Netgate Discussion Forum
    Local 1 : 1 NAT

    Falko

      On my switches I put all client ports into "protected mode".
      The VLANs are (currently) assigned via MAC (hopefully I will use certificates/RADIUS later).
      The protected port mode stops layer 2 traffic between the protected ports; that way a client PC cannot connect to another PC in the same VLAN/net, but can connect to the servers and gateways
      (this avoids/makes harder attacks like "ARP poisoning"/"pass the hash"/...).

      That's fine for almost all applications (as far as I can foresee).

      But there is one VLAN that needs to communicate with clients in the same net (using a handful of fixed ports).

      I would like to keep all client-side ports in "protected mode" so anyone can put a device into any (client-side) port and automatically gets the correct VLAN.

      So I need to circumvent the protection for this specific VLAN.

      My idea was this:
      client (IP: 10.11.12.13/24) wants to connect to 10.11.12.14
      The client connects to 10.11.13.14 (this IP is not in the client routing table) and will be routed to the pfSense gateway.
      In pfSense I do a 1:1 NAT so the 10.11.13.14 IP is converted to 10.11.12.14 and goes back to the wanted client.

      But sadly I failed to accomplish this.
      It could be I am mistaken in what's possible/sane for such a scenario.

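What follows is an added illustration, not part of Falko's post and not pfSense code: a small Python model of the packet path in the scenario above. It assumes a topology the post does not state (pfSense LAN address 10.11.12.1, both 10.11.12.13 and 10.11.12.14 on protected ports, the alias 10.11.13.14 mapped by 1:1 NAT to 10.11.12.14) and models one assumed reason a plain 1:1 NAT can fail here: the translated host sees the client's real source address, answers it directly on the same subnet, and that reply never reaches pfSense, so the switch drops it between two protected ports. With the source rewritten to the gateway address as well (what pfSense calls an outbound NAT rule on the LAN interface) the reply returns via pfSense, which reverses both translations.

```python
"""Model of the 1:1-NAT-around-protected-ports idea (added example, assumptions below)."""
import ipaddress

# Constructed topology, not taken from the post:
LAN_NET = ipaddress.ip_network("10.11.12.0/24")
GATEWAY = "10.11.12.1"                            # assumed pfSense LAN address
PROTECTED_HOSTS = {"10.11.12.13", "10.11.12.14"}  # hosts behind protected switch ports
ONE_TO_ONE = {"10.11.13.14": "10.11.12.14"}       # 1:1 NAT: alias address -> real address


def next_hop(dst):
    """Host routing decision: an on-link destination is delivered directly (the host
    ARPs for it); anything else goes to the default gateway. One subnet, one default route."""
    return dst if ipaddress.ip_address(dst) in LAN_NET else GATEWAY


def l2_allowed(sender, hop):
    """Protected-port rule: the switch drops frames between two protected ports.
    The gateway sits on an unprotected port, so every host may talk to it."""
    return not (sender in PROTECTED_HOSTS and hop in PROTECTED_HOSTS)


def deliver(sender, dst, trace):
    """Send one packet from `sender` toward `dst`; return the hop that received it, or None."""
    hop = next_hop(dst)
    ok = l2_allowed(sender, hop)
    trace.append(f"{sender} -> {dst} via {hop}: {'ok' if ok else 'DROPPED by protected port'}")
    return hop if ok else None


def direct_reachable(client, peer):
    """The situation the post starts from: two protected hosts cannot reach each other."""
    return deliver(client, peer, []) is not None


def simulate(client, alias, outbound_nat):
    """Trace client -> alias through the 1:1 NAT on pfSense, then the reply back.

    outbound_nat=True additionally rewrites the source address to the gateway's LAN
    address (assumed to correspond to an outbound NAT rule on pfSense's LAN interface).
    Returns a dict with 'reply_delivered' and the hop-by-hop 'trace'."""
    trace = []

    # Forward direction: the alias is off-net, so the client routes it to pfSense.
    if deliver(client, alias, trace) != GATEWAY:
        return {"reply_delivered": False, "trace": trace}

    real = ONE_TO_ONE.get(alias, alias)
    src_seen_by_real = GATEWAY if outbound_nat else client
    trace.append(f"pfSense: 1:1 NAT dst {alias} -> {real}, src {client} -> {src_seen_by_real}")
    if deliver(GATEWAY, real, trace) is None:
        return {"reply_delivered": False, "trace": trace}

    # Reply: the real host answers whatever source it saw. If that is the client itself,
    # the destination is on-link, the reply bypasses pfSense, and the switch drops it.
    reply_hop = deliver(real, src_seen_by_real, trace)
    if reply_hop is None:
        return {"reply_delivered": False, "trace": trace}
    if reply_hop != GATEWAY:
        # Delivered directly, but the client opened a connection to `alias`, not `real`,
        # so its TCP/IP stack has no matching state and discards the packet.
        trace.append(f"{client}: reply from {real} does not match connection to {alias}")
        return {"reply_delivered": False, "trace": trace}

    # pfSense holds state for the translated connection and reverses both rewrites.
    trace.append(f"pfSense: reverse NAT src {real} -> {alias}, dst {GATEWAY} -> {client}")
    if deliver(GATEWAY, client, trace) is None:
        return {"reply_delivered": False, "trace": trace}
    return {"reply_delivered": True, "reply_src": alias, "trace": trace}


if __name__ == "__main__":
    for flag in (False, True):
        result = simulate("10.11.12.13", "10.11.13.14", outbound_nat=flag)
        print(f"outbound_nat={flag}: reply_delivered={result['reply_delivered']}")
        for line in result["trace"]:
            print("  ", line)
```

The model only captures routing and the protected-port rule; it says nothing about pfSense firewall rules, which would still have to pass the translated traffic on the LAN interface. Its point is the asymmetric return path: a 1:1 NAT alone rewrites the destination, and a reply addressed to an on-link source does not come back through the gateway.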
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.