(S/D)NAT routed IPs possible?
-
Thank you for your response.
So the answer is NO: it is not possible to use one of the internet C class IPs routed to pfSense's WAN IP for S/DNAT if the whole C class gets routed forward. I'll just use another pfSense cluster for load balancing with DNAT and put it on OPTX, where the /24 gets routed out through this one. Will have a little hard time explaining to my boss why we now need 4 firewalls instead of two, who did all of this for 7 years now, but I think it's time for us to move away from command line firewalls/routers. :-)
1:1 NAT would be acceptable for non-load-balancing DNAT rules maybe, but not for SNAT. I want the whole LAN network (not just one LAN IP) to go out WAN with an IP from the /24 internet-routed class.
Thank you for your time once more.
-
But why do you want your private LAN to get NATed to the /24 subnet?
Why not just use one of the /29 IPs and NAT it over this one? -
I might be able to do that for LAN users in LAN, to make it all come out with an IP from the connecting /29 segment instead of from one of the C/24 class IPs they used to.
But for some servers (whether in LAN or OPTXY/SERV) I still need DNAT, 'cause the /29 segment just doesn't have enough IPs and 'cause they use certain IPs from that /24 C class (which is routed to pfSense on the /29 connecting segment). Also when they go out they need to be SNATed, each to their own IP from that /24 C class (which is routed to pfSense's /29).
-
Addition: I just tried with LAN first, 'cause if it works there it will work for the SERV LAN too. I wanted to keep the description of the problem as short as possible so as not to discourage others from reading it, so I left out the SERVer LAN interface.
-
Couldn't you split your /24 into two /25s?
The clients in the private /16 subnet get NATed over one of the /29 IPs.
pfSense has another one of the /29 IPs.
The servers can go into one of the /25 subnets and you still have the other /25 subnet free for whatever you want.
Like this your servers are in a DMZ and have a public IP, and you still have 4 IPs free in the /29. -
This is a great suggestion but I have already thought of it.
Why it's not for me:
If I started from scratch this would probably be the solution, even though I don't like to be constrained in this way. But unfortunately the servers are already on this C class and they are all over the C class. Some of the IPs are DNATed and some not (my old solution allowed that). So it would require changing the IP addresses on the servers which are in the /25 segment that I would totally dedicate to NAT. In that case I'd rather buy another two machines than change all those IPs, if I do it at all (on another new C class).
I'm just wondering. If I were to set it up like this and split this routed C/24 into two /25 classes (one for routing forward and one for CARP NAT), how would I do it? Please advise me. To clarify, the first part of that C class will be called "a/25", used for S/DNAT, and the second part that I will route through will be called "b/25".
This is how I would set it up:
WAN -> /29 connecting segment
WAN -> CARP IP for each host from a/25 (for D/SNAT to SERV/OPT1)
LAN -> we know how
SERV/OPT1 -> 10.10.0.0/16 (DNATed and SNATed to a/25)
ROUTED/OPT2 -> b/25
To have b/25 routed through I just add it to OPT2 in the interface configuration (and allow it in the packet filter). But to have pfSense able to use a/25 IPs as CARP for NAT, what would I have to do? If I remember correctly it won't allow me to add CARP IPs for a network segment that's not yet on the WAN interface? Or will I be able to just add those IPs from a/25 as CARP to the WAN interface? If it's so easy I just might get a new C class, have this new pfSense system running with it and slowly over the years migrate machines from old classes and firewalls to pfSense.
-
Forgot to say thank you. :-) Thanks for suggestion.
-
I was correct. This setup is not possible for now. :-) I get the error:
"Sorry, we could not locate an interface with a matching subnet for a/25. Please add an ip in this subnet on a real interface."
How can I add another real subnet to the WAN interface?
-
You can add them with PARP, or if you just want to 1:1 NAT to a server behind it, with an "other" VIP.
More info on the various VIPs:
http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632 -
Won't using Proxy ARP IPs leave me with a non-redundant install? Like, CARP IPs will migrate to the active firewall while Proxy ARP won't. Can I have the same Proxy ARP on the two firewalls at the same time maybe?
Maybe I should just try it and stop with all the questions. :-)
-
O.K. I solved this. Didn't have to split my C/24 after all! I route it through, but for certain IPs I redirect the traffic with S/DNAT rules to SERV and LAN. This can be achieved with a combination of different netmasks for VIPs.
So the answer to my top post is YES. :-) Thank you all for your help. :-)
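Added example, not from any poster in this thread: the final design written as plain pf.conf translation and filter rules (pf is the packet filter underneath pfSense; the GUI produces the equivalent from its Firewall > NAT and Virtual IP pages, and the VIP netmask detail the last post mentions is GUI-side and not shown here). Interface names and addresses are constructed placeholders from RFC 5737 documentation ranges, and a LAN of 10.20.0.0/16 is assumed since the thread does not give one.

```pf
# Constructed example: the /24 is routed to pfSense's /29 WAN address by the
# upstream router. Most of it is forwarded onward out OPT2 by the routing
# table; a few of its addresses are used on pfSense itself for NAT.
wan  = "em0"    # connecting /29 segment
serv = "em1"    # SERV/OPT1, 10.10.0.0/16 as in the thread
rtd  = "em2"    # ROUTED/OPT2, the rest of the /24 lives behind here
lan  = "em3"    # private LAN, 10.20.0.0/16 (assumed)

wan_ip     = "198.51.100.2"     # pfSense's own address in the /29
routed_net = "192.0.2.0/24"     # the whole "C class" routed to wan_ip
serv_net   = "10.10.0.0/16"
lan_net    = "10.20.0.0/16"

# Addresses of the /24 that are NOT forwarded but terminated on pfSense:
www_pub   = "192.0.2.10"                 # 1:1 mapped server
www_priv  = "10.10.0.10"
pool_pub  = "192.0.2.20"                 # load-balanced DNAT target
pool_priv = "{ 10.10.0.21, 10.10.0.22 }"
lan_out   = "192.0.2.30"                 # SNAT address for the whole LAN

# --- translation (evaluated before filtering) ---
# 1) 1:1 NAT: 192.0.2.10 <-> 10.10.0.10 in both directions, any protocol
binat on $wan from $www_priv to any -> $www_pub

# 2) DNAT with load balancing: TCP/443 to 192.0.2.20 spread over two hosts,
#    a client sticks to the member it first hit
rdr on $wan proto tcp from any to $pool_pub port 443 \
    -> $pool_priv port 443 round-robin sticky-address
#    outbound traffic from those members leaves as 192.0.2.20 (SNAT)
nat on $wan from $pool_priv to any -> $pool_pub

# 3) SNAT for the whole LAN with one /24 address (the original question)
nat on $wan from $lan_net to any -> $lan_out

# --- filtering (sees destinations AFTER rdr/binat rewriting) ---
block in log all
pass out all                              # replies follow the created state
pass in on $wan proto tcp to $www_priv
pass in on $wan proto tcp to $pool_priv port 443
# Everything else addressed to the /24 is simply routed out OPT2.
pass in on $wan to $routed_net
pass in on $rtd from $routed_net to any
pass in on $serv from $serv_net to any
pass in on $lan from $lan_net to any
```

Because the upstream router already routes the /24 to pfSense's /29 address, no Proxy ARP or CARP entry is needed on WAN for the /24 addresses themselves; only the /29 address must fail over between the two cluster members.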