(S/D)NAT routed IPs possible?



  • I have C/24 class routed to pfsense box on /29 WAN subnet.
    I've added that C class to OPTX so I suppose it's routed there. (If pf allows it ;-)
    Now i wonder wether it is possible to use one of IPs from this routed C/24 class for DNAT or SNAT?

    I tried using CARP IPs and SNAT rules so packets got out with the correct SNATed IP but tcpdump didn't show them on LAN interface. Looks like they didn't get de-SNATed. :-) Maybe they got routed to OPTX?

    Thanks for taking the time to read this.



  • To understand you right:
    You have a /29 WAN.
    Do you actually have all availlable 5 IP's?
    And you are trying to NAT one of these IP's to a machine in your /24 subnet?



  • I have /29 WAN and another Internet/WAN/24 class routed to one of the WAN/29 IPs.

    WAN/29 (on WAN port)
    1.x.x.1 (upstream gateway)
    1.x.x.2 (IP to which C/24 class is routed. Also CARP IP of two pfsense boxes)
    1.x.x.3 pfsense #1
    1.x.x.4 pfsense #2
    1.x.x.5 (reserver for somth else)
    1.x.x.6 (reserved for somth else)
    1.x.x.7 (broadcast)

    SNATED lan /16
    x.x.x.1 (gw for my LAN, CARP IP)
    x.x.x.3 pfsense #1
    x.x.x.4 pfsense #2
    x.x.X.X other lan users going out thru x.x.x.1

    OPTX or routed C/24 class
    2.x.x.1 (gw for machines in this network interface on this class. Also CARP IP)
    2.x.x.3 pfsense #1
    2.x.x.4 pfsense #2
    …...... servers with external IPs behind pfsense firewall
    2.x.x.255 broadcast

    So i have available 253 IPs from that /24 C class (they are routed to pfsense CARP IP on WAN/29) and 5 IPs from that /29 class. We call /29 the connecting segment.

    Now i want to be able to use one from /24 C class IPs otherwise routed to OPTX for S/DNAT rules to my LAN. For example when LAN users go out they should get let's say 2.x.x.10 IP from that /24 routed C class. By default they get SNATed to one IP from that /29 WAN subnet. I'm sure it would work with IPs from that /29 WAN connecting segment but I want to use IPs from that /24 C class. Is this possible?
    Later on i'll create OPTXY (SERV LAN) to which i will/would like DNAT some of the IPs from this otherwise routed /24 C class.

    I hope i explained myself good enough. :-) I appreciate your response so much and thanks for the quick reply.



  • I'm not sure i understand you right.

    You want outbound NAT but with an IP from another subnet?
    I'm not sure this is possible.

    internet
                    ¦
        WAN  /29-subnet
              pfSense  OPT1  /24-subnet
        LAN private /16 subnet

    It would require traffic from the LAN to leave via the /24-interface, reenter on the same interface and then get routed over the /29 interface.

    But i'm sure you could do that with 2 pfSense's.
    like this:

    internet
                    ¦
        WAN  /29-subnet
              pfSense
        LAN /24-subnet
                    ¦
                    ¦
                    ¦
        WAN member of /24 subnet
                    pfSense
        LAN private /16 subnet

    But that's probably not what you want.

    What you could "try".
    1:1 NAT one of the IP's from the LAN to one of the IP's from the /24 subnet.
    Then try to access something outside you can control and look what the source IP is.
    It "should" be one out of the /24 subnet (traffic going out the OPT1, reentering and then leave via WAN).



  • Thank you for your response.

    So the answer is NO, it is not possible to use one of the internet C class IP's routed to PFSENSE's WAN IP to be used for S/DNAT if the whole C class get's routed forward. I'll just use another pfsense cluster for load balancing with DNAT and put it on OPTX where /24 get routed out this one. Will have a little hard time explaining to my boss why we now need 4 firewalls instead of two, who did all of this for 7 year now, but i think it's time for us to move away from command line firewalls/routers. :-)

    1:1 nat would be acceptable for no load balancing DNAT rules maybe, but not for SNAT. I want all LAN network (not just one LAN IP) that goes out WAN with IP from the /24 internet routed class.

