Help a newbie with routing
-
Hey, Newbie here with a virgin setup. Be gentle. Looked around and didn't see a config like this one.
I have one WAN with 4 static IPs, one gateway. Only using 3 of the 4 external IPs for now. And one LAN interface (192.168.1.1/24).
Let's say, for example, the three external IPs are 100.100.100.2, 100.100.100.3, and 100.100.100.4. Gateway is 100.100.100.1.
I have assigned each IP a virtual IP. Here is how I want traffic directed
100.100.100.2 to 192.168.1.100, 192.168.1.101, and 192.168.1.102
100.100.100.3 to 192.168.1.40
100.100.100.4 to 192.168.1.50
192.168.1.100, 192.168.1.101, and 192.168.1.102 are all on the same server and NIC, which runs 3 different apps all needing their own IPs.
And I want the remainder of the LAN subnet for workstations. One WAN and one LAN interface on the pf box. The LAN is on one switch going to all the servers and workstations. The WAN goes to the ISP modem.
The real issue for me is whether I use NAT and how to set that up directing one external IP to multiple IP's on the same subnet as the rest of the LAN.
If there is a more efficient way of distributing the 192.168.1.1/24 subnet, please share. Thanks in advance.
-
You direct inbound connections to internal hosts with port forwards. Firewall > NAT, Port forwards
You direct outbound connections to be source-translated with outbound NAT. Firewall > NAT, Outbound
You can use 1:1 NAT to establish a 1:1 mapping of outside-to-inside addresses for connections in both directions. Firewall > NAT, 1:1
You cannot just make connections to one address go to three different hosts inbound. Not without narrowing it down to specific, unique ports.
You can make all connections from 192.168.1.100, 192.168.1.101, and 192.168.1.102 to the outside "Masquerade" as 100.100.100.2 using specific outbound NAT rules.
Probably going to need more details to help more than that.
-
Thanks for the info.
Using the three internal IPs all connected to 100.100.100.2, they do have unique ports for each IP.
192.168.1.100 uses port 6060,6443 - Port Alias 'APP1'
192.168.1.101 uses port 80,111,443,993 - Port Alias 'APP2'
192.168.1.102 uses port 25,465,2525 - Port Alias 'APP3'
For my other servers on the 192.168.1.1/24 subnet I know I can just use NAT 1:1 for mapping an external IP to an internal IP.
My confusion is how to set up 192.168.1.100-102 on one external IP. So for those, I assume I do not need NAT 1:1, just three port forwards with port aliases and Manual Outbound NAT for each internal IP to the same virtual IP.
Now there is already an auto created Outbound NAT rule with 192.168.1.0/24 as the source and the WAN address as the redirector. Will this clash with the other Outbound NAT rules I need to create?
Thanks
-
Just port forward them in…
Firewall > NAT, Port Forward
Protocol: TCP
Source Address: any
Source Ports: any
Dest Address: 100.100.100.2
Dest Ports: Other: APP1
NAT Address: 192.168.1.100
NAT Ports: Other: APP1
Protocol: TCP
Source Address: any
Source Ports: any
Dest Address: 100.100.100.2
Dest Ports: Other: APP2
NAT Address: 192.168.1.101
NAT Ports: Other: APP2
Protocol: TCP
Source Address: any
Source Ports: any
Dest Address: 100.100.100.2
Dest Ports: Other: APP3
NAT Address: 192.168.1.102
NAT Ports: Other: APP3
To do multiple ports (that are not a contiguous range) you have to use an alias for the ports, and it has to be the same alias on the Dest Ports and NAT Ports.
The port forward entry can automatically add the necessary rules on the outside interface to pass the traffic. The end result needs to be:
Pass any traffic to address 192.168.1.100 ports APP1
Pass any traffic to address 192.168.1.101 ports APP2
Pass any traffic to address 192.168.1.102 ports APP3
-
Thanks! Do I also need to add outbound NAT? I already have one with 192.168.1.0/24 as source and the WAN address as the NAT Address.
Also, I have one other server to add with only one local and one external IP. Is it better to use NAT 1:1 or just use another Port Forward?
You were a huge help. Thanks again.
-
You only need outbound NAT if you care what IP addresses are used by those servers for connections they INITIATE outbound.
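A small model of the NAT tables discussed in this thread, added here as an example and not code from the thread or from pfSense: it checks that the three port forwards on 100.100.100.2 use disjoint port aliases (the reason one address can reach three hosts at all), does a first-match inbound lookup, and shows which external address an outbound connection presents with and without the per-host outbound NAT rules. The WAN interface address 100.100.100.5 is a constructed placeholder; the thread never names it.

```python
from dataclasses import dataclass
from itertools import combinations
from ipaddress import ip_address, ip_network

# Port aliases exactly as named in the thread.
ALIASES = {"APP1": {6060, 6443}, "APP2": {80, 111, 443, 993}, "APP3": {25, 465, 2525}}

@dataclass(frozen=True)
class PortForward:
    proto: str
    dest_addr: str
    dest_ports: str  # alias name; the reply uses the same alias for NAT Ports
    nat_addr: str

FORWARDS = [
    PortForward("tcp", "100.100.100.2", "APP1", "192.168.1.100"),
    PortForward("tcp", "100.100.100.2", "APP2", "192.168.1.101"),
    PortForward("tcp", "100.100.100.2", "APP3", "192.168.1.102"),
]

def forward_conflicts(forwards):
    """Pairs of forwards on the same proto + external address whose aliases share a port.
    Any hit means one rule shadows the other (first match wins): the 'same address,
    three hosts' setup only works because the three aliases are disjoint."""
    hits = []
    for a, b in combinations(forwards, 2):
        if a.proto == b.proto and a.dest_addr == b.dest_addr:
            shared = ALIASES[a.dest_ports] & ALIASES[b.dest_ports]
            if shared:
                hits.append((a.dest_ports, b.dest_ports, sorted(shared)))
    return hits

def forward_lookup(proto, dest_addr, dest_port, forwards=FORWARDS):
    """First-match inbound lookup; the port is unchanged because Dest Ports and NAT Ports use the same alias."""
    for fw in forwards:
        if fw.proto == proto and fw.dest_addr == dest_addr and dest_port in ALIASES[fw.dest_ports]:
            return fw.nat_addr, dest_port
    return None

# Outbound NAT, most specific first; the last entry is the auto-created 192.168.1.0/24 -> WAN address rule.
WAN_ADDRESS = "100.100.100.5"  # constructed: the thread never names the WAN interface's own address
OUTBOUND = [(ip_network(f"192.168.1.{h}/32"), "100.100.100.2") for h in (100, 101, 102)] + [
    (ip_network("192.168.1.0/24"), WAN_ADDRESS),
]

def outbound_source(src_ip, rules=OUTBOUND):
    """External address a connection INITIATED by src_ip presents; first matching rule wins."""
    src = ip_address(src_ip)
    return next((ext for net, ext in rules if src in net), None)
```

Passing only the catch-all rule to outbound_source shows the point of the last reply: without the specific rules, the three app hosts go out as the WAN address rather than 100.100.100.2.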