(S/D)NAT routed IPs possible?
-
I have C/24 class routed to pfsense box on /29 WAN subnet.
I've added that C class to OPTX so I suppose it's routed there. (If pf allows it ;-)
Now I wonder whether it is possible to use one of the IPs from this routed C/24 class for DNAT or SNAT? I tried using CARP IPs and SNAT rules so packets got out with the correct SNATed IP but tcpdump didn't show them on LAN interface. Looks like they didn't get de-SNATed. :-) Maybe they got routed to OPTX?
Thanks for taking the time to read this.
-
To understand you right:
You have a /29 WAN.
Do you actually have all 5 available IP's?
And you are trying to NAT one of these IP's to a machine in your /24 subnet?
-
I have /29 WAN and another Internet/WAN/24 class routed to one of the WAN/29 IPs.
WAN/29 (on WAN port)
1.x.x.1 (upstream gateway)
1.x.x.2 (IP to which C/24 class is routed. Also CARP IP of two pfsense boxes)
1.x.x.3 pfsense #1
1.x.x.4 pfsense #2
1.x.x.5 (reserved for something else)
1.x.x.6 (reserved for something else)
1.x.x.7 (broadcast)

SNATED lan /16
x.x.x.1 (gw for my LAN, CARP IP)
x.x.x.3 pfsense #1
x.x.x.4 pfsense #2
x.x.X.X other lan users going out thru x.x.x.1

OPTX or routed C/24 class
2.x.x.1 (gw for machines in this network interface on this class. Also CARP IP)
2.x.x.3 pfsense #1
2.x.x.4 pfsense #2
…...... servers with external IPs behind pfsense firewall
2.x.x.255 broadcast

So I have available 253 IPs from that /24 C class (they are routed to pfsense CARP IP on WAN/29) and 5 IPs from that /29 class. We call /29 the connecting segment.
Now I want to be able to use one of the /24 C class IPs otherwise routed to OPTX for S/DNAT rules to my LAN. For example when LAN users go out they should get let's say 2.x.x.10 IP from that /24 routed C class. By default they get SNATed to one IP from that /29 WAN subnet. I'm sure it would work with IPs from that /29 WAN connecting segment but I want to use IPs from that /24 C class. Is this possible?
Later on I'll create OPTXY (SERV LAN) to which I will/would like to DNAT some of the IPs from this otherwise routed /24 C class.

I hope I explained myself well enough. :-) I appreciate your response so much and thanks for the quick reply.
-
I'm not sure I understand you right.
You want outbound NAT but with an IP from another subnet?
I'm not sure this is possible.

internet
¦
WAN /29-subnet
pfSense OPT1 /24-subnet
LAN private /16 subnet

It would require traffic from the LAN to leave via the /24-interface, re-enter on the same interface and then get routed over the /29 interface.
But I'm sure you could do that with 2 pfSense's.
like this:

internet
¦
WAN /29-subnet
pfSense
LAN /24-subnet
¦
¦
¦
WAN member of /24 subnet
pfSense
LAN private /16 subnet

But that's probably not what you want.
What you could "try".
1:1 NAT one of the IP's from the LAN to one of the IP's from the /24 subnet.
Then try to access something outside you can control and look what the source IP is.
It "should" be one out of the /24 subnet (traffic going out the OPT1, re-entering and then leaving via WAN).
-
Thank you for your response.
So the answer is NO, it is not possible to use one of the internet C class IPs routed to PFSENSE's WAN IP to be used for S/DNAT if the whole C class gets routed forward. I'll just use another pfsense cluster for load balancing with DNAT and put it on OPTX where /24 gets routed out this one. Will have a little hard time explaining to my boss why we now need 4 firewalls instead of two, who did all of this for 7 years now, but I think it's time for us to move away from command line firewalls/routers. :-)
1:1 NAT would be acceptable for no load balancing DNAT rules maybe, but not for SNAT. I want all LAN network (not just one LAN IP) that goes out WAN with IP from the /24 internet routed class.
Thank you for your time once more.
-
But why do you want your private LAN to get NATed to the /24 subnet?
Why not just use one of the /29 IP's and NAT it over this one?
-
I might be able to do that for LAN users in LAN to make it all come out with an IP from the connecting /29 segment instead of one of the C/24 class IPs they used to.
But for some servers (whether in LAN or OPTXY/SERV) I still need DNAT, 'cause the /29 segment just doesn't have enough IPs and 'cause they use certain IPs from that /24 C class (which is routed to pfsense on the /29 connecting segment). Also when they go out they need to be SNATed each to their own IP from that /24 C class (which is routed to pfsense /29).
-
Addition: I just tried with LAN first, 'cause if it works there it will work for the SERV LAN too. I wanted to keep the description of the problem as short as possible so as not to discourage others from reading it, so I left out the SERVer LAN interface.
-
Couldn't you split your /24 into two /25?
The clients in the private /16 subnet get NATed over one of the /29 IP's.
pfSense has another one of the /29 IP's.
The servers can go into one of the /25 subnets and you still have the other /25 subnet free for whatever you want it for.
Like this your servers are in a DMZ and have a public IP and you still have 4 IP's free in the /29.
-
This is a great suggestion but I have already thought of it.
Why it's not for me:
If I started from scratch this would probably be the solution even though I don't like to be constrained in this way. But unfortunately the servers are already on this C class and they are all over the C class. Some of the IPs are DNATED and some not (my old solution allowed that). So it would require changing the IP addresses on the servers which are in the /25 segment that I would totally dedicate to NAT. In that case I'd rather buy another two machines than change all those IPs.

Just in case I do it. (On another new C class)
I'm just wondering. If I were to set it up like this and split this routed C/24 into two /25 classes (one for routing forward and one for CARP NAT) how would I do it? Please advise me.

To clarify, the first part of that C class will be called "a/25", used for S/DNAT, and the second part that I will route thru will be called "b/25".
This is how i would set it up.
WAN -> /29 connecting segment
WAN -> CARP IP for each host from a/25 (for D/SNAT to SERV/OPT1)
LAN -> we know how
SERV/OPT1 -> 10.10.0.0/16 (DNATED and SNATED to a/25)
ROUTED/OPT2 -> b/25

To have b/25 routed thru I just add it to OPT2 in the interface configuration (and allow it in the packet filter). But to have pfsense able to use a/25 IPs as CARP for NAT, what would I have to do? If I remember correctly it won't allow me to add CARP IPs for a network segment that's not yet on the WAN interface? Or will I be able to just add those IPs from a/25 as CARP to the WAN interface? If it's so easy I just might get a new C class, have this new pfsense system running with it and slowly over the years migrate machines from old classes and firewalls to pfsense.
-
Forgot to say thank you. :-) Thanks for suggestion.
-
I was correct. This setup is not possible for now. :-) I get the error:
"Sorry, we could not locate an interface with a matching subnet for a/25. Please add an ip in this subnet on a real interface."
How can I add another real subnet to the WAN interface?
-
You can add them with PARP or, if you just want to 1:1 NAT to a server behind, with an "other" VIP.
More info on the various VIPs:
http://forum.pfsense.org/index.php/topic,3987.msg24632.html#msg24632
-
Won't using Proxy ARP IPs leave me with a non-redundant install? Like, CARP IPs will migrate to the active firewall while Proxy ARP won't. Can I have the same Proxy ARP on the two firewalls at the same time maybe?
Maybe I should just try it and stop with all the questions. :-)
-
O.K. I solved this. Didn't have to split my C/24 after all! I route it thru but for certain IPs I redirect the traffic with S/DNAT rules to SERV and LAN. This can be achieved with a combination of different netmasks for VIPs.
So the answer to my top post is YES. :-)

Thank you all for your help. :-)
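
An added illustration, not taken from any poster's configuration: raw pf translation rules of the kind the thread discusses, using addresses from a block that the upstream routes to the firewall rather than from the WAN segment itself. All addresses are constructed documentation ranges, and the interface name, server address and port 443 are assumptions. Because the upstream router forwards the whole block to the firewall, these addresses need no ARP reply on the WAN segment.

```pf
# Constructed example values; none of these come from the thread.
ext_if   = "em0"               # WAN interface on the /29 connecting segment (assumed name)
lan_net  = "10.1.0.0/16"       # private LAN
lan_out  = "198.51.100.10"     # address from the routed /24, used for LAN outbound NAT
srv_priv = "10.10.0.20"        # one server on the private SERV network
srv_pub  = "198.51.100.20"     # address from the routed /24 published for that server

# --- translation ---
# SNAT: every LAN host leaves the WAN with a source address from the routed
# block. Replies to $lan_out reach the firewall via the upstream route and
# are matched against the state table, which restores the private address.
nat on $ext_if inet from $lan_net to any -> $lan_out

# Bidirectional 1:1 mapping for the server: inbound traffic to $srv_pub is
# rewritten to $srv_priv, and the server's own outbound traffic leaves as
# $srv_pub, so it keeps "its own" public address in both directions.
binat on $ext_if inet from $srv_priv to any -> $srv_pub

# --- filtering ---
# Default deny on WAN, with logging so unexpected hits on the routed block
# show up for review.
block in log on $ext_if all

# Inbound translation happens before filtering, so the pass rule names the
# private (post-translation) destination, not $srv_pub.
pass in on $ext_if inet proto tcp from any to $srv_priv port 443 flags S/SA keep state

# Outbound translation also precedes filtering, so these rules see the
# public source addresses.
pass out on $ext_if inet from { $lan_out, $srv_pub } to any keep state
```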