    Thank you for your time once more.



  • But why do you want your private LAN to get NATed to the /24 subnet?
    Why not just use one of the /29 IP's and NAT it over this one?



  • I might be able to to that for LAN users in LAN to make it all come out IP from connecting /29 segment instead from one of the C/24 class IPs they used to.

    But for some servers (weather in LAN or OPTXY/SERV) i still need DNAT, 'cause /29 segment just doesn't have enough IPs and 'cause they use certain IPs from that /24 C class (which is routed to pfsense on /29 connecting segment). Also when they go out they need to have be SNATED each to their own IP from that /24 C class (which is routed to pfsense /29).



  • Addition: I just tried with LAN first, 'cause if it works there it will work for the SERV LAN too. I wanted to keep description of a problem as short as possible to not discourage others to read it, so i left out the SERVer LAN interface.



  • Couldnt you split your /24 into two /25?

    The clients in the private /16 subnet get NATed over one of the /29 IP's.
    pfSense has another one of the /29 IP's
    The servers can go into one of the /25 subnet and you still have the other /25 subnet free for whatever you want it.
    Like this your server are in a DMZ and have a public IP and you still have 4 IP's free in the /29



  • This is a great suggestion but i have already thought of it.

    Why it's not for me.
    If i started from scratch this would probably be the solution even thou i don't like to be constrained in this way. But unfortunately the servers are already on this C class and they are all over the C class. Some of the IPs are DNATED and some not (my old solution allowed that). So it would require to change the IP addresses on the servers which are in /25 segment that i would totally dedicate to NAT. In that case I rather buy another two machines than change all those IPs.

    Just in case if I do it. (On another new C class)
    I'm just wondering. If i were to set it up like this and split this routed C/24 in to two /25 classes (one for routing forward and one for CARP nat) how would do it? Please advise me.

    To clarify first part of that C class will be called "a/25" used for S/DNAT and second part that i will route thru will be called "b/25."

    This is how i would set it up.
    WAN            -> /29 connecting segment
    WAN            -> CARP IP for each host from a/25 (for D/SNAT to SERV/OPT1)
    LAN              -> we know how
    SERV/OPT1    -> 10.10.0.0/16 (DNATED and SNATED to a/25)
    ROUTED/OPT2-> b/25

    To have b/25 routed thru i just add it to OPT2 in the interface configuration (and allow in in packet filter). But to have pfsense able to use a/25 IPs as CARP for NAT, what would i have to to? If i remember correctly it won't allow me to add CARP IPs for a network segment that's not yet on the WAN interface? Or will I be able to just add those IPs from a/25 as CARP to WAN interface? If it's so easy i just might get a new C class, have this new pfsense system running with it an slowly ower the years migrate machines from old classes and firewalles to pfsense.



  • Forgot to say thank you. :-) Thanks for suggestion.



  • I was correct. This setup is not possible for now. :-) I get the error.

    "Sorry, we could not locate an interface with a matching subnet for a/25. Please add an ip in this subnet on a real interface."

    How can i add another real subnet to WAN interface?



  • You can add them with PARP or if you just want to 1:1 NAT to a server behind with an "other" VIP.

    More infos to the various VIP's:
    http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632



  • Won't using Proxy ARP IPs leave me with non redundant install? Like, CARP IPs will migrate to active firewall while proxy ARP won't. Can i have the same Proxy ARP on the two firewalls at the same time maybe?

    Maybe i should just try it and stop with all the questions. :-)



  • O.K. I solved this. Didn't have to split my C/24 afterall! I route it thru but for certain IPs i redirect the traffic with S/DNAT rules to SERV and LAN. This can be achieved with combination of different netmasks for VIPs.
    So the answer to my top post is YES. :-)

    Thank you all for your help. :-)


Log in to reply