov 2012
    Location
    Surrey
    Posts
    61
    Thank Post
    4
    Thanked 8 Times in 8 Posts
    Rep Power
    5
    Have you configured the firewall rules to use the right gateway?

  3. #3

    Sorry, my initial post was not that clear - I haven't yet managed to implement NAT as I am not sure how to go about doing this. I would like to have the following:

    WAN interface: 10.208.208.20
    WAN Virtual IP: 10.208.208.25 - This will be a web server running on the 10.10.10.0 network and LEA have opened a port to 10.208.208.25 (so requests for 10.208.208.25 will need to be forwarded to 10.10.10.10)
    WAN Virtual IP: 10.208.208.100 - This will be used for NAT

    Quote Originally Posted by Sibrows View Post
    Have you configured the firewall rules to use the right gateway?
    So after I have configured I can then do an "any to any" rule to allow the 10.10.10.0/21 network internet access using NAT?
    Last edited by J_Worth; 26th February 2014 at 12:45 PM.

  4. #4

    Ok so how far have you got with the configuration thus far?
    Have you defined your Interfaces?


    Quote Originally Posted by J_Worth View Post
    WAN Virtual IP: 10.208.208.25 - This will be a web server running on the 10.10.10.0 network and LEA have opened a port to 10.208.208.25 (so requests for 10.208.208.25 will need to be forwarded to 10.10.10.10)
    WAN Virtual IP: 10.208.208.100 - This will be used for NAT
    Both of these can be created as 'Virtual IPs' within the 'Firewall' section, and then under the 'NAT: Port Forward' options you can define the Destination address (10.208.208.25) to point to the NAT IP 10.10.10.10. If you leave the box ticked, pfSense will also put in the correct firewall rules.

    Quote Originally Posted by J_Worth View Post
    So after I have configured I can then do an "any to any" rule to allow the 10.10.10.0/21 network internet access using NAT?
    In short - Yes. We're using multiple WAN connections here, so I'm not 100% sure if you would need to define the gateway; I'm just aware that I had to.

    I'm not sure that I understand what you're trying to achieve

  5. #5

    Quote Originally Posted by Sibrows View Post
    Ok so how far have you got with the configuration thus far?
    Have you defined your Interfaces?
    I have defined the interfaces and have set one of them as the LAN interface and the other as the WAN.

    LAN interface: 10.10.10.1
    WAN interface: 10.208.208.20

    I'm not sure what kind of NAT I need to allow all the hosts in the 10.10.10.0/21 network access to the internet. Is that Outbound NAT, which is automatically done as default?

    Quote Originally Posted by Sibrows View Post
    I'm not sure that I understand what you're trying to achieve
    The LEA have given us a range of 10.208.208.0/21 and this is not big enough for us, as we want to VLAN and implement BYOD at some point. So we have decided to put a pfSense box in place so that we can use whatever range we want without it having any effect on the LEA. We want it so that, we have a huge amount of IP addresses available for us to use and everything going out to the internet is NAT'd through the pfSense box. And NAT is required as we have no routes to the 10.10.10.0/21 network on the LEA managed router.

    Secondly, we currently have two internet facing servers and the LEA has given us a public IP address that forwards to: 10.208.208.50 and 10.208.208.51 respectively. We want to bring these in behind the pfSense box so anything coming into 10.208.208.50, gets forwarded to any IP address the other side of the pfSense.

    I have only specified one VLAN (10.10.10.0/21) as the example.

    I hope that makes things a little bit clearer.

  6. #6

    Quote Originally Posted by sibrows
    I'm not sure that I understand what you're trying to achieve
    Sorry, I meant to remove that.

    Quote Originally Posted by J_Worth;
    The LEA have given us a range of 10.208.208.0/21 and this is not big enough for us, as we want to VLAN and implement BYOD at some point. So we have decided to put a pfSense box in place so that we can use whatever range we want without it having any effect on the LEA. We want it so that, we have a huge amount of IP addresses available for us to use and everything going out to the internet is NAT'd through the pfSense box. And NAT is required as we have no routes to the 10.10.10.0/21 network on the LEA managed router.
    Those were originally our requirements; we now also use the captive portal features combined with a separate SSID within the wireless system so staff can connect their phones etc. to the wifi.

    Quote Originally Posted by J_Worth;
    I'm not sure what kind of NAT I need to allow all the hosts in the 10.10.10.0/21 network access to the internet. Is that Outbound NAT, which is automatically done as default?
    All I needed to do to get this working was a firewall rule (on the internal interface) allowing all traffic (initially) to pass through the firewall using a specified gateway (as I explained earlier, we are using multiple WAN connections).

  7. #7

    No worries. Thank you for your help anyway, I'm sure I'll get it sorted. It'll be something simple and I'm making it sound overcomplicated (it's not!).

  8. #8
    ChrisH
    Join Date
    Jun 2005
    Location
    East Lancs
    Posts
    4,996
    Thank Post
    120
    Thanked 280 Times in 258 Posts
    Rep Power
    106
    You want Firewall > NAT > Outbound to set up NAT, and to publish your servers you use 1:1 NAT and then allow the ports on the WAN interface of the firewall.
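
The setup described in post #8, written out as rules for pf, the packet filter pfSense is built on. This is an added illustration, not output from pfSense and not configuration posted by anyone in the thread. The interface names `em0`/`em1` and TCP port 443 are assumptions (the thread never says which port the LEA opened), and `10.10.8.0/21` is the canonical form of the network the thread writes as 10.10.10.0/21.

```pf
# Constructed example in FreeBSD pf.conf syntax.
# Addresses are taken from the thread; interfaces and port are assumptions.

wan_if   = "em0"              # assumption: WAN NIC, 10.208.208.20
lan_if   = "em1"              # assumption: LAN NIC, 10.10.10.1
lan_net  = "10.10.8.0/21"     # the /21 containing 10.10.10.x (10.10.8.0 - 10.10.15.255)
nat_ip   = "10.208.208.100"   # WAN virtual IP used for outbound NAT
web_vip  = "10.208.208.25"    # WAN virtual IP the LEA forwards to
web_srv  = "10.10.10.10"      # internal web server
web_port = "443"              # placeholder: the thread does not name the port

# --- Translation ---------------------------------------------------------
# 1:1 NAT: the web server is reached as, and leaves as, the virtual IP.
binat on $wan_if from $web_srv to any -> $web_vip

# Outbound NAT: every other LAN host leaves as 10.208.208.100, so the LEA
# router only ever sees addresses inside its own 10.208.208.0/21 range.
nat on $wan_if from $lan_net to any -> $nat_ip

# --- Filtering (last matching rule wins) ---------------------------------
# Default deny on WAN. 1:1 NAT maps every port of the virtual IP to the
# server, so the pass rule below is the only thing limiting exposure.
block in log on $wan_if all

# Translation happens before filtering, so the destination seen here is
# the internal address, not the virtual IP.
pass in on $wan_if proto tcp from any to $web_srv port $web_port keep state

# LAN clients out. "Any to any" is fine for a first test; tighten the
# destination and ports once connectivity is confirmed.
pass in  on $lan_if from $lan_net to any keep state
pass out on $wan_if all keep state
```

Clients on the LAN still need 10.10.10.1 as their default gateway for any of this to take effect, which is the fault the original poster reports finding in post #9.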

  9. #9

    I found the issue - I stuffed up the Default Gateway IP address on my test client.

  10. #10

    Quote Originally Posted by ChrisH View Post
    You want Firewall > NAT > Outbound to set up NAT, and to publish your servers you use 1:1 NAT and then allow the ports on the WAN interface of the firewall.
    Thanks. That's cleared all my questions up.
