Netgate Discussion Forum
    Help a newbie with routing

    6 Posts 2 Posters 713 Views
    whizzy

      Hey, Newbie here with a virgin setup. Be gentle. Looked around and didn't see a config like this one.

      I have one WAN with 4 static IPs, one gateway. Only using 3 of the 4 external IPs for now. And one LAN interface (192.168.1.1/24).
      Let's say, for example, the three external IPs are 100.100.100.2, 100.100.100.3, and 100.100.100.4. Gateway is 100.100.100.1.
      I have assigned each IP a virtual IP. Here is how I want traffic directed
      100.100.100.2 to 192.168.1.100, 192.168.1.101, and 192.168.1.102
      100.100.100.3 to 192.168.1.40
      100.100.100.4 to 192.168.1.50

      192.168.1.100, 192.168.1.101, and 192.168.1.102 are all on the same server and NIC, which runs 3 different apps all needing their own IPs.

      And I want the remainder of the LAN subnet for workstations. One WAN and one LAN interface on the pf box. The LAN is on one switch going to all the servers and workstations. The WAN goes to the ISP modem.

      The real issue for me is whether I use NAT and how to set that up directing one external IP to multiple IP's on the same subnet as the rest of the LAN.

      If there is a more efficient way of distributing the 192.168.1.1/24 subnet, please share. Thanks in advance.

      Derelict (LAYER 8, Netgate)

        You direct inbound connections to internal hosts with port forwards. Firewall > NAT, Port forwards

        You direct outbound connections to be source-translated with outbound NAT. Firewall > NAT, Outbound

        You can use 1:1 NAT to establish a 1:1 mapping of outside-to-inside addresses for connections in both directions. Firewall > NAT, 1:1

        You cannot just make connections to one address go to three different hosts inbound. Not without narrowing it down to specific, unique ports.

        You can make all connections from 192.168.1.100, 192.168.1.101, and 192.168.1.102 to the outside "Masquerade" as 100.100.100.2 using specific outbound NAT rules.

        Probably going to need more details to help more than that.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        whizzy

          Thanks for the info.
          Using the three internal IPs all connected to 100.100.100.2, they do have unique ports for each IP.
          192.168.1.100 uses port 6060,6443 - Port Alias 'APP1'
          192.168.1.101 uses port 80,111,443,993 - Port Alias 'APP2'
          192.168.1.102 uses port 25,465,2525 - Port Alias 'APP3'
          For my other servers on the 192.168.1.1/24 subnet I know I can just use NAT 1:1 for mapping an external IP to an internal IP.

          My confusion is how to set up 192.168.1.100-102 on one external IP. So for those, I assume I do not need NAT 1:1, just three port forwards with port aliases and Manual Outbound NAT for each internal IP to the same virtual IP.
          Now there is already an auto created Outbound NAT rule with 192.168.1.0/24 as the source and the WAN address as the redirector. Will this clash with the other Outbound NAT rules I need to create?
          Thanks

          Derelict (LAYER 8, Netgate)

            Just port forward them in…

            Firewall > NAT, Port Forward

            Protocol: TCP
            Source Address: any
            Source Ports: any
            Dest Address: 100.100.100.2
            Dest Ports: Other: APP1
            NAT Address: 192.168.1.100
            NAT Ports: Other: APP1

            Protocol: TCP
            Source Address: any
            Source Ports: any
            Dest Address: 100.100.100.2
            Dest Ports: Other: APP2
            NAT Address: 192.168.1.101
            NAT Ports: Other: APP2

            Protocol: TCP
            Source Address: any
            Source Ports: any
            Dest Address: 100.100.100.2
            Dest Ports: Other: APP3
            NAT Address: 192.168.1.102
            NAT Ports: Other: APP3

            To do multiple ports (that are not a contiguous range) you have to use an alias for the ports and it has to be the same alias on the Dest Ports and NAT Ports.

            The port forward entry can automatically add the necessary rules on the outside interface to pass the traffic. The end result needs to be:

            Pass any traffic to address 192.168.1.100 ports APP1
            Pass any traffic to address 192.168.1.101 ports APP2
            Pass any traffic to address 192.168.1.102 ports APP3

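The three port forwards above only work because the APP1/APP2/APP3 aliases share no ports. The following is an added example, not code from the thread or from pfSense: a small model of that port-forward table that resolves where an inbound connection to 100.100.100.2 lands and flags any port claimed by more than one forward, since pf's rdr rules are first-match and a later forward on an already-claimed port is simply never reached.

```python
# Added example (not from the thread or pfSense): model of the three port
# forwards to 100.100.100.2 and a check that their port aliases do not overlap.
from typing import Optional

# Port aliases exactly as whizzy defined them in the thread.
ALIASES = {
    "APP1": {6060, 6443},
    "APP2": {80, 111, 443, 993},
    "APP3": {25, 465, 2525},
}

# Port forwards in rule order: (protocol, dest address, dest-port alias,
# NAT address). NAT Ports use the same alias, so no port translation occurs.
PORT_FORWARDS = [
    ("tcp", "100.100.100.2", "APP1", "192.168.1.100"),
    ("tcp", "100.100.100.2", "APP2", "192.168.1.101"),
    ("tcp", "100.100.100.2", "APP3", "192.168.1.102"),
]


def resolve(proto: str, dst_ip: str, dst_port: int) -> Optional[str]:
    """Return the internal host an inbound connection is forwarded to.

    pf evaluates rdr rules top to bottom and applies the first match,
    so rule order decides the outcome whenever aliases overlap."""
    for p, addr, alias, target in PORT_FORWARDS:
        if p == proto and addr == dst_ip and dst_port in ALIASES[alias]:
            return target
    return None  # no forward matches: the WAN default-deny drops it


def overlapping_ports(forwards=PORT_FORWARDS) -> dict:
    """Map each (proto, dest ip, port) claimed by more than one forward to
    the NAT targets competing for it, in rule order. A non-empty result
    means every target after the first is unreachable on that port."""
    claims: dict = {}
    for p, addr, alias, target in forwards:
        for port in ALIASES[alias]:
            claims.setdefault((p, addr, port), []).append(target)
    return {key: targets for key, targets in claims.items() if len(targets) > 1}


if __name__ == "__main__":
    print(resolve("tcp", "100.100.100.2", 443))   # 192.168.1.101
    print(resolve("tcp", "100.100.100.2", 8080))  # None
    print(overlapping_ports())                    # {} (aliases are disjoint)
```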
            whizzy

              Thanks! Do I also need to add outbound NAT? I already have one with 192.168.1.0/24 as source and the WAN address as the NAT Address.

              Also, I have one other server to add with only one local and one external IP. Is it better to use NAT 1:1 or just use another Port Forward?

              You were a huge help. Thanks again.

              Derelict (LAYER 8, Netgate)

                You only need outbound NAT if you care what IP addresses are used by those servers for connections they INITIATE outbound.

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.