4. Local 1 : 1 NAT

Local 1 : 1 NAT

  • F

    on my switches i put all client ports into "protected mode"
    the vlans are (currently) assigned via mac (hopefully i will use certificates/radius later)
    the protected port mode stops layer2 traffic between the protected ports - that way a client-PC can not connect to another PC in the same vlan/net  but can connect to the servers and gateways
    (this avoids/makes harder attacks like "arp poisoning"/"pass the hash"/.. )

    thats fine for almost all applications (as far as i can foresee)

    but there is one vlan that needs to communicate with clients in the same net (using a handful of fixed ports)

    i would like to keep all client side- ports in the "protected mode" so anyone can put a device into any (client side) port and automatically gets the correct vlan

    so i need to circumvent the protection for this specific vlan

    my idea was this:
    client (ip: 10.11.12.13/24) wants to connect to 10.11.12.14
    client connects to 10.11.13.14 (this ip is not in the client routing table) and will be routed to the pfsense gateway
    in pfsense i do a 1:1 NAT so the 10.11.13.14 ip is converted to 10.11.12.14 and goes back to the wanted client

    but sadly i failed to accomplish this
    it could be i am mistaken in whats possible/sane for such a scenario

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy