1:1 NAT for dummies
-
Hi!
I am trying to understand the 1:1 NAT feature in pfSense. Here is my basic configuration:
                                         -----------
red-PC---------------------192.168.10.254| pfSense |192.168.2.254------------------------green-PC
192.168.10.250                           -----------                                     192.168.2.100
GW:192.168.10.254                                                                        GW:192.168.2.254

firewall: pass all red<>green
Ping between red-PC and green-PC is working.
2.0-RELEASE (i386)

What I understand: with 1:1 NAT I can reach the green-PC by using an IP address which is not in 192.168.10.0/24.
On red-PC: >ping 192.168.12.100
The ping should be replied by 192.168.2.100 - is that correct?
Destination IP 192.168.12.100 will be mapped to destination IP 192.168.2.100,
but the ping fails! Any ideas?
Next question:
In the green subnet is a PC with IP = 10.1.0.100/24.
Is it possible to reach this PC from red-PC by using 1:1 NAT?

Thanks for your support!
-
According to your network design, 192.168.12 is not a valid subnet on your LAN. Unless you set up a VIP to proxy for it, the firewall will do nothing with it but block or forward nowhere.
-
Yes!
I added a virtual IP address range on the red port,
but this will not help. Which type should I use?

It works!
                                         -----------
red-PC---------------------192.168.10.254| pfSense |192.168.2.254------------------------green-PC

S: 192.168.10.250 >>>>>>>>>>>>>> request >>>>>>>>>>>>>> S: 192.168.10.250
D: 192.168.12.100 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> D: 192.168.2.100

S: 192.168.12.100 <<<<<<<<<<<<<<< reply <<<<<<<<<<<<<<< S: 192.168.2.100
D: 192.168.10.250 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< D: 192.168.10.250
-
To complete this thread:
By adding a virtual IP range (10.1.0.0/24) also on the green port, and changing the 1:1 NAT rule (Internal IP = 10.1.0.0/24), the following is possible:

red-PC---------------------192.168.10.254| pfSense |192.168.2.254------------------------green-PC2---------green-PC
192.168.10.250                           -----------                                     10.1.0.111        192.168.2.100

ping 192.168.12.111
S: 192.168.10.250 >>>>>>>>>>>>>> request >>>>>>>>>>>>>> S: 192.168.10.250
D: 192.168.12.111 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> D: 10.1.0.111

S: 192.168.12.111 <<<<<<<<<<<<<<< reply <<<<<<<<<<<<<<< S: 10.1.0.111
D: 192.168.10.250 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< D: 192.168.10.250

ping 192.168.2.100
S: 192.168.10.250 >>>>>>>>>>>>>> request >>>>>>>>>>>>>> S: 192.168.10.250
D: 192.168.2.100  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> D: 192.168.2.100

S: 192.168.2.100  <<<<<<<<<<<<<<< reply <<<<<<<<<<<<<<< S: 192.168.2.100
D: 192.168.10.250 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< D: 192.168.10.250

ping 192.168.12.100 will not work
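
The address rewriting traced in the diagrams above, as an added example that is not part of the original thread and not pfSense code: a small Python model of a subnet 1:1 NAT rule that keeps the host part of the address and rewrites the destination on the request and the source on the reply. The names `OneToOneNat` and `trace_ping` are hypothetical, and the model covers only address translation, not firewall rules or virtual IP handling.

```python
import ipaddress


class OneToOneNat:
    """Subnet 1:1 NAT model: external subnet <-> internal subnet, host bits kept."""

    def __init__(self, external, internal):
        self.external = ipaddress.ip_network(external)
        self.internal = ipaddress.ip_network(internal)
        if self.external.prefixlen != self.internal.prefixlen:
            raise ValueError("1:1 NAT subnets must have the same prefix length")

    @staticmethod
    def _remap(addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return str(addr)  # outside the rule: passed through unchanged
        offset = int(addr) - int(src_net.network_address)
        return str(dst_net.network_address + offset)

    def request(self, src, dst):
        """Packet entering on the red side: only the destination is rewritten."""
        return src, self._remap(dst, self.external, self.internal)

    def reply(self, src, dst):
        """Packet returning from the green side: only the source is rewritten."""
        return self._remap(src, self.internal, self.external), dst


def trace_ping(nat, client, target):
    """Return ((S, D) of the request on green, (S, D) of the reply on red)."""
    req = nat.request(client, target)
    rep = nat.reply(req[1], req[0])  # the answering host swaps source and destination
    return req, rep


# Final rule from the thread: external 192.168.12.0/24 <-> internal 10.1.0.0/24
RULE = OneToOneNat("192.168.12.0/24", "10.1.0.0/24")
RED_PC = "192.168.10.250"

if __name__ == "__main__":
    for target in ("192.168.12.111", "192.168.2.100", "192.168.12.100"):
        req, rep = trace_ping(RULE, RED_PC, target)
        print(f"ping {target}: green sees D={req[1]}, red sees reply S={rep[0]}")
```

Under the changed rule the model translates 192.168.12.100 to 10.1.0.100, so that address no longer leads to 192.168.2.100, while 192.168.2.100 itself falls outside the rule and is passed through untranslated.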