How to NAT internal IP range to external IP
-
Hi,
Thanks for the reply.
OK, so regarding the /29 I am already using 1 of the 3 available addresses for my physical server. I am currently using the second available address for my pfsense WAN port (pfsense is running as a VM if I did not mention that).
So I currently have 1 spare address. My end goal is to have 3 separate networks set up - one for each client and ideally I would still like 2 separate public IP addresses for each network (1 for a domain controller and 1 for a terminal server within each network) and have NAT running between private and public IP for each server on the network.
When you say that I could split the /28 - can I do that myself or is that something that has to be done from the data center?
I do have another similar setup that is managed by a third party and they are also running pfsense, each network has a private LAN interface in pfsense and then the 2 servers within each network have their own dedicated WAN interface, I assume NAT is running between the two.
Waiting to hear your thoughts.
PS I notice a network diagram link in your signature, I can plot my setup on there later this evening if it would help?
-
With the /28 routed to you you can do it yourself.
Say they're routing 12.13.14.0/28 to you. You probably assigned 12.13.14.1/28 to the interface and have .2-.14 available.
You would, instead, assign 12.13.14.1/29 to the interface, giving you .2-.6 available.
That would leave you 12.13.14.8/29 free for assignment. You would be able to assign 12.13.14.9/29 to the interface leaving .10-.14 available.
The more you subnet, the more IP addresses you burn in network/broadcast addresses.
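A small worked example of the split described above, added here and not part of the reply. It carves a routed prefix into the requested pieces with Python's standard `ipaddress` module and counts what each plan costs: the network and broadcast address of every subnet plus, as in the reply, one address per subnet for the pfSense interface that acts as gateway. `12.13.14.0/28` is the placeholder prefix from the reply, not a real assignment. It also goes slightly beyond the reply by rejecting a split that is misaligned (a /29 cannot start right after a single /30) or that does not exactly fill the parent.

```python
"""Carve a routed IPv4 prefix into smaller subnets and count the cost of the
split. Added example; 12.13.14.0/28 is the thread's placeholder prefix."""
import ipaddress


def carve(prefix, prefixlens):
    """Split `prefix` into consecutive subnets with the given prefix lengths,
    e.g. [29, 30, 30] turns a /28 into one /29 followed by two /30s.
    Raises ValueError if a piece is misaligned, falls outside the parent,
    or the pieces do not exactly fill the parent."""
    parent = ipaddress.ip_network(prefix, strict=True)
    cursor = int(parent.network_address)
    pieces = []
    for plen in prefixlens:
        if plen < parent.prefixlen:
            raise ValueError(f"/{plen} is bigger than the parent /{parent.prefixlen}")
        # strict=True rejects a start address that has host bits set for this
        # length, e.g. a /29 that would have to start at .4 after one /30.
        sub = ipaddress.ip_network((cursor, plen), strict=True)
        if not sub.subnet_of(parent):
            raise ValueError(f"{sub} falls outside {parent}")
        pieces.append(sub)
        cursor = int(sub.broadcast_address) + 1
    if cursor != int(parent.broadcast_address) + 1:
        raise ValueError("pieces do not exactly fill the parent prefix")
    return pieces


def plan(prefix, prefixlens):
    """Return, per subnet, (cidr, gateway, first_host, last_host, hosts) where
    the gateway is the first usable address (the pfSense interface, as in the
    thread) and hosts is what is left for servers; plus the totals."""
    parent = ipaddress.ip_network(prefix, strict=True)
    rows, hosts_total = [], 0
    for sub in carve(prefix, prefixlens):
        if sub.prefixlen > 30:
            # /31 and /32 have no separate network/broadcast address; this
            # gateway-plus-hosts accounting is not meaningful for them.
            raise ValueError(f"{sub}: only prefixes up to /30 are handled here")
        gateway = sub.network_address + 1
        first_host = gateway + 1
        last_host = sub.broadcast_address - 1
        hosts = sub.num_addresses - 3  # network, broadcast, gateway
        hosts_total += hosts
        rows.append((str(sub), str(gateway), str(first_host), str(last_host), hosts))
    return {
        "subnets": rows,
        "hosts": hosts_total,
        # everything in the parent that is not available to a server
        "lost": parent.num_addresses - hosts_total,
    }


if __name__ == "__main__":
    for pieces in ([28], [29, 29], [29, 30, 30]):
        p = plan("12.13.14.0/28", pieces)
        print(pieces, "->", p["hosts"], "hosts for servers,", p["lost"], "addresses lost")
        for row in p["subnets"]:
            print("   ", row)
```

Run as-is it shows the progression the reply describes: the unsplit /28 leaves 13 addresses for servers, two /29s leave 10, and a /29 plus two /30s leave 7. Asking for `[30, 29, 30]` raises `ValueError` because the /29 would be misaligned, which is the check to make before typing addresses into pfSense.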
-
Ah, I didn't realize that. Is there anything wrong with doing it that way? Aside from the loss of addresses?
I think maybe that might be easiest. And aside from that, if I were to go the NAT route, is there a way of assigning private IP addresses via pfsense and then using one of the /28 as a WAN address for the purposes of NAT? I would really like to get NAT working as well, even if only to learn how it works!
-
Yes, but I think you will run into trouble if you don't reserve a subnet for NAT. Now you're looking at splitting the /28 into a /29 and two /30s. Maybe you should ask for more? If you can justify it it should be no problem.
-
Thanks. I'll try dividing the /28 up first then will try the NAT.
So basically for NAT I would need an interface on pfsense for an address on the private subnet, and an interface for a public subnet that's dedicated to the NAT?
-
It's just NAT. It doesn't really have to be dedicated. You could just use the existing WAN address for outbound NAT and port forwards. Lots of different ways to do this. If you want a more specific answer you will probably need to ask a more specific question.
-
Thanks! OK, I am going to set up the subnets and get that working, that will solve my immediate problem. Once I have done that, I will try experimenting with NAT and then ask some more specific questions - The situation at the moment is that I don't even know enough to ask the right questions :-)
Thanks for your help I really appreciate it.
I'll post an update tomorrow if/when I get the subnets set up.
-
Hi,
thanks so much for your help here.
I have now done as you suggested and split my /28.
At the moment I have split it into 2 /29 subnets and I have both working correctly which is great. Something I don't understand though - I have assigned 1 address in the first /29 subnet to a virtual machine and 1 address in the second /29 subnet to another virtual machine.
They can still ping each other even though they are on different subnets, but I assume that pfsense is routing traffic between the two.
I have tried creating firewall rules to block traffic sent from one subnet to another, but it's not working.
What is the correct way of blocking one subnet from contacting the other?
-
Did you separate them in different VLANs?
Are there firewall rules permitting the traffic?
Did you adjust the netmask on all the VMs?
-
I didn't put them on separate VLANs. I am not sure how to do that?
Basically I have 3 interfaces in pfSense:
WAN
LAN - this is the first /29 subnet
LAN2 - this is the second /29 subnet
There are rules allowing the traffic.
How do I create VLANs? Also, I am struggling with the logistics of setting up NAT.
I did a test setup - I added a virtual IP and configured it with an internal IP range. I added an address on that to a VM and then I set up a NAT rule to forward traffic from that virtual network to the WAN port.
This works, and that traffic appears to the world as the IP of the WAN port.
But I am not sure how I can use a different IP as the WAN. Is it possible to split my /28 network and use one of those subnets as a public facing IP to NAT to?
-
If you have interfaces you don't need VLANs.
If there are rules permitting the traffic, of course they can communicate.
I believe that you shouldn't use addresses in a network assigned to a LAN interface for NAT. I can only see that as creating potential problems.
If you want to use one of the /29s for NAT, I would unassign it from an interface and create VIPs on WAN instead.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
-
I tried to set an explicit deny rule in LAN1 rules denying any traffic with LAN2 as the source - I put it at the top of the rules list, but that did not seem to prevent them from communicating?
Regarding the NAT. OK, I understand what you are saying, can I only have one WAN interface on the device though? Assuming that is the case, I currently have an IP from my initial /29 address - this is the one assigned by the data center and it is the one that I have my other /28 routed to.
So if I NAT my private network can I only use that WAN interface and therefore only use that WAN IP?
Or can I use one of the /29s that I have created from my /28? And if so, how do I do that? Do I assign the private network as a VIP and then also assign the /29 as a VIP and NAT one to the other?
-
I tried to set an explicit deny rule in LAN1 rules denying any traffic with LAN2 as the source - I put it at the top of the rules list, but that did not seem to prevent them from communicating?
No. You need to put rules denying traffic to LAN1 destination on the LAN2 tab. The rules are applied inbound on the interface where the traffic first hits the firewall.
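To make the point in the reply above concrete, here is a small model of how pfSense evaluates interface rules, added here as an example and not pfSense code. Rules on an interface tab are checked against traffic entering the firewall on that interface, top-down, first match wins, and anything unmatched hits the implicit default deny. The two /29s follow the thread's `12.13.14.0/28` example (LAN = `12.13.14.0/29`, LAN2 = `12.13.14.8/29`); the outside address `198.51.100.10` is constructed. The block on LAN that the original poster tried never sees LAN2's packets, because those enter on LAN2.

```python
"""Model of pfSense per-interface rule evaluation (added example, not pfSense
code): rules apply to traffic entering on that interface, first match wins,
unmatched traffic is blocked. The pf state table is not modelled."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"


def _selected(selector, ip):
    return selector == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(selector)


def ingress_interface(interfaces, src_ip):
    """The interface a packet enters on: the one whose subnet contains the
    source address; anything else is assumed to arrive on WAN."""
    for name, cidr in interfaces.items():
        if ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr):
            return name
    return "WAN"


def evaluate(interfaces, rulesets, src_ip, dst_ip):
    """Return (ingress interface, verdict) for a new connection src -> dst.
    Only the ingress interface's rules are consulted, top-down."""
    iface = ingress_interface(interfaces, src_ip)
    for rule in rulesets.get(iface, []):
        if _selected(rule.src, src_ip) and _selected(rule.dst, dst_ip):
            return iface, rule.action
    return iface, "block"  # pfSense's implicit default deny


# Interfaces as in the thread's example numbering (WAN is a different prefix).
INTERFACES = {"LAN": "12.13.14.0/29", "LAN2": "12.13.14.8/29"}

# What the poster tried: block LAN2-sourced traffic on the LAN tab.
ATTEMPTED = {
    "LAN": [Rule("block", "12.13.14.8/29", "any"), Rule("pass", "12.13.14.0/29", "any")],
    "LAN2": [Rule("pass", "12.13.14.8/29", "any")],
}

# What the reply describes: deny LAN as destination on the LAN2 tab, above
# LAN2's allow rule; mirrored on LAN so the isolation works both ways.
FIXED = {
    "LAN": [Rule("block", "any", "12.13.14.8/29"), Rule("pass", "12.13.14.0/29", "any")],
    "LAN2": [Rule("block", "any", "12.13.14.0/29"), Rule("pass", "12.13.14.8/29", "any")],
}


if __name__ == "__main__":
    vm_lan2, vm_lan, outside = "12.13.14.10", "12.13.14.2", "198.51.100.10"
    for label, rules in (("attempted", ATTEMPTED), ("fixed", FIXED)):
        print(label, "LAN2->LAN:", evaluate(INTERFACES, rules, vm_lan2, vm_lan))
        print(label, "LAN->LAN2:", evaluate(INTERFACES, rules, vm_lan, vm_lan2))
        print(label, "LAN2->outside:", evaluate(INTERFACES, rules, vm_lan2, outside))
```

Run as-is, the "attempted" rule set still passes LAN2 to LAN (the verdict comes from the LAN2 tab), while the "fixed" set blocks it in both directions and still lets LAN2 reach the outside. The model only decides new connections; in real pf, replies to an allowed connection are passed by the state table, not by a rule, so blocking the initiating direction on the ingress tab is sufficient. Floating rules are not modelled.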
-
https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting
You really need to understand the basics of firewall rules on pfSense to have a chance at success.
https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
You add virtual IP addresses to your WAN interface. You are dealing with a routed subnet.
-
So I could add my /28 as a VIP to the WAN interface?
And then I could add a private subnet to LAN interface, and then perform NAT between the two?
I don't suppose you guys offer paid service to configure/guide me through best way of setting up?
-
OK I have finally got somewhere:
I have now configured the following in pfsense:
WAN - this is the same, its an IP from the /29 that I got from data center.
LAN - this is assigned a private IP range.
VIP - I put my /28 in as a VIP range under the WAN interface. I set up a NAT rule so that all LAN traffic outbound is translated to the /28 VIP.
This works and I assume now that I will be able to allow inbound traffic using any IP from the /28 for services running on any of my VMs.
Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?
Thanks for all your help Derlict and Doktornotor I really appreciate it.
-
Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?
I guess it matters if it matters to you. I've never done a pool of outbound NAT addresses on pfSense. Not sure how to set that up other than 1:1. You can certainly tailor what inside host gets what outside address using more specific outbound NAT rules.
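As an added example of the "more specific outbound NAT rules" mentioned above (not code from the thread or from pfSense), here is a model of first-match outbound NAT and port forwards. It shows why the specific rows must sit above the catch-all, and adds the check a practitioner would want for the goal stated earlier in the thread (one public address per server): each host that has a port forward should be translated outbound to the same external address it is reachable on. The `12.13.14.0/28` VIP range is the thread's placeholder; the `10.0.0.0/24` LAN, the host addresses and the port forwards are constructed.

```python
"""Model of pfSense-style manual outbound NAT (top-down, first match) and
port forwards. Added example; all addresses are constructed or taken from the
thread's 12.13.14.0/28 placeholder. Port translation and state are omitted."""
import ipaddress


def outbound_translation(rules, src_ip):
    """External address a packet from src_ip is translated to, or None when
    no rule matches (it would leave with its private source address)."""
    ip = ipaddress.ip_address(src_ip)
    for source_net, nat_addr in rules:
        if ip in ipaddress.ip_network(source_net):
            return nat_addr
    return None


def validate_nat_addresses(rules, vip_net):
    """Translation addresses that are not usable VIPs: outside the VIP range,
    or its network/broadcast address."""
    net = ipaddress.ip_network(vip_net)
    bad = []
    for _source, nat_addr in rules:
        ip = ipaddress.ip_address(nat_addr)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            bad.append(nat_addr)
    return bad


def check_forward_consistency(rules, port_forwards):
    """For each port forward (ext_addr, ext_port) -> (inside_ip, port), verify
    inside_ip is translated outbound to the same ext_addr. Returns a list of
    (inside_ip, expected_ext, actual_ext) mismatches."""
    problems = []
    for (ext_addr, _ext_port), (inside_ip, _port) in port_forwards.items():
        actual = outbound_translation(rules, inside_ip)
        if actual != ext_addr:
            problems.append((inside_ip, ext_addr, actual))
    return problems


VIP_NET = "12.13.14.0/28"          # the routed /28 from the thread, as VIPs on WAN
LAN_NET = "10.0.0.0/24"            # assumed private LAN
DC, TS = "10.0.0.10", "10.0.0.11"  # assumed domain controller / terminal server

# Catch-all first: the specific rows below it can never match.
CATCHALL_FIRST = [(LAN_NET, "12.13.14.2"), (DC + "/32", "12.13.14.3"), (TS + "/32", "12.13.14.4")]
# Specific first, catch-all last: each server keeps its own public address.
SPECIFIC_FIRST = [(DC + "/32", "12.13.14.3"), (TS + "/32", "12.13.14.4"), (LAN_NET, "12.13.14.2")]

# Constructed port forwards: (external address, port) -> (inside host, port).
PORT_FORWARDS = {("12.13.14.4", 3389): (TS, 3389), ("12.13.14.3", 443): (DC, 443)}


if __name__ == "__main__":
    for label, rules in (("catch-all first", CATCHALL_FIRST), ("specific first", SPECIFIC_FIRST)):
        print(label, "DC ->", outbound_translation(rules, DC), "TS ->", outbound_translation(rules, TS))
        print("  mismatches:", check_forward_consistency(rules, PORT_FORWARDS))
    print("bad VIPs:", validate_nat_addresses([(LAN_NET, "12.13.14.0")], VIP_NET))
```

With the catch-all on top every host leaves as `12.13.14.2`, so both servers fail the consistency check; with the specific rows on top they leave as the addresses their port forwards use, and any other LAN host still falls through to the catch-all. `validate_nat_addresses` flags picking the network address of the VIP range as a translation address, an easy slip when a whole /28 is added as one VIP range.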
-
Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?
I guess it matters if it matters to you. I've never done a pool of outbound NAT addresses on pfSense. Not sure how to set that up other than 1:1. You can certainly tailor what inside host gets what outside address using more specific outbound NAT rules.
Thanks, no it doesn't matter to me. Just wanted to make sure I was doing it the right way.
I have opened another thread about isolating each subnet from the other, if you have time:
https://forum.pfsense.org/index.php?topic=91399.0