How to NAT internal IP range to external IP
-
Hi guys,
Really sorry, but I am a total noob when it comes to NAT, and I have some questions about it.
I currently have the following setup in pfSense:
WAN - I have a public IP assigned here from a /29 that was provided to me by the data center. Despite this being a /29 I only have 3 usable addresses on this subnet.
I then have a /28 that I have routed to the above static IP, and then I have created a LAN interface in pfSense and assigned it the first usable IP on this /28.
I then assign all of my devices (virtual machines) with an address from this /28 and use pfSense as the router for those devices. I don't know if that is the correct way of doing it, but it has worked well for me so far.
The trouble is that a) I'll run out of public addresses quickly doing it this way and b) all of these devices are technically on the same network, which isn't good.
So I want some way of separating devices into smaller networks. I assume the best way would be to configure internal IP addressing for the virtual machines and then use NAT to translate those internal IP addresses to a public one.
As such I have added another network to pfsense - OPT1 and assigned that with a private IP address.
What I want to do next is take one IP from my /29 on LAN1 and NAT everything from OPT1 so that it uses that public IP for outbound communications.
Is that possible? Is it the correct way?
Alternatively can I sub divide the /29 that I have?
Or should I be setting it up in a completely different way?
Sorry for all of the questions and the rambling. I hope someone can advise me.
Thanks
Dave
-
OK I am struggling here. If anyone could provide me with some pointers I would really appreciate it.
-
Hi guys,
Really sorry, but I am a total noob when it comes to NAT, and I have some questions about it.
I currently have the following setup in pfSense:
WAN - I have a public IP assigned here from a /29 that was provided to me by the data center. Despite this being a /29 I only have 3 usable addresses on this subnet.
This is so you can do VRRP/CARP. Hopefully your provider is. If you are not running high availability, you can use all three addresses for NAT.
I then have a /28 that I have routed to the above static IP, and then I have created a LAN interface in pfSense and assigned it the first usable IP on this /28.
I then assign all of my devices (virtual machines) with an address from this /28 and use pfSense as the router for those devices. I don't know if that is the correct way of doing it, but it has worked well for me so far.
Sounds perfect.
The trouble is that a) I'll run out of public addresses quickly doing it this way and b) all of these devices are technically on the same network, which isn't good.
So I want some way of separating devices into smaller networks. I assume the best way would be to configure internal IP addressing for the virtual machines and then use NAT to translate those internal IP addresses to a public one.
As such I have added another network to pfsense - OPT1 and assigned that with a private IP address.
What I want to do next is take one IP from my /29 on LAN1 and NAT everything from OPT1 so that it uses that public IP for outbound communications.
Is that possible? Is it the correct way?
It depends on how many NAT addresses you want. You already have three available on the /29. If that is enough, you're done. If not, the best thing to do would probably be to reassign your public /28 into two /29s. This would give you 6 usable public IPs on your Public IP LAN and 8 additional addresses to use for NAT (at least I think you can use all 8, depending on the type of VIP. I haven't tested it. If not, then 6.)
This might or might not be acceptable.
Alternatively can I sub divide the /29 that I have?
No, but you can use the three addresses for NAT. You already have the WAN address available for NAT. You could create VIPs in Firewall > Virtual IPs for the other two available addresses. They would then be available for port forwards and/or outgoing NAT.
See Also: https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
I think you can also assign VIPs out of unused addresses on your routed subnet, but I see that as getting a little messy when a guest VM wants to communicate with one of the natted hosts. You will have to do split DNS or it won't work because the IP address will be on the local subnet. I'm going off on a tangent, but I think that is the reason you would want to split the /28 if you want to use those addresses.
Or should I be setting it up in a completely different way?
Sorry for all of the questions and the rambling. I hope someone can advise me.
Thanks
Dave
It sounds like you have a lot of good options available. I have a feeling the three available addresses in the /29 on WAN will be enough for you.
You can just create another VLAN interface, assign it RFC1918 space, and tag it through to your VM host. Then you'd have another virtual network on your vswitch to assign to guests.
-
Hi,
Thanks for the reply.
OK, so regarding the /29, I am already using 1 of the 3 available addresses for my physical server. I am currently using the second available address for my pfSense WAN port (pfSense is running as a VM, if I did not mention that).
So I currently have 1 spare address. My end goal is to have 3 separate networks set up - one for each client - and ideally I would still like 2 separate public IP addresses for each network (1 for a domain controller and 1 for a terminal server within each network) and have NAT running between private and public IP for each server on the network.
When you say that I could split the /28 - can I do that myself or is that something that has to be done from the data center?
I do have another similar setup that is managed by a third party and they are also running pfsense, each network has a private LAN interface in pfsense and then the 2 servers within each network have their own dedicated WAN interface, I assume NAT is running between the two.
Waiting to hear your thoughts.
PS I notice a network diagram link in your signature, I can plot my setup on there later this evening if it would help?
-
With the /28 routed to you, you can do it yourself.
Say they're routing 12.13.14.0/28 to you. You probably assigned 12.13.14.1/28 to the interface and have .2-.14 available.
You would, instead, assign 12.13.14.1/29 to the interface, giving you .2-.6 available.
That would leave you 12.13.14.8/29 free for assignment. You would be able to assign 12.13.14.9/29 to the interface leaving .10-.14 available.
The more you subnet, the more IP addresses you burn in network/broadcast addresses.
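As an added illustration (not part of the thread), this Python snippet works through the split described above with the stdlib ipaddress module: it carves the placeholder 12.13.14.0/28 into the requested prefix lengths, treats the first usable host of each piece as the pfSense interface address the way the reply does, and counts how many VM-assignable addresses each plan leaves so the "burn" from extra subnets is visible. It generalizes to the /29 + two /30s plan mentioned later in the thread.

```python
import ipaddress
from typing import Dict, List

def carve(block: str, prefixes: List[int]) -> List[Dict]:
    """Carve a routed block into consecutive subnets of the given prefix lengths.

    Following the thread's convention, the first usable host of each subnet is
    the pfSense interface (gateway) address and the rest are left for VMs.
    'overhead' counts the addresses in the subnet that no VM can use (network,
    broadcast and gateway).  Raises ValueError if the plan does not fit.
    """
    net = ipaddress.ip_network(block, strict=True)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan = []
    for plen in prefixes:
        size = 1 << (net.max_prefixlen - plen)
        if plen > 30 or cursor % size or cursor + size > end:
            raise ValueError(f"/{plen} does not fit at {ipaddress.ip_address(cursor)}")
        sub = ipaddress.ip_network((cursor, plen))
        hosts = list(sub.hosts())
        plan.append({
            "subnet": str(sub),
            "gateway": f"{hosts[0]}/{plen}",
            "vm_range": f"{hosts[1]}-{hosts[-1]}",
            "vm_addresses": len(hosts) - 1,
            "overhead": size - (len(hosts) - 1),
        })
        cursor += size
    return plan

def vm_addresses(block: str, prefixes: List[int]) -> int:
    """Total VM-assignable addresses a plan leaves; shows what subnetting burns."""
    return sum(p["vm_addresses"] for p in carve(block, prefixes))

if __name__ == "__main__":
    # 12.13.14.0/28 is the constructed placeholder block used in the thread.
    for plan in ([28], [29, 29], [29, 30, 30]):
        print(plan, "->", vm_addresses("12.13.14.0/28", plan), "VM addresses")
        for sub in carve("12.13.14.0/28", plan):
            print("   ", sub)
```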
-
Ah, I didn't realize that. Is there anything wrong with doing it that way? Aside from the loss of addresses?
I think maybe that might be easiest. And aside from that, if I were to go the NAT route, is there a way of assigning private IP addresses via pfSense and then using one of the /28 as a WAN address for the purposes of NAT? I would really like to get NAT working as well, even if only to learn how it works!
-
Yes, but I think you will run into trouble if you don't reserve a subnet for NAT. Now you're looking at splitting the /28 into a /29 and two /30s. Maybe you should ask for more? If you can justify it it should be no problem.
-
Thanks. I'll try dividing the /28 up first then will try the NAT.
So basically for NAT I would need an interface on pfSense for an address on the private subnet, and an interface for a public subnet that's dedicated to the NAT?
-
It's just NAT. It doesn't really have to be dedicated. You could just use the existing WAN address for outbound NAT and port forwards. Lots of different ways to do this. If you want a more specific answer you will probably need to ask a more specific question.
-
Thanks! OK, I am going to set up the subnets and get that working; that will solve my immediate problem. Once I have done that, I will try experimenting with NAT and then ask some more specific questions - the situation at the moment is that I don't even know enough to ask the right questions :-)
Thanks for your help I really appreciate it.
I'll post an update tomorrow if/when I get the subnets set up.
-
Hi,
thanks so much for your help here.
I have now done as you suggested and split my /28.
At the moment I have split it into 2 /29 subnets and I have both working correctly, which is great. Something I don't understand though - I have assigned 1 address in the first /29 subnet to a virtual machine and 1 address in the second /29 subnet to another virtual machine.
They can still ping each other even though they are on different subnets, but I assume that pfsense is routing traffic between the two.
I have tried creating firewall rules to block traffic sent from one subnet to another, but it's not working.
What is the correct way of blocking one subnet from contacting the other?
-
Did you separate them in different VLANs?
Are there firewall rules permitting the traffic?
Did you adjust the netmask on all the VMs?
-
I didn't put them on separate VLANs. I am not sure how to do that?
Basically I have 3 interfaces in pfSense:
WAN
LAN - this is the first /29 subnet
LAN2 - this is the second /29 subnet
There are rules allowing the traffic.
How do I create VLANs? Also, I am struggling with the logistics of setting up NAT.
I did a test setup - I added a virtual IP and configured it with an internal IP range. I added an address on that to a VM and then I set up a NAT rule to forward traffic from that virtual network to the WAN port.
This works, and that traffic appears to the world as the IP of the WAN port.
But I am not sure how I can use a different IP as the WAN. Is it possible to split my /28 network and use one of those subnets as a public-facing IP to NAT to?
-
If you have interfaces you don't need VLANs.
If there are rules permitting the traffic, of course they can communicate.
I believe that you shouldn't use addresses in a network assigned to a LAN interface for NAT. I can only see that as creating potential problems.
If you want to use one of the /29s for NAT, I would unassign it from an interface and create VIPs on WAN instead.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
-
I tried to set an explicit deny rule in LAN1 rules denying any traffic with LAN2 as the source - I put it at the top of the rules list, but that did not seem to prevent them from communicating?
Regarding the NAT. OK, I understand what you are saying; can I only have one WAN interface on the device though? Assuming that is the case, I currently have an IP from my initial /29 address - this is the one assigned by the data center and it is the one that I have my other /28 routed to.
So if I NAT my private network can I only use that WAN interface and therefore only use that WAN IP?
Or can I use one of the /29s that I have created from my /28? And if so, how do I do that? Do I assign the private network as a VIP and then also assign the /29 as a VIP and NAT one to the other?
-
I tried to set an explicit deny rule in LAN1 rules denying any traffic with LAN2 as the source - I put it at the top of the rules list, but that did not seem to prevent them from communicating?
No. You need to put rules denying traffic to LAN1 destination on LAN2 tab. The rules are applied inbound on interface where the traffic first hits the firewall.
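As an added illustration (not part of the thread) of why the deny on the LAN1 tab had no effect, this Python model applies rules the way the reply describes: only the tab of the interface the traffic enters on is consulted, the first matching rule wins, and no match falls through to the default deny. The interface names and the 12.13.14.0/28 placeholder addresses are assumed from the thread; the rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "pass" or "block"
    src: str      # source CIDR or "any"
    dst: str      # destination CIDR or "any"

# Constructed topology matching the thread: the routed /28 split into two /29s,
# each on its own pfSense interface.  12.13.14.0/28 is the thread's placeholder.
INTERFACES = {
    "LAN1": ipaddress.ip_network("12.13.14.0/29"),
    "LAN2": ipaddress.ip_network("12.13.14.8/29"),
}

def _match(cidr, ip):
    return cidr == "any" or ip in ipaddress.ip_network(cidr)

def ingress_interface(src_ip):
    """The rule tab pfSense consults is the interface the packet arrives on."""
    ip = ipaddress.ip_address(src_ip)
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return "WAN"

def evaluate(tabs, src_ip, dst_ip):
    """First matching rule on the ingress tab wins; no match is the default deny."""
    tab = ingress_interface(src_ip)
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in tabs.get(tab, []):
        if _match(rule.src, src) and _match(rule.dst, dst):
            return rule.action, tab
    return "block", tab

# What the poster tried: the deny sits on the LAN1 tab, but LAN2 -> LAN1 traffic
# enters on LAN2, so only the LAN2 tab is consulted and its pass-any matches.
WRONG_TABS = {
    "LAN1": [Rule("block", "12.13.14.8/29", "any"), Rule("pass", "any", "any")],
    "LAN2": [Rule("pass", "any", "any")],
}
# The fix from the reply: deny traffic *to* LAN1 at the top of the LAN2 tab.
RIGHT_TABS = {
    "LAN1": [Rule("pass", "any", "any")],
    "LAN2": [Rule("block", "any", "12.13.14.0/29"), Rule("pass", "any", "any")],
}
```

Calling `evaluate(WRONG_TABS, "12.13.14.10", "12.13.14.2")` returns a pass decided on the LAN2 tab, while the same packet against `RIGHT_TABS` is blocked there.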
-
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
You really need to understand the basics of firewall rules on pfSense to have a chance at success.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You add virtual IP addresses to your WAN interface. You are dealing with a routed subnet.
-
So I could add my /28 as a VIP to the WAN interface?
And then I could add a private subnet to LAN interface, and then perform NAT between the two?
I don't suppose you guys offer paid service to configure/guide me through best way of setting up?
-
OK I have finally got somewhere:
I have now configured the following in pfsense:
WAN - this is the same; it's an IP from the /29 that I got from the data center.
LAN - this is assigned a private IP range.
VIP - I put my /28 in as a VIP range under the WAN interface. I set up a NAT rule so that all LAN traffic outbound is translated to the /28 VIP.
This works and I assume now that I will be able to allow inbound traffic using any IP from the /28 for services running on any of my VMs.
Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?
Thanks for all your help Derlict and Doktornotor I really appreciate it.
-
Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?
I guess it matters if it matters to you. I've never done a pool of outbound NAT addresses on pfSense. Not sure how to set that up other than 1:1. You can certainly tailor what inside host gets what outside address using more specific outbound NAT rules.