Maintain Production IP's within Staging Environment



  • Hi,

    I have been tasked with creating a staging environment for VM's by my employer. I've cloned all three machines. I would like them to maintain the same IP address scheme and be able to communicate with one another.

    IP Scheme

    Server A: 192.168.193.x
    Server B: 192.168.193.x

    How can I prevent the IP's above from conflicting with the production IP's which are on the same subnet? Is there a way to mask the IP's  of the cloned VM's using pFsense from the internal network? Also, I would like to access the staging servers that are behind the pFsense router from a production client. Is this possible?

    Appreciate any feedback provided.

    Thank you!



  • It depends mostly on what you mean by "I would like to access the staging servers that are behind the pFsense router from a production client."

    If you want to be able to sit at your computer on the production network and use production IPs to talk to staging servers, then I think your only real choice is to set up a VPN into the staging network. (Well, you could also just change what network you're plugged into or use a different VLAN, but I imagine you don't want to do something so manual.) An added bonus of this is that it is impossible for you to accidentally access the production network while using the staging VPN. The downside is if you forget to start your VPN, you might not notice you're actually connected to the production network. (Either way, I'd plan to make it obvious what network you're on.

    If you normally access the servers through the firewall (IE: using forwarded ports), then there shouldn't be any change at all assuming the production pfSense uses a different WAN IP than the staging one.

    I think if you want concrete recommendations though, we need to know more about how your network is set up. (I'd also wonder why you're insisting on using the same IP addressing scheme, seems like asking for trouble to me.)


  • Netgate

    Yeah. Just put them behind something else that NATs for them if they need internet access. Otherwise just put them on a blank VLAN or a host-only vswitch.

    You are going to have to really be careful if you want to access one 192.168.193 network from the "real" 192.168.193 network.

    And you won't be able to just tell a host on the "real" 192.168.193 network to access something on the test 192.168.193 network using that address. I know of no way that can be done while also maintaining separation between the two.