Hi again, I've tested this also. No success.

I can put anything into the first outgoing NAT rule for my 192.168.10.197 host, it simply is ignored altogether and packets from this host are routed directly out to the Internet via the local pfSense box. How come such a basic problem is so massively difficult?

My understanding is that all hosts on the local LAN are getting a default gateway set by my local pfsense (2.0.1 btw) box via DHCP. Traffic going anywhere is therefore first routed to the local pfsense box. This actually works as expected. But onwards from the pfsense box, I would expect that any packet travelling anywhere is first matched against the outbound NAT rules table. If there's an entry that matches a packet, then I would expect the pfsense box to apply whatever this rule says. But in my case, it simply does not.

I would really, really like to understand why this happens. Can anyone here explain this behaviour to me? Please...! I'm seriously losing sleep over this issue. Is there any way of debugging what happens on the pfSense box?

To answer an earlier question: automatic rules generation is turned off.

Nadine

-------- Original Message --------
> Date: Fri, 06 Apr 2012 19:06:19 +0200
> From: Klaus Wunder <[email protected]>
> To: pfSense support and discussion <[email protected]>
> Subject: Re: [pfSense] Several sites: How to route Internet-bound traffic of a host at site A through site B
>
> Hi,
> I think the IP in the NAT rule should be the IP of the Firewall of Site B.
> You can make a rule in the accesslist to deny the ip 192.168.10.197 to use internet from Site B.
>
> Kind Regards
>
> Klaus
>
> Nadine Schlüter <[email protected]> wrote:
>
> >Hi,
> >
> >the network at site A is 192.168.10.0/24. H is 192.168.10.197.
> >
> >Site B's network is 192.168.0.0/24.
> >
> >The tunnel (TUN1) between the two is
> >
> ><Site A> <-10.0.9.2--- tunnel ---10.0.9.1-> <Site B>
> >
> >The NAT rule (first in my NAT list) is:
> >
> >Interface: TUN1
> >Protocol: any
> >Source: Network 192.168.10.197/32
> >        Port <empty>
> >Destination: <all empty>
> >Translation: Interface address (so the IP should be 10.0.9.2)
> >        Port: <empty>
> >
> >Looks like this in the list (top two entries)
> >
> >Interface: TUN1
> >Source: 192.168.10.197/32
> >Source Port: *
> >Destination: *
> >Destination Port *
> >NAT Address: *
> >NAT Port *
> >Static Port No
> >Description Translate smack's traffic to TUN1 IP
> >
> >
> >Interface: WAN
> >Source: 192.168.10.0/24
> >Source Port: *
> >Destination: *
> >Destination Port *
> >NAT Address: *
> >NAT Port *
> >Static Port No
> >Description Translate 192.168.10.x to WAN IP
> >
> >To me it seems the new (first rule) is completely ignored and rule 2 is used.
> >
> >Cheers,
> >Nadine
> >
> >-------- Original Message --------
> >> Date: Fri, 6 Apr 2012 17:58:49 +0200
> >> From: Klaus Wunder <[email protected]>
> >> To: pfSense support and discussion <[email protected]>
> >> Subject: Re: [pfSense] Several sites: How to route Internet-bound traffic of a host at site A through site B
> >>
> >> Hi,
> >>
> >> what is your translation address in the NAT rule? The Interface Address of Firewall B?
> >> Have you disabled Automatic NAT rule generation?
> >>
> >> Kind Regards
> >>
> >> Klaus Wunder
> >>
> >>
> >> Sent from my iPhone
> >>
> >> On 06.04.2012 at 17:30, "Nadine Schlüter" <[email protected]> wrote:
> >>
> >> > Hi,
> >> >
> >> > I'm running several pfSense ALIX Boxes at different locations. Each box has a direct Internet connection (WAN) and runs OpenVPN Tunnels to other sites. Works all fine.
> >> >
> >> > Now I want to route all Internet-bound traffic of one (and only one!) host H from site A through site B's pfSense box to the Internet. Is there a way to do this?
> >> >
> >> > I tried setting up a special outbound NAT rule for H at site A's pfSense box, which essentially is <H's IP>/32 -> <Tunnel to site B Interface IP>. But this did not have any effect.
> >> >
> >> > Of course there is another NAT rule already in place that translates anything from site A's private network to the local WAN address. However, I put the special NAT rule for H as the first in the NAT rule list, hoping that it matches first and will therefore be preferred. However, if I traceroute from H to a machine outside (say 8.8.8.8) I can still see the traffic going out through site A's WAN interface - never getting into any tunnel.
> >> >
> >> > The tricky bit is that host H's traffic is for the Internet. I can reach hosts at other sites without problems (static routes and tunnel NATs in place).
> >> >
> >> > Has anyone here done this before? I would greatly appreciate some advice on this...
> >> >
> >> > Cheers,
> >> > Nadine

_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list
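The behaviour described in this thread follows from the order in which pf (the packet filter pfSense uses) handles a forwarded packet: the routing decision picks the egress interface first, and only the outbound NAT rules bound to that interface are then consulted. A rule on TUN1 is therefore never reached for a packet whose route lookup already chose WAN, regardless of its position in the NAT list; a policy-routing (route-to) firewall rule is what changes the egress interface. The following Python model is an added example written for this page, not code from the thread or from pfSense. It reuses the addresses quoted above (192.168.10.197 as H, 10.0.9.2/10.0.9.1 as the tunnel ends, 8.8.8.8 as the Internet destination) and assumes constructed values 203.0.113.1 and 203.0.113.10 for site A's WAN gateway and WAN address; it is a deliberately simplified model of pf's pipeline, not a reimplementation of it.

```python
"""Toy model of pf's routing-then-outbound-NAT order (constructed illustration).

Assumed simplification: a forwarded packet gets an egress interface from either
a policy route (pf 'route-to') or a longest-prefix lookup in the routing table,
and only the outbound NAT rules bound to that egress interface are evaluated.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    gateway: Optional[str]


@dataclass
class NatRule:
    iface: str                      # outbound NAT rules are bound to an interface
    source: ipaddress.IPv4Network
    translate_to: str
    description: str


@dataclass
class PolicyRoute:
    """A pass rule with a gateway set (pf 'route-to'); overrides the routing table."""
    source: ipaddress.IPv4Network
    iface: str
    gateway: str


# Site A routing table as described in the thread; WAN addresses are constructed.
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "WAN", "203.0.113.1"),    # default route
    Route(ipaddress.ip_network("192.168.0.0/24"), "TUN1", "10.0.9.1"),  # site B via tunnel
    Route(ipaddress.ip_network("192.168.10.0/24"), "LAN", None),
    Route(ipaddress.ip_network("10.0.9.0/30"), "TUN1", None),
]

# The two outbound NAT entries quoted in the thread, in the same order.
NAT_RULES: List[NatRule] = [
    NatRule("TUN1", ipaddress.ip_network("192.168.10.197/32"), "10.0.9.2",
            "Translate smack's traffic to TUN1 IP"),
    NatRule("WAN", ipaddress.ip_network("192.168.10.0/24"), "203.0.113.10",
            "Translate 192.168.10.x to WAN IP"),
]

# Policy route that sends only host H's traffic into the tunnel (the missing piece).
HOST_VIA_TUNNEL: List[PolicyRoute] = [
    PolicyRoute(ipaddress.ip_network("192.168.10.197/32"), "TUN1", "10.0.9.1"),
]


def pick_egress(src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address,
                policy_routes: Sequence[PolicyRoute]):
    """Return (iface, gateway): policy route first, else longest-prefix match."""
    for pr in policy_routes:
        if src in pr.source:
            return pr.iface, pr.gateway
    best: Optional[Route] = None
    for r in ROUTES:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    assert best is not None  # the default route always matches
    return best.iface, best.gateway


def outbound_nat(src: ipaddress.IPv4Address, iface: str,
                 nat_rules: Sequence[NatRule]) -> Optional[NatRule]:
    """First NAT rule bound to the egress interface whose source matches."""
    for rule in nat_rules:
        if rule.iface == iface and src in rule.source:
            return rule
    return None


def forward(src_str: str, dst_str: str, policy_routes: Sequence[PolicyRoute] = ()) -> dict:
    """Simulate forwarding one packet through site A's box and report the outcome."""
    src = ipaddress.ip_address(src_str)
    dst = ipaddress.ip_address(dst_str)
    iface, gateway = pick_egress(src, dst, policy_routes)
    rule = outbound_nat(src, iface, NAT_RULES)
    return {
        "egress": iface,
        "gateway": gateway,
        "src_after_nat": rule.translate_to if rule else str(src),
        "nat_rule": rule.description if rule else None,
    }


if __name__ == "__main__":
    print("no policy route:", forward("192.168.10.197", "8.8.8.8"))
    print("with policy route:", forward("192.168.10.197", "8.8.8.8", HOST_VIA_TUNNEL))
    print("other LAN host:", forward("192.168.10.5", "8.8.8.8", HOST_VIA_TUNNEL))
```

Without the policy route, H's packet to 8.8.8.8 takes the default route out WAN and is translated by the second NAT entry, exactly what the traceroute in the thread shows; with the policy route, the egress becomes TUN1 and the first NAT entry applies. In pfSense terms this corresponds to a LAN firewall rule for H's address with the OpenVPN gateway selected, placed above the general LAN pass rule, alongside the existing TUN1 outbound NAT entry. Site B's box must still pass and NAT the tunnel traffic it receives onto its own WAN; checking that on the remote side is the other half of the debugging.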
