Local 1 : 1 NAT

on my switches i put all client ports into "protected mode"
the vlans are (currently) assigned via mac (hopefully i will use certificates/radius later)
the protected port mode stops layer2 traffic between the protected ports - that way a client-PC cannot connect to another PC in the same vlan/net but can connect to the servers and gateways
(this avoids/makes harder attacks like "arp poisoning"/"pass the hash"/.. )

that's fine for almost all applications (as far as i can foresee)

but there is one vlan that needs to communicate with clients in the same net (using a handful of fixed ports)

i would like to keep all client-side ports in the "protected mode" so anyone can put a device into any (client-side) port and automatically gets the correct vlan

so i need to circumvent the protection for this specific vlan

my idea was this:
client (ip: 10.11.12.13/24) wants to connect to 10.11.12.14
client connects to 10.11.13.14 (this ip is not in the client routing table) and will be routed to the pfsense gateway
in pfsense i do a 1:1 NAT so the 10.11.13.14 ip is converted to 10.11.12.14 and goes back to the wanted client

but sadly i failed to accomplish this
it could be i am mistaken in what's possible/sane for such a scenario
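A small Python model of the forward and reply path of the 1:1 NAT idea described in the post, added here as an illustration and not part of the original post. It assumes a pfSense LAN address of 10.11.12.1 (not stated in the post), a 1:1 NAT that rewrites only the destination address with no outbound/source NAT on the LAN, and a switch that drops frames between any two protected client ports while frames to or from the gateway port pass.

```python
# Added example: trace one TCP/UDP exchange through the proposed 1:1 NAT
# and report whether the forward packet and the reply can be delivered
# at layer 2 when client ports are in protected mode.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

NET = IPv4Network("10.11.12.0/24")
GATEWAY = IPv4Address("10.11.12.1")            # assumed pfSense LAN address
NAT_1TO1 = {IPv4Address("10.11.13.14"): IPv4Address("10.11.12.14")}  # alias -> real


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address


def next_hop(pkt: Packet) -> IPv4Address:
    """A host with only its connected route sends on-subnet traffic directly
    and everything else to the gateway."""
    return pkt.dst if pkt.dst in NET else GATEWAY


def l2_allowed(a: IPv4Address, b: IPv4Address, protected: bool) -> bool:
    """Protected ports drop frames between two client ports in the same VLAN;
    the gateway sits on an unprotected port, so frames to/from it pass."""
    return (not protected) or GATEWAY in (a, b)


def pfsense_1to1(pkt: Packet) -> Packet:
    """Assumed behaviour: destination is translated, source is left as-is."""
    return Packet(pkt.src, NAT_1TO1.get(pkt.dst, pkt.dst))


def trace(client: str, alias: str, protected: bool = True) -> tuple[bool, bool]:
    """Return (forward_delivered, reply_delivered) for client -> alias."""
    fwd = Packet(IPv4Address(client), IPv4Address(alias))
    if not l2_allowed(fwd.src, next_hop(fwd), protected):  # client -> gateway
        return False, False
    fwd = pfsense_1to1(fwd)                                   # dst now 10.11.12.14
    if not l2_allowed(GATEWAY, fwd.dst, protected):          # gateway -> server
        return False, False
    reply = Packet(fwd.dst, fwd.src)       # server answers the untranslated client IP
    hop = next_hop(reply)                  # same subnet: sent directly, not via gateway
    return True, l2_allowed(reply.src, hop, protected)


if __name__ == "__main__":
    print("protected ports:", trace("10.11.12.13", "10.11.13.14"))
    print("unprotected   :", trace("10.11.12.13", "10.11.13.14", protected=False))
```

The model shows the asymmetry: the request reaches the server via the gateway, but the reply is addressed to an on-subnet client IP and never returns through pfSense, so the protected-port rule blocks it.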