1. Home
  2. pfSense® Software
  3. NAT
  4. Local 1 : 1 NAT

Local 1 : 1 NAT

  • F

    on my switches i put all client ports into "protected mode"
    the vlans are (currently) assigned via mac (hopefully i will use certificates/radius later)
    the protected port mode stops layer2 traffic between the protected ports - that way a client-PC can not connect to another PC in the same vlan/net  but can connect to the servers and gateways
    (this avoids/makes harder attacks like "arp poisoning"/"pass the hash"/.. )

    thats fine for almost all applications (as far as i can foresee)

    but there is one vlan that needs to communicate with clients in the same net (using a handful of fixed ports)

    i would like to keep all client side- ports in the "protected mode" so anyone can put a device into any (client side) port and automatically gets the correct vlan

    so i need to circumvent the protection for this specific vlan

    my idea was this:
    client (ip: 10.11.12.13/24) wants to connect to 10.11.12.14
    client connects to 10.11.13.14 (this ip is not in the client routing table) and will be routed to the pfsense gateway
    in pfsense i do a 1:1 NAT so the 10.11.13.14 ip is converted to 10.11.12.14 and goes back to the wanted client

    but sadly i failed to accomplish this
    it could be i am mistaken in whats possible/sane for such a scenario

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

© 2020 Rubicon Communications, LLC | Privacy Policy