NAT setup for mixed traffic (with and without NAT)

wpa

Hi all,

I am testing Home+Lab in GNS3 with such setup:

Internal interface 1 10.1.1.1/24
Internal interface 2 10.2.2.1/24
Internal interface 3 198.51.100.129/25
External interface 203.0.113.1/30

Is it possible to setup NAT translation for IP addresses from interface 1 to one fixed IP address (or IP range), from interface 2 to second fixed IP address (or other IP range) and forward traffic from interface 3 without translation?

NAT translation 10.1.1.0/24 -> 198.51.100.1
NAT translation 10.2.2.0/24 -> 198.51.100.2
No NAT translation for 198.51.100.129/25

I already tried this guide
https://docs.netgate.com/tnsr/en/latest/nat/outbound.html

But I don't understand how to match particular IP addresses to different internal subnets?
There are different NAT modes mentioned in docs, which mode is suitable for this?

wpa

Also I want to test setup with more than one external interface.
Is it possible to setup IP address for NAT translations depending on the outgoing interface?

viragomann

@wpa
Not clear why you want to translate the addresses at all.
But yes, you can translate it to whatever IP you want. However it's only meaningful to translate the source into an address which is routed back by the destination devices to the respective interface, otherwise responses won't come back to the interface and communication will fail.

But I don't understand how to match particular IP addresses to different internal subnets?

You can select 'other' at translation and enter your desired IP below with a /32 mask.

Also I want to test setup with more than one external interface.
Is it possible to setup IP address for NAT translations depending on the outgoing interface?

Yes, that is the default behavior on WAN interfaces.

wpa

@viragomann Private IP 10.x.x.x addresses translated to public addresses tajen from subnet 198.51.100.0/25. Needed route to198.51.100.0/24 added on uplink interface (in real setup route added by BGP but in GNS3 I am testing only NAT for now).
Can you clarify where I can select 'other'? I found in docs that IP addresses used for NAT are set in one pool and does not depend on WAN interface.

viragomann

@wpa
Not really clear what you try to achieve exactly.

I guess, since you have an public subnet behind pfSense, you want to translate the networks of interfaces 1 and 3 to the external interface address, but don't want to translate the public subnet of interface 3.

So for interface 1 and 2 there should be nothing to do, it is translated automatically, when you have the gateway address stated in the external interface settings. The outbound NAT must be work in hybrid mode.
For the interface 3 network the howto is well described in the pfSense docs: Routing Public IP Addresses.

Since you've obviously already configured the internal network, you should only have to add an outbound NAT rule on WAN for 198.51.100.0/25 with 'no NAT' checked.

wpa

@viragomann My question about TNSR Home+Lab setup.