Netgate Discussion Forum
    How to NAT internal IP range to external IP

Category: NAT | 21 Posts | 3 Posters | 6.1k Views
davids355:

Hi,
thanks so much for your help here.
I have now done as you suggested and split my /28.
At the moment I have split it into 2 /29 subnets and I have both working correctly, which is great.

Something I don't understand though: I have assigned 1 address in the first /29 subnet to a virtual machine and 1 address in the second /29 subnet to another virtual machine.
They can still ping each other even though they are on different subnets, but I assume that pfSense is routing traffic between the two.
I have tried creating firewall rules to block traffic sent from one subnet to another, but it's not working.
What is the correct way of blocking one subnet from contacting the other?
Derelict (LAYER 8, Netgate):

Did you separate them in different VLANs?

Are there firewall rules permitting the traffic?

Did you adjust the netmask on all the VMs?

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)
davids355:

I didn't put them on separate VLANs. I am not sure how to do that?
Basically I have 3 interfaces in pfSense:

WAN
LAN  - this is the first /29 subnet
LAN2 - this is the second /29 subnet

There are rules allowing the traffic.
How do I create VLANs?

Also, I am struggling with the logistics of setting up NAT.

I did a test setup: I added a virtual IP and configured it with an internal IP range. I added an address on that to a VM and then I set up a NAT rule to forward traffic from that virtual network to the WAN port.
This works, and that traffic appears to the world as the IP of the WAN port.
But I am not sure how I can use a different IP as the WAN.

Is it possible to split my /28 network and use one of those subnets as a public-facing IP to NAT to?
Derelict (LAYER 8, Netgate):

If you have interfaces you don't need VLANs.

If there are rules permitting the traffic, of course they can communicate.

I believe that you shouldn't use addresses in a network assigned to a LAN interface for NAT. I can only see that as creating potential problems.

If you want to use one of the /29s for NAT, I would unassign it from an interface and create VIPs on WAN instead.

https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses
davids355:

I tried to set an explicit deny rule in LAN1 rules denying any traffic with LAN2 as the source; I put it at the top of the rules list, but that did not seem to prevent them from communicating?

Regarding the NAT: OK, I understand what you are saying. Can I only have one WAN interface on the device though? Assuming that is the case, I currently have an IP from my initial /29 address; this is the one assigned by the data center and it is the one that I have my other /28 routed to.

So if I NAT my private network, can I only use that WAN interface and therefore only use that WAN IP?

Or can I use one of the /29s that I have created from my /28? And if so, how do I do that? Do I assign the private network as a VIP and then also assign the /29 as a VIP and NAT one to the other?
doktornotor (Banned):

@davids355:

    I tried to set an explicit deny rule in LAN1 rules denying any traffic with LAN2 as the source; I put it at the top of the rules list, but that did not seem to prevent them from communicating?

No. You need to put rules denying traffic to LAN1 destination on the LAN2 tab. The rules are applied inbound on the interface where the traffic first hits the firewall.
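The rule-direction point above is easy to get wrong, so here is a small model of it as an added example (not code from this thread or from pfSense): each interface tab holds rules that are applied to traffic entering the firewall on that interface, evaluated top-down, first match wins, with an implicit default deny. The interface names, the /28 split into two /29s, and the VM and internet addresses are constructed from the documentation ranges. The model is stateless, so it only shows which side may initiate a connection; on a real stateful firewall, replies to a connection that was already passed are allowed by the state entry, not by a rule.

```python
# Added example (not code from the thread): a small model of how pfSense
# evaluates firewall rules. Each interface tab holds rules that are applied
# to traffic ENTERING the firewall on that interface, top-down, first match
# wins, with an implicit default deny. Names and addresses are constructed
# from the documentation ranges; the model is stateless, so it only shows
# which side may initiate a connection.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    src: str     # CIDR, or "any"
    dst: str     # CIDR, or "any"


@dataclass(frozen=True)
class Interface:
    name: str
    network: str   # subnet directly attached to this interface
    rules: tuple   # rules on this interface's tab, in order


def _matches(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)


def ingress_interface(interfaces, src_addr: str) -> Interface:
    """A packet enters on the interface whose attached subnet contains its source."""
    for iface in interfaces:
        if ip_address(src_addr) in ip_network(iface.network):
            return iface
    raise ValueError(f"no interface is attached to the subnet of {src_addr}")


def evaluate(interfaces, src_addr: str, dst_addr: str) -> str:
    """Apply only the ingress interface's rules, first match wins, default deny."""
    for rule in ingress_interface(interfaces, src_addr).rules:
        if _matches(rule.src, src_addr) and _matches(rule.dst, dst_addr):
            return rule.action
    return "block"


# Constructed lab: a /28 split into two /29s, one VM in each.
LAN1_NET = "203.0.113.0/29"
LAN2_NET = "203.0.113.8/29"
VM1 = "203.0.113.2"   # in LAN1
VM2 = "203.0.113.10"  # in LAN2
INTERNET_HOST = "198.51.100.7"


def block_on_wrong_tab() -> str:
    """The thread's first attempt: 'block source LAN2' at the top of the LAN1 tab.
    LAN1's rules never see packets that enter on LAN2, so VM2 still reaches VM1."""
    lan1 = Interface("LAN1", LAN1_NET, (Rule("block", LAN2_NET, "any"),
                                        Rule("pass", LAN1_NET, "any")))
    lan2 = Interface("LAN2", LAN2_NET, (Rule("pass", LAN2_NET, "any"),))
    return evaluate([lan1, lan2], VM2, VM1)  # "pass"


def block_on_ingress_tab() -> tuple:
    """Block LAN2 -> LAN1 on the LAN2 tab, above its allow rule. Internet access
    from LAN2 survives, and LAN1 -> LAN2 stays open because LAN1's tab was not changed."""
    lan1 = Interface("LAN1", LAN1_NET, (Rule("pass", LAN1_NET, "any"),))
    lan2 = Interface("LAN2", LAN2_NET, (Rule("block", LAN2_NET, LAN1_NET),
                                        Rule("pass", LAN2_NET, "any")))
    fw = [lan1, lan2]
    return (evaluate(fw, VM2, VM1),            # "block"
            evaluate(fw, VM2, INTERNET_HOST),  # "pass"
            evaluate(fw, VM1, VM2))            # "pass"


def isolate_both_ways() -> tuple:
    """Full isolation needs a block rule on each tab, each naming the other subnet as destination."""
    lan1 = Interface("LAN1", LAN1_NET, (Rule("block", LAN1_NET, LAN2_NET),
                                        Rule("pass", LAN1_NET, "any")))
    lan2 = Interface("LAN2", LAN2_NET, (Rule("block", LAN2_NET, LAN1_NET),
                                        Rule("pass", LAN2_NET, "any")))
    fw = [lan1, lan2]
    return (evaluate(fw, VM1, VM2), evaluate(fw, VM2, VM1), evaluate(fw, VM1, INTERNET_HOST))


if __name__ == "__main__":
    print("wrong tab:", block_on_wrong_tab())
    print("ingress tab:", block_on_ingress_tab())
    print("both tabs:", isolate_both_ways())
```

The block rule has to sit above the tab's allow rule, since the first matching rule decides; and isolating two subnets from each other takes a block rule on each tab, because each tab only governs the connections its own hosts initiate.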
Derelict (LAYER 8, Netgate):

https://doc.pfsense.org/index.php/Firewall_Rule_Troubleshooting

You really need to understand the basics of firewall rules on pfSense to have a chance at success.

https://doc.pfsense.org/index.php/What_are_Virtual_IP_Addresses

You add virtual IP addresses to your WAN interface. You are dealing with a routed subnet.
davids355:

So I could add my /28 as a VIP to the WAN interface?

And then I could add a private subnet to the LAN interface, and then perform NAT between the two?

I don't suppose you guys offer a paid service to configure/guide me through the best way of setting up?
davids355:

OK, I have finally got somewhere.
I have now configured the following in pfSense:
WAN - this is the same, it's an IP from the /29 that I got from the data center.
LAN - this is assigned a private IP range.
VIP - I put my /28 in as a VIP range under the WAN interface.

I set up a NAT rule so that all LAN traffic outbound is translated to the /28 VIP.

This works and I assume now that I will be able to allow inbound traffic using any IP from the /28 for services running on any of my VMs.

Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?

Thanks for all your help Derelict and Doktornotor, I really appreciate it.
Derelict (LAYER 8, Netgate):

@davids355:

    Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?

I guess it matters if it matters to you. I've never done a pool of outbound NAT addresses on pfSense. Not sure how to set that up other than 1:1. You can certainly tailor what inside host gets what outside address using more specific outbound NAT rules.
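The "more specific outbound NAT rules" suggestion above, and the earlier setup where all LAN traffic is translated to the first address of the /28 VIP range, come down to rule ordering. As an added example (not code from this thread or from pfSense), the model below selects an outbound NAT translation the way pfSense does: rules bound to the egress interface are evaluated top-down and the first match decides the outside address, so a narrow rule for one host placed above the general rule gives that host its own address, and the same rule placed below is shadowed and never matches. The private LAN, the VIP range and the host addresses are constructed from the documentation ranges; the 1:1 NAT alternative Derelict mentions is not modelled.

```python
# Added example (not code from the thread): a model of pfSense outbound NAT
# rule selection. Rules on the egress interface are evaluated top-down and
# the first match decides the translation address, so a narrow rule placed
# above the general one gives a single inside host its own outside address,
# and the same rule placed below it is shadowed. Addresses are constructed
# from the documentation ranges.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class OutboundNatRule:
    interface: str    # egress interface the rule is bound to
    source: str       # CIDR of inside hosts the rule covers
    translation: str  # outside address the source is rewritten to
    description: str = ""


def select_rule(rules, egress_interface: str, src_addr: str) -> Optional[OutboundNatRule]:
    """First rule on the egress interface whose source network contains the host."""
    for rule in rules:
        if rule.interface == egress_interface and ip_address(src_addr) in ip_network(rule.source):
            return rule
    return None


def translate(rules, egress_interface: str, src_addr: str) -> str:
    """Outside address the host appears as; no match means the packet leaves untranslated."""
    rule = select_rule(rules, egress_interface, src_addr)
    return rule.translation if rule else src_addr


# Constructed lab: private LAN behind WAN, routed /28 added as a VIP range on WAN.
LAN_NET = "192.168.10.0/24"
VIP_RANGE = "203.0.113.16/28"
GENERAL_VIP = "203.0.113.17"    # first usable address of the VIP range
WEB_VM = "192.168.10.50"
WEB_VM_PUBLIC = "203.0.113.20"  # address the VM's inbound service is published on
OTHER_VM = "192.168.10.7"

general_rule = OutboundNatRule("WAN", LAN_NET, GENERAL_VIP, "all LAN hosts share one address")
web_rule = OutboundNatRule("WAN", WEB_VM + "/32", WEB_VM_PUBLIC, "web VM uses its published address")

GENERAL_ONLY = (general_rule,)
TAILORED = (web_rule, general_rule)    # specific rule above the general one
MISORDERED = (general_rule, web_rule)  # specific rule below: never reached


def demo() -> dict:
    """Outside address the web VM gets under each rule set, plus another host for comparison."""
    return {
        "general": translate(GENERAL_ONLY, "WAN", WEB_VM),
        "tailored": translate(TAILORED, "WAN", WEB_VM),
        "misordered": translate(MISORDERED, "WAN", WEB_VM),
        "other_host": translate(TAILORED, "WAN", OTHER_VM),
    }


def shadowed_rules(rules, egress_interface: str) -> list:
    """Sanity check for a rule set: rules whose whole source network is already
    covered by an earlier rule on the same interface, so they can never match."""
    shadowed = []
    for i, rule in enumerate(rules):
        if rule.interface != egress_interface:
            continue
        net = ip_network(rule.source)
        earlier = [r for r in rules[:i] if r.interface == egress_interface]
        if any(net.subnet_of(ip_network(r.source)) for r in earlier):
            shadowed.append(rule.description)
    return shadowed


def translation_in_vip_range(rules, egress_interface: str, src_addr: str) -> bool:
    """Check that a host's outside address lies inside the routed /28 added as VIPs on WAN."""
    return ip_address(translate(rules, egress_interface, src_addr)) in ip_network(VIP_RANGE)


if __name__ == "__main__":
    print(demo())
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED, "WAN"))
```

The shadowed-rule check is the thing to run after editing the outbound NAT list: a per-host rule that sits below the catch-all rule looks fine in the GUI but never takes effect, and the host keeps leaving on the shared address.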
davids355:

@Derelict:

    @davids355:

        Does it matter though that all outbound traffic from my VMs uses the same IP - the first one in the /28 subnet?

    I guess it matters if it matters to you. I've never done a pool of outbound NAT addresses on pfSense. Not sure how to set that up other than 1:1. You can certainly tailor what inside host gets what outside address using more specific outbound NAT rules.

Thanks, no it doesn't matter to me. Just wanted to make sure I was doing it the right way.

I have opened another thread about isolating each subnet from the other, if you have time:
https://forum.pfsense.org/index.php?topic=91399.0