pfsense 2.1

I have internal subnets in the 10.0.0.0/14 address space and also a
public subnet x.x.x.240/28 that is routed statically to pfsense's WAN
address. pfsense sits at the edge of the network and I have another
router whose only internet access is through pfsense. The x.x.x.240/28
public subnet is behind this second router, so pfsense has a static
route to that network through the other router. So the network looks
like this:

Internet
|
pfsense
|  (OPT1--10.0.0.18/30)
|
router (WAN--10.0.0.17/30, gw--10.0.0.18)
|  (LAN--x.x.x.254/28)


pfsense's first outbound NAT rule translates source 10.0.0.0/14 to the
WAN IP address. The second router does no NAT.

When I do a packet dump on pfsense's WAN, I see packets like this:

tcpdump -n -i pppoe0 net 10.0.0.0/8
09:31:19.923384 IP 10.0.0.17 > 182.150.115.24: ICMP host x.x.x.246 unreachable, length 68
09:32:10.850594 IP 10.0.0.17 > 93.174.93.67: ICMP host x.x.x.250 unreachable, length 48


The addresses x.x.x.250 and x.x.x.246 are not currently in use on this
network, although they belong to me, so my interpretation is that the
internal router is correctly responding to attempts by outside hosts
to connect to those addresses. What I don't understand is why pfsense
is passing those packets onto the WAN with the 10.0.0.17 source IP
address unaltered.

Shouldn't the outbound NAT rule act on these? Am I not breaking
RFC1918 by sending these packets onto the internet? Is there a better
way to handle this situation?

db
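One way to check a WAN-side capture for exactly the symptom described in the post (packets leaving the WAN interface with an RFC1918 source address that the outbound NAT rule did not rewrite) is to run the `tcpdump -n` output through a small parser and flag every line whose source falls in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16. The script below is an added example, not part of the original message or of pfSense; the sample lines are constructed for the example (the first two copy the post, the rest are made up) and the function and variable names are my own.

```python
import ipaddress
import re

# RFC1918 private ranges. Any packet egressing the WAN with one of these as its
# source address has escaped outbound NAT and will be dropped (or logged) upstream.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# tcpdump -n prints "<time> IP <src> > <dst>: <rest>". For TCP/UDP the port is
# appended to the host as ".<port>", so the host may carry five dotted fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")

# Constructed sample capture: the two ICMP lines from the post plus a normally
# translated TCP exchange (203.0.113.5 stands in for the WAN address).
SAMPLE_LINES = [
    "09:31:19.923384 IP 10.0.0.17 > 182.150.115.24: ICMP host x.x.x.246 unreachable, length 68",
    "09:32:10.850594 IP 10.0.0.17 > 93.174.93.67: ICMP host x.x.x.250 unreachable, length 48",
    "09:32:11.000000 IP 203.0.113.5.51234 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0",
    "09:32:12.000000 IP 93.184.216.34.443 > 203.0.113.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0",
]


def _host(token):
    """Strip a trailing '.<port>' from a tcpdump host token ('10.0.0.17.443' -> '10.0.0.17')."""
    parts = token.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4])
    return token


def is_rfc1918(addr):
    """True if the dotted-quad address lies in one of the RFC1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Parse one tcpdump -n line into a dict, or return None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": _host(m.group("src")),
        "dst": _host(m.group("dst")),
        # ICMP error messages (unreachable, time exceeded) are the case in the post:
        # they are generated by the inner router, not by a host with a NAT state.
        "icmp_error": m.group("rest").startswith("ICMP"),
        "rest": m.group("rest"),
    }


def find_private_leaks(lines):
    """Return the parsed packets whose source address is RFC1918, i.e. left the WAN untranslated."""
    leaks = []
    for line in lines:
        pkt = parse_line(line.strip())
        if pkt is not None and is_rfc1918(pkt["src"]):
            leaks.append(pkt)
    return leaks


if __name__ == "__main__":
    # Usage with a live capture: tcpdump -n -i pppoe0 -l | python3 this_script.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for pkt in find_private_leaks(source):
        kind = "ICMP error" if pkt["icmp_error"] else "packet"
        print(f"{pkt['ts']} LEAK {kind} {pkt['src']} -> {pkt['dst']}: {pkt['rest']}")
```

Run against the constructed sample it reports only the two ICMP unreachables from 10.0.0.17; the TCP exchange with the (stand-in) WAN address passes. Piping a live `tcpdump -n -l` into it gives a quick, continuous check that nothing RFC1918-sourced is reaching the upstream, whichever way the NAT rule is eventually fixed.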
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
