
I have my setup like this:

Internet -> pfSense -> Private subnet server

pfSense and the private subnet server are inside a VPC with the following IPs. pfSense has an internet connection; it has an Elastic IP and a private IP, 10.0.0.20.

pfSense -> 10.0.0.0/24

Private server -> 10.0.2.0/24

Both can ping each other, so routing between them is fine. I want to use pfSense as a NAT gateway, but on the private server, how can I do it? I have set up a Squid server, but Squid is limited, as I want to NAT all traffic from the private subnet 10.0.2.0/24 through the pfSense IP.

On the private server, I have the default gateway set to 10.0.2.1. The gateway should be the IP of pfSense, but when I change it, I lose all connectivity to the server (which is obvious).

Any way out of this?

(I don't want to use a NAT gateway, but want to use pfSense only, as I want security and want all VPC traffic going through one gateway.)

Farhan

2 Answers


Make sure to disable the source/destination check for the instance acting as the NAT gateway. You can do this from the "Instance Actions" menu. There is a default security setting on EC2 instances to prevent IP/MAC spoofing.

Frank T
  • But how can I tell my other subnet machine to use 10.0.0.20 as its gateway? I have disabled the source/dest check. What next? – Farhan Oct 20 '16 at 18:48
  • http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck – Frank T Oct 20 '16 at 18:52
  • I don't want to route it through a NAT instance, but through pfSense. That's the problem. – Farhan Oct 20 '16 at 18:53
  • So help me understand what you are trying to accomplish. Are you trying to do the following: Private EC2 <-> pfSense Firewall <-> Public-facing Internet? – Frank T Oct 20 '16 at 18:56
  • Yes, that's what I am trying to do. – Farhan Oct 20 '16 at 19:21
  • EEAA's answer is correct. – Frank T Oct 20 '16 at 22:31
  • But I have already done that; all I want to know is how to route traffic through a gateway other than the one I am already using. As soon as I change the gateway, I lose connectivity to the server. – Farhan Oct 20 '16 at 22:36

Examine the pfSense Outbound NAT rules and verify that:

  1. You're using "Manual Outbound NAT"
  2. That the "Source" subnet for your "Auto created rule - LAN to WAN" outbound NAT entry is correct. In most cases I've seen, the Source is set to a /32 netmask, which is obviously incorrect. The source subnet should at the very least match the subnet of your LAN interface.

Due to quirks of how EC2 networking works, the automated NAT rules are often created incorrectly, and require the above manual corrections to work properly. Also, you may need to reboot pfSense entirely after making these changes.

EEAA
  • Already done that, but how do I tell my other subnet's hosts to route through this gateway? – Farhan Oct 20 '16 at 21:46
  • Add a default route to their subnets' route tables, pointing to the ENI of your pfSense LAN interface. – EEAA Oct 20 '16 at 21:47
  • For other subnets, you'll obviously need to create outbound NAT ACL rules to allow that traffic as well. – EEAA Oct 20 '16 at 21:48
  • Could you please give an example? The default route is already 10.0.2.1, and as soon as I change the default route, I lose all connectivity to the server. – Farhan Oct 20 '16 at 21:49
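Putting both answers together as one procedure from the AWS side, as an added example that is not part of the original thread. The point EEAA's comment makes, and where the asker gets stuck, is that the OS default gateway on the private server stays 10.0.2.1 (the VPC router); the change goes into the VPC route table associated with the 10.0.2.0/24 subnet, whose 0.0.0.0/0 entry is pointed at the pfSense ENI. The instance, ENI, security-group and route-table IDs below are placeholders (assumptions); the 10.0.2.0/24 subnet and 10.0.0.20 address come from the question. With DRY_RUN=1 (the default) the script prints the aws commands instead of running them, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example: route a private VPC subnet through a pfSense instance.
# The IDs below are placeholders (assumptions); set them for your VPC.
# 10.0.2.0/24 is the private subnet from the question.
PFSENSE_INSTANCE_ID="${PFSENSE_INSTANCE_ID:-i-0123456789abcdef0}"   # pfSense EC2 instance
PFSENSE_ENI_ID="${PFSENSE_ENI_ID:-eni-0123456789abcdef0}"           # ENI holding 10.0.0.20
PFSENSE_SG_ID="${PFSENSE_SG_ID:-sg-0123456789abcdef0}"              # security group on that ENI
PRIVATE_RTB_ID="${PRIVATE_RTB_ID:-rtb-0123456789abcdef0}"           # route table of 10.0.2.0/24
PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.2.0/24}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the aws commands, 0 = execute them

# run: echo the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Frank T's point: EC2 discards packets an instance forwards on behalf of
# other hosts unless source/destination checking is turned off on it.
disable_src_dst_check() {
  run aws ec2 modify-instance-attribute --instance-id "$1" --no-source-dest-check
}

# The pfSense security group must also accept the private subnet's traffic
# on the LAN side; protocol -1 means all protocols.
allow_private_subnet_ingress() {
  run aws ec2 authorize-security-group-ingress --group-id "$1" --protocol -1 --cidr "$2"
}

# EEAA's point: the private server keeps 10.0.2.1 as its OS gateway; the VPC
# route table for 10.0.2.0/24 sends 0.0.0.0/0 to the pfSense ENI instead.
# Use 'replace' when the table already has a 0.0.0.0/0 entry, 'create' when
# it does not. Never apply this to the route table of pfSense's own subnet:
# that table must keep 0.0.0.0/0 -> internet gateway, or traffic loops.
set_default_route() {
  action="$1"; rtb="$2"; eni="$3"
  case "$action" in
    create|replace) ;;
    *) echo "set_default_route: action must be 'create' or 'replace'" >&2; return 1 ;;
  esac
  run aws ec2 "${action}-route" --route-table-id "$rtb" \
      --destination-cidr-block 0.0.0.0/0 --network-interface-id "$eni"
}

# plan: the whole sequence in order; optional argument selects create|replace.
plan() {
  disable_src_dst_check "$PFSENSE_INSTANCE_ID"
  allow_private_subnet_ingress "$PFSENSE_SG_ID" "$PRIVATE_CIDR"
  set_default_route "${1:-replace}" "$PRIVATE_RTB_ID" "$PFSENSE_ENI_ID"
}

plan "$@"
```

Run it once with the default DRY_RUN=1 to read the three commands, then with DRY_RUN=0 to apply them. The pfSense side is not covered by the AWS API: per EEAA's answer, the outbound NAT rule on pfSense must have 10.0.2.0/24 (not a /32) as its source, or a second rule for that subnet, before the private hosts get out. Before making the route change, confirm that the route table you pass as PRIVATE_RTB_ID is the one associated with the 10.0.2.0/24 subnet and not the main table shared with pfSense's subnet.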