1:1 NATed subnet conflicts with network distribution IPs
-
I have a /24 public IP pool with IP Aliases & 1:1 NATs for 254 private addresses to client devices. I can accept the pfSense LAN adapter using up the x.x.x.1 private address since the DHCP server is needed at this address to assign leases to client devices. However, nine distribution APs burn up the x.x.x.2 - x.x.x.10 addresses. I know proxy ARP requires a public & private last octet match, so the associated public addresses must go unused, which isn't favorable to the carrier to leave too many unused IPv4s.
However, with IP Aliases can the private IP pool be larger than the public to accommodate the network equipment so all /24 public IPs can be assigned? Or can they even reside in a different subnet? Seems problematic, but thought I should ask. Any other ideas on how to keep network distribution equipment out of the public/private pool would be helpful.
And on a side note, since IP Aliases seem to be the way to go, I populated all 254 1:1 NATs in the XML file. I intended to do the same with 254 IP Aliases, but it has a unique DEVICEID on each. Does this force me to enter all of them with the GUI, or is there a work-around? Thanks…
-
Why not get a /29 on the WAN interface and have the ISP route the /24 to that?
Then you can assign actual public IP addresses to users instead of messing about with 1:1 NAT.
Having "distribution APs" eat IP addresses is a design issue. AP management is what a private, management VLAN is for.
-
There is a /30 on the WAN and the ISP does route through it. I posted the VLAN mgmt. approach earlier this year and was told it didn't fit this need. I was told that all it would do is put each AP on a separate physical switch port. Then I would have the issue of dishing out the /24 publics across each separate VLAN segment. Are you suggesting to use VLANs and VIPs in concert so they all arrive at the router's LAN via one physical switch port?
-
I'm just saying if you have a routed /24 why are you messing about with 1:1 NAT?
Couldn't find the related thread. Can you either point to it or describe exactly what you are trying to do?
-
There have been discussions for various other semi-related purposes. The most relevant post is at https://forum.pfsense.org/index.php?topic=90968.msg503529#msg503529. In reply #8 you suggest using a 1:1 and VIP, which is what I have set up and works fine. The AP "could" be bridged so it isn't a layer-2 roadblock for a VLAN. I need to get public IPs past a dozen routed APs to the clients associated on each AP.
I thought about using a /23 subnet 4.1-5.255 on the pfSense LAN and 1:1 to 4.1-4.254 and put network gear on 5.x, but not sure of unintended consequences.
Are you suggesting something other than 1:1 is more suitable?
-
Yeah, 1:1 NAT is 1:1 NAT, not 1:4 NAT or 4:1 NAT.
I'm not sure what to tell you. What you want is pretty much not going to happen. You are going to need a public for every gamebox if you really need all incoming ports forwarded to one place.
Most ISPs just assign a public IP address to the customer edge and let them and their edge devices worry about it. Almost nobody has more than 1 public IP address.
Sounds like you're a WISP. Just get more addresses.
-
You're correct, I operate a WISP. Not doing 1:4 NAT. Doing multiple 1:1 NATs on a common subnet. Bridging the APs reduces security substantially. Each customer (premises) gets one public IP, so I am doing as you suggest, assigning one to the customer edge. I can't get as many addresses as I want. Too many IPs not used for public internet access violates the contract with our carrier. I'm trying to be proactive and avoid this as I set up a restructured router to fiber so I can begin moving users to it. Thanks for sharing your ideas.
-
All of your infrastructure should be on one or more VLANs with the customer bridges - the actual access network/SSID - being on others.
Looks like Ubiquiti gear from what you have said. Should be no problem doing that. What's the issue there?
1:1 NAT does not require that the last octet match. It just means that if you have a range of 64 addresses it has to translate to a range of 64 addresses. You can translate 64-127 to 128-191. You can make, say, a 192.168.2.0/23 and 1:1 NAT to 192.168.2.0 using 192.168.3.0 for infrastructure.
Lots of ways to do it.
Sounds like you really have a layer 2 problem, not a pfSense/layer 3 problem.
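The last reply's point, that 1:1 NAT is an offset-preserving range-to-range mapping rather than a last-octet match, can be checked with a few lines of address arithmetic. The script below is an added example and is not code from the thread or from pfSense; it uses the documentation range 203.0.113.0/24 as a stand-in for the ISP's routed /24 and the 192.168.2.0/23 layout from the last post (customers in the lower /24, infrastructure in 192.168.3.0/24). It counts how many public addresses are left for customers when the nine APs sit inside the NATed range versus on the infrastructure subnet, and shows a /26 translating to a /26 with different host numbers.

```python
import ipaddress

# Constructed sample addressing for the layout in the last post (hypothetical,
# not the thread's real ranges): a /23 on the pfSense LAN, lower /24 for
# customers that are 1:1 NATed, upper /24 kept for infrastructure so it never
# consumes a public address.
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/24")   # stands in for the ISP's routed /24
CUSTOMER_NET = ipaddress.ip_network("192.168.2.0/24")  # 1:1 NATed, one private per public
INFRA_NET = ipaddress.ip_network("192.168.3.0/24")     # APs, switches, radios: never NATed

# A /26 inside the customer range mapped to a /26 with a different host range,
# the "64-127 to 128-191" case from the last post.
SUB_PRIV = ipaddress.ip_network("192.168.2.64/26")
SUB_PUB = ipaddress.ip_network("203.0.113.128/26")


def translate(addr, private_range, public_range):
    """Offset-preserving 1:1 translation: the Nth address of private_range maps
    to the Nth address of public_range.  Only the range sizes must match; the
    last octet does not."""
    addr = ipaddress.ip_address(addr)
    if private_range.num_addresses != public_range.num_addresses:
        raise ValueError("1:1 NAT needs ranges of equal size")
    if addr not in private_range:
        raise ValueError(f"{addr} is outside {private_range}, so it is not translated")
    offset = int(addr) - int(private_range.network_address)
    return public_range.network_address + offset


def publics_consumed_by(hosts, private_range, public_range):
    """Public addresses tied up by hosts that sit inside the NATed private
    range.  Infrastructure placed there burns a public no customer can use,
    which is what the original poster wants to avoid."""
    consumed = []
    for h in hosts:
        h = ipaddress.ip_address(h)
        if h in private_range:
            consumed.append(translate(h, private_range, public_range))
    return consumed


def assignable_customer_publics(infra_hosts, gateway, private_range, public_range):
    """Publics left for customers once the LAN gateway and any in-range
    infrastructure are accounted for (network and broadcast excluded)."""
    reserved = set(publics_consumed_by([gateway, *infra_hosts], private_range, public_range))
    return [p for p in public_range.hosts() if p not in reserved]


# Layout from the question: nine APs at .2-.10 inside the NATed /24.
APS_IN_NAT_RANGE = [f"192.168.2.{i}" for i in range(2, 11)]
# Layout from the last answer: the same nine APs on the infrastructure /24.
APS_IN_INFRA = [f"192.168.3.{i}" for i in range(2, 11)]
GATEWAY = "192.168.2.1"  # pfSense LAN address, accepted by the poster as unavoidable

if __name__ == "__main__":
    print("192.168.2.77 ->", translate("192.168.2.77", CUSTOMER_NET, PUBLIC_POOL))
    print("192.168.2.70 ->", translate("192.168.2.70", SUB_PRIV, SUB_PUB))
    before = assignable_customer_publics(APS_IN_NAT_RANGE, GATEWAY, CUSTOMER_NET, PUBLIC_POOL)
    after = assignable_customer_publics(APS_IN_INFRA, GATEWAY, CUSTOMER_NET, PUBLIC_POOL)
    print(len(before), "customer publics with APs inside the NAT range")
    print(len(after), "customer publics with APs on the infrastructure subnet")
```

Moving the APs to 192.168.3.0/24 leaves every public except the one behind the LAN gateway available to customers, because addresses outside the 1:1 range are simply not translated; the same arithmetic applies to any equal-sized pair of ranges, whatever their last octets.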