    Netgate Discussion Forum
    (S/D)NAT routed IPs possible?

Category: NAT
hexa:

I have a C/24 class routed to a pfSense box on a /29 WAN subnet.
I've added that C class to OPTX, so I suppose it's routed there (if pf allows it ;-).
Now I wonder whether it is possible to use one of the IPs from this routed C/24 class for DNAT or SNAT.

I tried using CARP IPs and SNAT rules, so packets got out with the correct SNATed IP, but tcpdump didn't show them on the LAN interface. Looks like they didn't get de-SNATed. :-) Maybe they got routed to OPTX?

Thanks for taking the time to read this.

GruensFroeschli:

To understand you right:
You have a /29 WAN.
Do you actually have all 5 available IPs?
And you are trying to NAT one of these IPs to a machine in your /24 subnet?

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

hexa:

I have a /29 WAN and another Internet/WAN /24 class routed to one of the WAN /29 IPs.

WAN /29 (on WAN port)
1.x.x.1 (upstream gateway)
1.x.x.2 (IP to which the C/24 class is routed. Also CARP IP of the two pfSense boxes)
1.x.x.3 pfSense #1
1.x.x.4 pfSense #2
1.x.x.5 (reserved for something else)
1.x.x.6 (reserved for something else)
1.x.x.7 (broadcast)

SNATed LAN /16
x.x.x.1 (gw for my LAN, CARP IP)
x.x.x.3 pfSense #1
x.x.x.4 pfSense #2
x.x.X.X other LAN users going out through x.x.x.1

OPTX or routed C/24 class
2.x.x.1 (gw for machines on this network interface in this class. Also CARP IP)
2.x.x.3 pfSense #1
2.x.x.4 pfSense #2
…...... servers with external IPs behind the pfSense firewall
2.x.x.255 broadcast

So I have 253 IPs available from that /24 C class (they are routed to the pfSense CARP IP on WAN /29) and 5 IPs from that /29 class. We call the /29 the connecting segment.

Now I want to be able to use one of the /24 C class IPs, otherwise routed to OPTX, for S/DNAT rules to my LAN. For example, when LAN users go out they should get, let's say, the 2.x.x.10 IP from that routed /24 C class. By default they get SNATed to one IP from that /29 WAN subnet. I'm sure it would work with IPs from that /29 WAN connecting segment, but I want to use IPs from that /24 C class. Is this possible?
Later on I'll create OPTXY (SERV LAN), to which I will/would like to DNAT some of the IPs from this otherwise routed /24 C class.

I hope I explained myself well enough. :-) I appreciate your response so much, and thanks for the quick reply.

GruensFroeschli:

I'm not sure I understand you right.

You want outbound NAT but with an IP from another subnet?
I'm not sure this is possible.

    internet
        |
    WAN /29 subnet
        pfSense ---- OPT1 /24 subnet
    LAN private /16 subnet

It would require traffic from the LAN to leave via the /24 interface, re-enter on the same interface and then get routed over the /29 interface.

But I'm sure you could do that with two pfSenses.
Like this:

    internet
        |
    WAN /29 subnet
        pfSense
    LAN /24 subnet
        |
        |
        |
    WAN member of /24 subnet
        pfSense
    LAN private /16 subnet

But that's probably not what you want.

What you could "try":
1:1 NAT one of the IPs from the LAN to one of the IPs from the /24 subnet.
Then try to access something outside that you can control and look at what the source IP is.
It "should" be one out of the /24 subnet (traffic going out OPT1, re-entering and then leaving via WAN).

hexa:

Thank you for your response.

So the answer is NO, it is not possible to use one of the Internet C class IPs routed to pfSense's WAN IP for S/DNAT if the whole C class gets routed forward. I'll just use another pfSense cluster for load balancing with DNAT and put it on OPTX, where the /24 gets routed out this one. I will have a little hard time explaining to my boss why we now need 4 firewalls instead of two, which did all of this for 7 years now, but I think it's time for us to move away from command-line firewalls/routers. :-)

1:1 NAT would be acceptable for DNAT rules without load balancing maybe, but not for SNAT. I want the whole LAN network (not just one LAN IP) that goes out WAN to use an IP from the routed /24 Internet class.

Thank you for your time once more.

GruensFroeschli:

But why do you want your private LAN to get NATed to the /24 subnet?
Why not just use one of the /29 IPs and NAT it over this one?

hexa:

I might be able to do that for users in the LAN, to make it all come out with an IP from the connecting /29 segment instead of one of the C/24 class IPs they used to.

But for some servers (whether in LAN or OPTXY/SERV) I still need DNAT, because the /29 segment just doesn't have enough IPs and because they use certain IPs from that /24 C class (which is routed to pfSense on the /29 connecting segment). Also, when they go out they each need to be SNATed to their own IP from that /24 C class (which is routed to pfSense on the /29).

hexa:

Addition: I just tried with LAN first, because if it works there it will work for the SERV LAN too. I wanted to keep the description of the problem as short as possible so as not to discourage others from reading it, so I left out the SERVer LAN interface.

GruensFroeschli:

Couldn't you split your /24 into two /25s?

The clients in the private /16 subnet get NATed over one of the /29 IPs.
pfSense has another one of the /29 IPs.
The servers can go into one of the /25 subnets and you still have the other /25 subnet free for whatever you want.
Like this your servers are in a DMZ and have a public IP, and you still have 4 IPs free in the /29.

hexa:

This is a great suggestion, but I have already thought of it.

Why it's not for me:
If I started from scratch this would probably be the solution, even though I don't like to be constrained in this way. But unfortunately the servers are already on this C class and they are all over the C class. Some of the IPs are DNATed and some not (my old solution allowed that). So it would require changing the IP addresses on the servers which are in the /25 segment that I would totally dedicate to NAT. In that case I'd rather buy another two machines than change all those IPs.

Just in case I do it (on another new C class):
I'm just wondering. If I were to set it up like this and split this routed C/24 into two /25 classes (one for routing forward and one for CARP NAT), how would I do it? Please advise me.

To clarify, the first part of that C class will be called "a/25", used for S/DNAT, and the second part that I will route through will be called "b/25".

This is how I would set it up.
WAN         -> /29 connecting segment
WAN         -> CARP IP for each host from a/25 (for D/SNAT to SERV/OPT1)
LAN         -> we know how
SERV/OPT1   -> 10.10.0.0/16 (DNATed and SNATed to a/25)
ROUTED/OPT2 -> b/25

To have b/25 routed through I just add it to OPT2 in the interface configuration (and allow it in the packet filter). But to have pfSense able to use a/25 IPs as CARP for NAT, what would I have to do? If I remember correctly, it won't allow me to add CARP IPs for a network segment that's not yet on the WAN interface? Or will I be able to just add those IPs from a/25 as CARP to the WAN interface? If it's that easy I just might get a new C class, have this new pfSense system running with it and slowly, over the years, migrate machines from the old classes and firewalls to pfSense.

hexa:

                          Forgot to say thank you. :-) Thanks for suggestion.

hexa:

I was correct. This setup is not possible for now. :-) I get the error:

"Sorry, we could not locate an interface with a matching subnet for a/25. Please add an ip in this subnet on a real interface."

How can I add another real subnet to the WAN interface?

GruensFroeschli:

You can add them with Proxy ARP, or, if you just want to 1:1 NAT to a server behind, with an "other" VIP.

More info on the various VIPs:
http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632

hexa:

Won't using Proxy ARP IPs leave me with a non-redundant install? Like, CARP IPs will migrate to the active firewall while Proxy ARP won't. Can I have the same Proxy ARP on the two firewalls at the same time, maybe?

Maybe I should just try it and stop with all the questions. :-)

hexa:

O.K. I solved this. Didn't have to split my C/24 after all! I route it through, but for certain IPs I redirect the traffic with S/DNAT rules to SERV and LAN. This can be achieved with a combination of different netmasks for the VIPs.
So the answer to my top post is YES. :-)

                                  Thank you all for your help. :-)

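What the final post describes, written out as rules. This is an added example in raw pf.conf syntax, not pfSense's generated ruleset and not hexa's configuration: pfSense builds its rules from the GUI, but the translation rules it emits have this shape. Interface names (em0/em1/em2) and addresses are assumptions, using the documentation ranges 203.0.113.0/29 for the connecting segment, 198.51.100.0/24 for the routed class and 10.10.0.0/16 for the private LAN. The /24 as a whole is routed to OPT1; three addresses in it are carved out, one as the outbound NAT source for the whole LAN, one as a 1:1 (binat) mapping for a server, one as a port forward. One reading of "different netmasks for the VIPs" is that those carved-out addresses are defined as CARP VIPs on the OPT1 interface with the /24 mask (OPT1 already holds an address in that subnet, so the "matching subnet" check that rejected a/25 passes), while the /29 VIPs stay on WAN.

```pf
# Added example, not pfSense's generated ruleset.  Interface names and
# addresses are assumptions: documentation ranges stand in for the real ones.
wan_if  = "em0"   # 203.0.113.3/29, CARP VIP 203.0.113.2 (the /24 is routed here)
lan_if  = "em1"   # private LAN
opt1_if = "em2"   # the routed public /24, CARP VIP 198.51.100.1/24 as gateway

lan_net    = "10.10.0.0/16"
routed_net = "198.51.100.0/24"

# Addresses carved out of the routed /24 for NAT.  They must not be in use on
# any host behind $opt1_if, otherwise the firewall and that host both answer.
nat_src  = "198.51.100.10"   # every LAN client leaves with this address
srv_1to1 = "198.51.100.30"   # 1:1 mapping for one server in SERV/LAN
srv_web  = "198.51.100.20"   # port forward for a single service

# --- translation (must precede the filter rules in this syntax) ---
# SNAT: LAN -> Internet uses an address from the routed /24, not from the /29.
nat on $wan_if from $lan_net to any -> $nat_src

# 1:1 NAT: inbound to 198.51.100.30 reaches 10.10.1.30, and 10.10.1.30's own
# outbound traffic shows 198.51.100.30 (binat is matched before nat).
binat on $wan_if from 10.10.1.30 to any -> $srv_1to1

# DNAT: only TCP/80 on 198.51.100.20 is redirected; everything else for that
# address still falls through to normal routing toward $opt1_if.
rdr on $wan_if proto tcp from any to $srv_web port 80 -> 10.10.1.20 port 80

# --- filter (rdr/binat have already rewritten the destination here) ---
block in log all
pass in quick on $wan_if proto tcp from any to 10.10.1.20 port 80 flags S/SA keep state
pass in quick on $wan_if from any to 10.10.1.30 keep state
pass in quick on $wan_if from any to $routed_net keep state   # plainly routed /24 traffic
pass in quick on $lan_if from $lan_net to any keep state
pass in quick on $opt1_if from $routed_net to any keep state
pass out quick all keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. In pf itself the address after `->` does not have to be owned by the firewall: replies for 198.51.100.10 arrive on em0 and are matched against the state table before any routing decision, so they are reverse-translated rather than forwarded to OPT1. The VIP is what makes the address selectable in the pfSense GUI and what lets the CARP pair answer for it; the operational requirement is that the carved-out addresses never also appear on a real host in the OPT1 segment.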