NAT to /29 public block from Internal networks when WAN is /30
-
Hello,
I have x.x.230.100/30 WAN. I have x.x.234.160/29 Public block. My /29 is routed to my /30 by the ISP. I have 6 internal 10.x.x.x on different VLANs.
I want to NAT each internal 10.x.x.x VLAN to a different IP in my /29 network.
Example:
10.1.1.0/24 IPs will go out on x.x.234.161
10.2.2.0/24 IPs will go out on x.x.234.162
and so on... I do not need any forwarding back into any internal networks at this time. Forum searching I found several 1:1 NAT but didn't find any specific 1:many examples for different public IPs.
How do I use these /29 networks? Do I use Alias, Virtual IPs, or another way? How do I create a NAT rule for each internal VLAN?
Everything seems to work fine except I can't get my internal networks to go out my /29 addresses.
Any help will be greatly appreciated.
Thanks! -
@real in the big picture you’re looking for hybrid or manual outbound NAT: https://docs.netgate.com/pfsense/en/latest/nat/outbound.html
However you’re not looking to use the public IPs internally which would be the common setup? https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
It’s throwing me a bit. That would be the normal way…put the /29 on LAN and then have a second router provide NAT in front of each internal subnet. You could try IP Alias VIPs and see if it will work but I don’t think that’s commonly used with a routed subnet. -
I think if you described what the purpose/end goal was with this it might help us understand what you're trying to do.
I manage a CARP HA setup with a similar design and routed subnet (/29 and a /28) and have it set up without issues and have public facing services. But this sounds maybe a bit different.
Oh and is this similar to Comcast's EDI setup? https://business.comcast.com/support/article/ethernet/comcast-business-ethernet-equipment-configuration
Sounds like it but wanted to check.
-
My main goal is to have each internal subnet go out on a different public IP in my /29 block.
Example:
x.x.234.160/29
10.1.1.0/24 IPs will go out on x.x.234.161
10.2.2.0/24 IPs will go out on x.x.234.162
and so on... -
@real Right, but you do need those to NAT back in correct? Otherwise it would be outbound only traffic which I'm not sure what the use case for that would be.
Any specific reason these subnets all need a different public IP associated with them? I'd personally just use your main direct routed public and NAT everything.
However, this should be possible with IP aliases of some sort.
-
Yup, just add VIPs and outbound NAT rules to send traffic via them.
-
@stephenw10 Yeah this is what I thought too but the original post verbiage says they don't need traffic to forward back into internal networks, wasn't sure what exactly they meant by that other than maybe port forwards?
But yeah, just adding VIPs and you should be able to NAT to those IPs just fine @real
-
Yes almost certainly port forwards. Since this is a routed subnet you don't actually need VIPs at all, just outbound NAT rules. However it's logically easier to see what's happening if you add them and it allows for forwards later if required.
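As an added illustration (not from this thread or from the pfSense project), this is the FreeBSD pf ruleset equivalent of the per-VLAN outbound NAT the replies describe, using constructed RFC 5737 addresses in place of the x.x ones above and an assumed WAN interface name. pfSense generates its own ruleset from Firewall > NAT > Outbound (hybrid or manual mode), so this is for checking what the GUI entries should produce, not for pasting in.

```pf
# Added example, not pfSense's generated rules. Constructed addresses:
#   WAN /30    -> 203.0.113.100/30, firewall holds .101 (assumed)
#   public /29 -> 198.51.100.160/29, routed by the ISP to the WAN address
wan_if   = "em0"             # assumed WAN interface name
wan_addr = "203.0.113.101"

# Usable addresses in the /29 are .161-.166; .160 is the network address
# and .167 the broadcast, so six VLANs is exactly what the block can carry.
vlan1_pub = "198.51.100.161"
vlan2_pub = "198.51.100.162"
vlan3_pub = "198.51.100.163"

# One outbound NAT rule per internal subnet. pf takes the FIRST matching
# nat rule, so the specific subnets come before the catch-all. No VIP or
# ARP entry is needed: the ISP routes the whole /29 at the WAN address, and
# return packets for .161-.166 are matched by the state table, not by an
# address configured on an interface.
nat on $wan_if inet from 10.1.1.0/24 to any -> $vlan1_pub
nat on $wan_if inet from 10.2.2.0/24 to any -> $vlan2_pub
nat on $wan_if inet from 10.3.3.0/24 to any -> $vlan3_pub

# Catch-all for any other internal source, mirroring pfSense's automatic
# rule: translate to the WAN interface address itself.
nat on $wan_if inet from 10.0.0.0/8 to any -> $wan_addr

# If inbound forwards are wanted later, they target the same routed
# addresses (plus a matching pass rule), e.g.:
# rdr on $wan_if proto tcp from any to $vlan1_pub port 443 -> 10.1.1.10 port 443

# Checks from Diagnostics > Command Prompt (or the shell):
#   pfctl -sn                          # loaded NAT rules, in match order
#   pfctl -ss | grep 198.51.100.162    # VLAN 2 states should show .162 as
#                                      # the translated source address
```

In the GUI each line maps to one outbound rule whose Source is the VLAN subnet and whose Translation address is the chosen /29 IP; if the translated address does not appear in the state table, the rule order or source subnet is the first thing to check.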