TRB500 - Passthrough - outbound nat - routed subnet

Hello,

I have the following setup (I randomised the IPs below):

TRB500 (in passthrough mode).
extra options:

static route:
interface:lan
target: 193.1.2.240/28
IPv4-Netmask: 255.255.255.240
IPv4-Gateway: 193.1.1.192
route type: unicast

|

Pfsense firewall:

WAN 193.1.1.192/24 / gw 193.1.1.193/24 (received from TRB500 DHCP server)
LAN 193.1.2.241/28

extra options:
outbound NAT disabled:

|
OPNsense firewall

WAN: 193.1.2.254/28 (gw 193.1.2.241)

Inbound, everything is working as expected. I can reach 193.1.2.254 through the 5G connection on the TRB500.

But outbound, all my traffic shows 193.1.1.192 as the source IP, while I was expecting it to be 193.1.2.254.

I did a packet capture on the pfSense WAN interface and I can see that all my outbound traffic is using 193.1.2.254 as the source IP.
If, for testing purposes, I enable outbound NAT on the pfSense, I see that my source IP changes to 193.1.1.192.

So it looks like the TRB500 is rewriting my source IP.
How can I disable that?

Greetings,

Just so your network configuration is a bit clearer, could you possibly draw a topology of the setup? Please do add the IP addresses and draw what is connected to what for clarity’s sake.

Things you can try while you’re at it:

  1. If your TRB500 mobile interface is already set to the passthrough mode, you should have extra options at the bottom, such as these:

    Attempt to enable the Disable DHCPv4 option so it stops assigning internal IPs.
  2. Attempt to specify the MAC address of your pfSense so we’re sure that it receives the WAN IP from the TRB500.

In passthrough mode, the router shares its WAN IP with a single LAN device (the first one connected to the LAN, or the one specified by MAC address). That LAN device gets the WAN IP instead of a LAN IP. Using passthrough mode disables some of the device’s capabilities (firewall, NAT), but DHCP and RMS still work. You can also connect more LAN devices to the free LAN ports: the first one gets the WAN IP, the others get LAN IPs from the router’s DHCP pool.

Regards,
M.

My pfSense (second hop) gets the WAN IP from the TRB500 (193.1.1.192/24).

What is strange:

From a server behind the OPNsense I connect to 192.168.2.1 (TRB500). In the logs of the TRB500 I can see that I log in from 193.1.2.254 (as expected, as I’m not doing outbound NAT on the pfSense).

But on that same server, when I do an online “what is my IP” check, it shows 193.1.1.192.

Also, with tcpdump (mirroring the WAN connection of the pfSense) I can see that the traffic going from my pfSense to the TRB500 shows 193.1.2.254 as the source IP.

Greetings,

This is normal behaviour, since the TRB is in passthrough mode, it “lends” its IP to one LAN device (the first one connected, or a specific MAC). This effectively makes it so your entire setup uses the 193.1.1.192/24 IP address.

pfSense is forwarding packets from your internal network 193.1.2.0/28 with their original source IPs (e.g., 193.1.2.254 from OPNsense). However, the mobile ISP only knows about the single public IP 193.1.1.192. When pfSense sends packets with 193.1.2.x source addresses, those aren’t routable on the ISP’s side. To keep the traffic working, the TRB effectively masquerades (source-NATs) all outbound packets to its assigned WAN IP, 193.1.1.192. That’s why all internet traffic appears to come from that IP.

The IPs that you’ve changed certainly make it a little harder to be accurate with the answers I provide, but, in short, the behaviour you’re experiencing is expected.

Regards,
M.
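The masquerading described in the reply above (packets from the routed /28 leaving with the TRB’s WAN IP) is ordinary netfilter source NAT: the first terminating rule in the nat table’s POSTROUTING chain decides what source address a packet leaves with. The script below, an added example that is not part of this thread and not Teltonika code, models that rule walk over an iptables-save style dump, so you can predict from a router’s own nat dump whether a given source will be rewritten. The sample dump is constructed; the interface names (wwan0, br-lan) and fw3-style zone chains are assumptions about an OpenWrt-like layout, not a capture from a TRB500. It also shows, as plain netfilter semantics, that an ACCEPT rule for the routed subnet placed ahead of the MASQUERADE jump exempts it; whether the TRB500 firmware lets you add such a rule in passthrough mode is not something this thread establishes.

```python
"""Predict the post-NAT source of an outbound packet from an iptables-save
nat dump.  Added illustration, not Teltonika/RutOS code.  Only -s, -o, -j
and --to-source are modelled; negated matches ("! -s") and other match
modules are ignored, which is enough for a MASQUERADE/SNAT diagnosis."""
import ipaddress
import shlex

# Constructed sample (hypothetical interfaces and chain names): all traffic
# leaving wwan0 is masqueraded, as the reply above says the TRB does.
SAMPLE_NAT_DUMP = """*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_postrouting - [0:0]
:zone_wan_postrouting - [0:0]
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o wwan0 -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
COMMIT
"""


def parse_nat_chains(dump):
    """Map chain name -> list of rules parsed from '-A <chain> ...' lines."""
    chains = {}
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue
        toks = shlex.split(line)          # handles quoted comments
        chain = toks[1]
        rule = {"src": None, "out": None, "target": None, "to": None}
        i = 2
        while i < len(toks):
            tok = toks[i]
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(toks[i + 1], strict=False)
                i += 2
            elif tok == "-o":
                rule["out"] = toks[i + 1]
                i += 2
            elif tok == "-j":
                rule["target"] = toks[i + 1]
                i += 2
            elif tok == "--to-source":
                rule["to"] = toks[i + 1]
                i += 2
            else:
                i += 1                    # skip matches we do not model
        chains.setdefault(chain, []).append(rule)
    return chains


def _walk(chains, chain, src, out_iface, wan_ip):
    """Walk one chain; return the resulting source, or None to keep going."""
    for r in chains.get(chain, []):
        if r["src"] is not None and src not in r["src"]:
            continue
        if r["out"] is not None and r["out"] != out_iface:
            continue
        tgt = r["target"]
        if tgt == "ACCEPT":               # nat ACCEPT ends traversal: untouched
            return str(src)
        if tgt == "MASQUERADE":           # rewritten to the egress address
            return wan_ip
        if tgt == "SNAT":
            return r["to"]
        if tgt == "RETURN":
            return None
        if tgt in chains:                 # user chain: descend, resume if it returns
            res = _walk(chains, tgt, src, out_iface, wan_ip)
            if res is not None:
                return res
    return None


def translate_source(dump, src_ip, out_iface, wan_ip):
    """Source address a packet from src_ip leaves out_iface with."""
    src = ipaddress.ip_address(src_ip)
    res = _walk(parse_nat_chains(dump), "POSTROUTING", src, out_iface, wan_ip)
    return res if res is not None else str(src)


def exempt_subnet(dump, subnet, out_iface):
    """Copy of dump with an ACCEPT rule for subnet at the head of POSTROUTING,
    so packets from the routed subnet reach the wire with their own source."""
    lines = dump.splitlines()
    idx = next(i for i, l in enumerate(lines) if l.startswith("-A POSTROUTING"))
    lines.insert(idx, f"-A POSTROUTING -s {subnet} -o {out_iface} -j ACCEPT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(translate_source(SAMPLE_NAT_DUMP, "193.1.2.254", "wwan0", "193.1.1.192"))
    fixed = exempt_subnet(SAMPLE_NAT_DUMP, "193.1.2.240/28", "wwan0")
    print(translate_source(fixed, "193.1.2.254", "wwan0", "193.1.1.192"))
```

To use this against a real box, replace SAMPLE_NAT_DUMP with the output of `iptables-save -t nat` from the router doing the rewriting; if the walk returns the WAN IP for a 193.1.2.x source, the router is masquerading the routed subnet, which is exactly what the two captures in the thread (original source on the pfSense WAN, WAN IP as seen from the internet) indicate.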
