1:1 NAT to a printer ouside the WAN port..?

  • Ok, I have a new idea in my saga to access a printer outside the WAN port. What about 1:1 NAT from an additional interface & subnet..?

    Pfsense is installed on a Vbox VM with multiple interfaces. The WAN port is connected to our office LAN through a Vbox "NAT" interface. The other Pfsense interfaces are LAN1, OPT1 and OPT2. All of this is to duplicate a large existing network of manufacturing equipment, and the IP addresses cannot be changed in the simulated system.

    Note: The huge problem here is the real office LAN (on the WAN interface) has the same IP addressing as LAN1. That's because it and OPT1 are copies of two existing subnets. The Vbox NAT engine allows devices on LAN1 to access the internet. But as you might imagine, devices on the office LAN cannot be accessed because everything on LAN1 thinks those addresses are on its own subnet.

    This is the crux of the problem, since the printer IP is in the office subnet, which is inaccessible.

    So… I came up with the idea of adding another interface and subnet to each VM that needs to print. There would be a Firewall Rule that allows anything on OPT2 to only access the printer IP. But there would also have to be NAT to translate the IP on OPT2 to the IP of the printer on the WAN (aka, the office LAN).

    Can this be done with 1:1 NAT..? Or am I trying to herd cats again..? If this can be done, how would I set it up? I tried some how-tos but I couldn't get it to work.


    Here are the numbers. I would like to translate on OPT2 to on the WAN:

    | Office LAN | |
    | Office printer | |
    | Pfsense WAN | (via Vbox DHCP) |
    | LAN1 | |
    | OPT1 | |
    | OPT2 | |
    | IP for printing | |