Netgate Discussion Forum
    NAT over NAT?

      johnpoz LAYER 8 Global Moderator

      for what possible reason would you be set up like this?

      Connect your Windows machine to the same pfsense network your linux box is connected to, or even 2 different pfsense networks so that you could firewall how you want between these 2 networks or to the internet.

      I can not think of one sane reason to have it set up like you have it.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        gohancore

        Thank you for the reply.

        It's actually a university project I'm doing, my teacher says it's hard but doable, so that's why I was asking if it was possible at all.

          johnpoz LAYER 8 Global Moderator

          well yeah you can have like 30 nats chained together if you wanted to - but WHY???

          So you're trying to figure out what clients are behind the other nat?  Yeah you could do that with a simple look at the TTLs on the packets most likely.

          If all you're wanting to do is block it, then why are you forwarding it to your linux box?  If you want us to do your home work for you - going to have to give us the exact details..


            gohancore

            Once again, thank you for the reply.

            Sorry if I wasn't being clear enough. The linux server has three subinterfaces, with three different networks. They can all access the internet through the pfsense. The purpose is to block internet access to one specific network between a specific hour period.

              johnpoz LAYER 8 Global Moderator

              well you would do that on the linux box then..  if you're using your linux box as your firewall/router why not just replace it with pfsense?  Or your other fav linux based firewall/router distro that makes it all very simple to do such things since the distro has been modified for the specific use as a firewall/router - like pfsense, it's just a tweaked-out version of freebsd that makes it easy to use as a firewall/router.


                Derelict LAYER 8 Netgate

                Or tell linux to NAT each subnet out a different "outside" address. Then you can identify what subnet is what on pfSense by the NAT IP address.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  johnpoz LAYER 8 Global Moderator

                  Yup you could do that..  But what is the point of the linux box other than some class work??  As I said in the beginning there is no point to double nat.. If you had a downstream router (linux in your case) there would be no point to nat there.


                    Derelict LAYER 8 Netgate

                    I double NAT in my lab all the time, else I can't test NAT configs on the lab machines. Identifying networks behind NAT is a little strange.


                      gohancore

                      I know this configuration is complete nonsense and it would be so easy to "repair" it. The thing is it's a school project and so I can't modify the design and I'm being told that it's possible to do this, hard but doable, so I don't know..

                        Derelict LAYER 8 Netgate

                        It's not hard.  Put a bunch of Virtual IP addresses on WAN, and use manual or hybrid outbound NAT to map each LAN subnet to a different WAN IP.

                        After that, in the outside pfSense you can tell what subnet on the back side of the linux router the traffic is coming from based on the "inside global" NAT address.

                        The trouble for you is all the real work has to be done on the linux router and this is a pfSense forum.


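Derelict's approach on the Linux router side, as an added example that is not from the thread: a POSIX shell script that generates the extra outside addresses and an nftables SNAT ruleset mapping each inside subnet to its own "inside global" IP, so the outer pfSense can match one subnet by source address and apply a scheduled block rule. Interface name, subnets and the 203.0.113.x addresses are assumed (constructed) values.

```shell
#!/bin/sh
# Added example, not from the thread. Per-subnet SNAT on the Linux router so the
# outer pfSense can tell the three inside networks apart by NAT source address.
# Assumed (constructed) values: outside interface eth0 with primary address
# 203.0.113.10/24; the three IPs below are additional aliases (virtual IPs).
WAN_IF="eth0"
WAN_CIDR="24"
# inside subnet -> outside (virtual) IP, one pair per line
SUBNET_MAP="192.168.10.0/24 203.0.113.11
192.168.11.0/24 203.0.113.12
192.168.12.0/24 203.0.113.13"

# Outside IP a given inside subnet is NATed to (prints nothing if unknown).
nat_ip_for() {
    printf '%s\n' "$SUBNET_MAP" | while read -r subnet wan_ip; do
        [ "$subnet" = "$1" ] && { printf '%s' "$wan_ip"; break; }
    done
}

# Commands that add the extra outside addresses to the WAN interface.
gen_vip_cmds() {
    printf '%s\n' "$SUBNET_MAP" | while read -r subnet wan_ip; do
        printf 'ip addr add %s/%s dev %s\n' "$wan_ip" "$WAN_CIDR" "$WAN_IF"
    done
}

# nftables ruleset with one SNAT rule per inside subnet; load with: nft -f file.nft
# On pfSense, a firewall rule on the interface facing this router can then
# block source 203.0.113.12 (the 192.168.11.0/24 network) under a schedule.
gen_nft_ruleset() {
    printf 'table ip nat {\n    chain postrouting {\n'
    printf '        type nat hook postrouting priority 100; policy accept;\n'
    printf '%s\n' "$SUBNET_MAP" | while read -r subnet wan_ip; do
        printf '        ip saddr %s oifname "%s" snat to %s\n' \
            "$subnet" "$WAN_IF" "$wan_ip"
    done
    printf '    }\n}\n'
}

# Run as "sh script.sh show" to review the generated commands before applying.
if [ "${1:-}" = "show" ]; then
    gen_vip_cmds
    gen_nft_ruleset
fi
```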
                          johnpoz LAYER 8 Global Moderator

                          "I double NAT in my lab all the time"

                          I hear ya - sometimes you have to, shit at work there are so many freaking nats it makes my head spin sometimes.  And a joke I like to use when troubleshooting with fellow techs at work is "we need another nat" there are only 3 ;)

                          But to be honest it is something to be avoided!!

                          As to your design gohancore - while you might not be able to modify it for the course work your instructor wants you to do..  I would bring it up to him for discussion that it's a BAD design and there seems in this scenario no reason to nat the downstream rfc1918 networks if you're just going to want to block one, etc..  But as Derelict has mentioned a couple of times now the easy fix is to use a different IP on the wan of your linux box for the nats for the networks on the inside of the linux router so that you can just block the 1 you want at pfsense.  Maybe this is the solution your instructor is looking for??

                          Not sure why he just doesn't try and teach whatever concept he is trying to teach you without nonsense like double natting..  Why not show you how to work with a downstream router via a transit network, which seems to be something lost on many other users of this forum as well ;)
