Addressing/NAT/Routing question



  • My setup looks like:

        WAN
         |
     ---------
     |       |
    LAN    P175

    The WAN is the Internet connection, the LAN has a 204.x.x.x/25 subnet, and P175 has private addresses in the 192.168.175.0/24 range.

    Can I put a server on P175 and assign it a 204. address via NAT?  I don't need it directly accessible from the Internet but I do need it accessible from the LAN segment.

    From the LAN I can ping the 192 address OK but not the 204 address I NATted.

    Thanks



  • http://forum.pfsense.org/index.php/topic,7001.0.html
    enable NAT reflection.

    However, if you access your other server via a name, it would be better to set up split DNS
    (see the above link for this too).



  • I have disabled NAT reflection, but the error I get is a "no route to host" from the LAN segment to a 204. address in P175.

    I'm guessing that it doesn't like having an IP address from the same subnet (LAN) on a different subnet (P175) - it expects it to be in the same subnet.

    When I sniff on the LAN interface all I see is arp requests that don't get answered.



  • Ah sorry.
    You have the 204 subnet on the LAN itself.
    I thought you had this subnet on the WAN.

    Hmmm.
    What you could try:
    Add a virtual IP to your LAN interface (Firewall -> Virtual IPs).
    Then create a port-forward from this VIP to the P175 subnet.

    I never actually tried this, but it "should" work.



    The WAN has a 208.x.x.x/29 address from the ISP and I have a 204.x.x.87 VIP on that interface, so I can't create one on the LAN interface also.

    What seems to be a/the solution is to add a static route on the LAN side (route add 204.x.x.87 gw 204.x.x.1) which sends packets to .87 to the LAN interface which then sends them over to the P175 subnet because that LAN interface knows about it.  Otherwise the traffic seems to get stuck on the LAN because nobody on that subnet has the .87 address.

    I'll try your suggestion also since that would eliminate the need for a static route on the source machines.

    Thanks,

    Peter
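
Added illustration (not part of the thread above and not pfSense code): a small longest-prefix-match routing model of the LAN host's decision, showing why a destination that falls inside the host's own connected /25 is ARPed for directly (and the ARP goes unanswered, since the pfSense box only holds that address as a WAN VIP), while a /32 host route like the one Peter added sends it to the pfSense LAN address instead. The addresses are constructed stand-ins: TEST-NET-3 203.0.113.0/25 plays the role of the poster's 204.x.x.x/25 LAN (.87 as the VIP, .1 as the pfSense LAN address); 192.168.175.0/24 is the P175 range from the post.

```python
import ipaddress


class RoutingTable:
    """Minimal host routing table: longest-prefix match, as a Linux host does it.

    Each route is (network, gateway or None, interface). A route with no gateway
    is a connected/on-link route: the host ARPs for the destination itself.
    """

    def __init__(self):
        self.routes = []

    def add(self, prefix, gateway, iface):
        net = ipaddress.ip_network(prefix, strict=False)
        gw = ipaddress.ip_address(gateway) if gateway else None
        self.routes.append((net, gw, iface))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        if best is None:
            raise LookupError("no route to host")
        net, gw, iface = best
        if gw is None:
            # On-link: the kernel ARPs for dst on iface. If nobody on the segment
            # owns dst, ARP never completes and the sender gets "host unreachable".
            return ("arp-for", str(dst), iface)
        return ("via", str(gw), iface)


def lan_host_table(with_host_route=False):
    """Routing table of a host on the (stand-in) 203.0.113.0/25 LAN segment."""
    t = RoutingTable()
    t.add("203.0.113.0/25", None, "eth0")           # connected LAN /25
    t.add("0.0.0.0/0", "203.0.113.1", "eth0")       # default via pfSense LAN address
    if with_host_route:
        # Equivalent of the poster's fix, on stand-in addresses:
        #   route add 203.0.113.87 gw 203.0.113.1
        t.add("203.0.113.87/32", "203.0.113.1", "eth0")
    return t


def host_route_command(vip, gateway, windows=False):
    """Render the per-host route for the NATted VIP (iproute2 or Windows syntax)."""
    vip = ipaddress.ip_address(vip)
    gateway = ipaddress.ip_address(gateway)
    if windows:
        return f"route ADD {vip} MASK 255.255.255.255 {gateway}"
    return f"ip route add {vip}/32 via {gateway}"


if __name__ == "__main__":
    # Without the host route: .87 is inside the connected /25, so the host ARPs
    # for it on the LAN and nothing answers (the symptom seen in the sniff).
    print(lan_host_table().lookup("203.0.113.87"))
    # The private P175 address is off-link, so it goes via pfSense and works.
    print(lan_host_table().lookup("192.168.175.10"))
    # With the /32 host route: .87 is now sent to pfSense, which NATs it to P175.
    print(lan_host_table(with_host_route=True).lookup("203.0.113.87"))
    print(host_route_command("203.0.113.87", "203.0.113.1"))
    print(host_route_command("203.0.113.87", "203.0.113.1", windows=True))
```

The model makes the failure mode visible: the 192 address is reachable because it is off-link and takes the default route through pfSense, whereas the NATted 204 address sits inside the LAN's own prefix and is resolved with ARP on the LAN segment, where no device owns it. A /32 host route is more specific than the connected /25, so it wins the lookup and hands the packet to pfSense; the LAN-side virtual IP suggested earlier would instead make pfSense answer the ARP itself, removing the need for a route on every source machine.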

