Netgate Discussion Forum

Help a newbie with routing

Category: NAT
6 Posts, 2 Posters, 710 Views
whizzy, last edited Nov 25, 2017, 12:07 AM

Hey, Newbie here with a virgin setup. Be gentle. Looked around and didn't see a config like this one.

I have one WAN with 4 static IPs, one gateway. Only using 3 of the 4 external IPs for now. And one LAN interface (192.168.1.1/24).
Let's say, for example, the three external IPs are 100.100.100.2, 100.100.100.3, and 100.100.100.4. Gateway is 100.100.100.1.
I have assigned each IP a virtual IP. Here is how I want traffic directed:
100.100.100.2 to 192.168.1.100, 192.168.1.101, and 192.168.1.102
100.100.100.3 to 192.168.1.40
100.100.100.4 to 192.168.1.50

192.168.1.100, 192.168.1.101, and 192.168.1.102 are all on the same server and NIC, which runs 3 different apps all needing their own IPs.

And I want the remainder of the LAN subnet for workstations. One WAN and one LAN interface on the pf box. The LAN is on one switch going to all the servers and workstations. The WAN goes to the ISP modem.

The real issue for me is whether I use NAT and how to set that up, directing one external IP to multiple IPs on the same subnet as the rest of the LAN.

If there is a more efficient way of distributing the 192.168.1.1/24 subnet, please share. Thanks in advance.

Derelict (LAYER 8, Netgate), last edited Nov 25, 2017, 12:24 AM

You direct inbound connections to internal hosts with port forwards. Firewall > NAT, Port forwards

You direct outbound connections to be source-translated with outbound NAT. Firewall > NAT, Outbound

You can use 1:1 NAT to establish a 1:1 mapping of outside-to-inside addresses for connections in both directions. Firewall > NAT, 1:1

You cannot just make connections to one address go to three different hosts inbound. Not without narrowing it down to specific, unique ports.

You can make all connections from 192.168.1.100, 192.168.1.101, and 192.168.1.102 to the outside "Masquerade" as 100.100.100.2 using specific outbound NAT rules.

Probably going to need more details to help more than that.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

whizzy, last edited Nov 25, 2017, 11:36 PM

Thanks for the info.
Using the three internal IPs all connected to 100.100.100.2, they do have unique ports for each IP.
192.168.1.100 uses ports 6060, 6443 - Port Alias 'APP1'
192.168.1.101 uses ports 80, 111, 443, 993 - Port Alias 'APP2'
192.168.1.102 uses ports 25, 465, 2525 - Port Alias 'APP3'
For my other servers on the 192.168.1.1/24 subnet I know I can just use NAT 1:1 for mapping an external IP to an internal IP.

My confusion is how to set up 192.168.1.100-102 on one external IP. So for those, I assume I do not need NAT 1:1, just three port forwards with port aliases and Manual Outbound NAT for each internal IP to the same virtual IP.
Now there is already an auto-created Outbound NAT rule with 192.168.1.0/24 as the source and the WAN address as the redirector. Will this clash with the other Outbound NAT rules I need to create?
Thanks

Derelict (LAYER 8, Netgate), last edited Nov 26, 2017, 12:39 AM

Just port forward them in…

Firewall > NAT, Port Forward

Protocol: TCP
Source Address: any
Source Ports: any
Dest Address: 100.100.100.2
Dest Ports: Other: APP1
NAT Address: 192.168.1.100
NAT Ports: Other: APP1

Protocol: TCP
Source Address: any
Source Ports: any
Dest Address: 100.100.100.2
Dest Ports: Other: APP2
NAT Address: 192.168.1.101
NAT Ports: Other: APP2

Protocol: TCP
Source Address: any
Source Ports: any
Dest Address: 100.100.100.2
Dest Ports: Other: APP3
NAT Address: 192.168.1.102
NAT Ports: Other: APP3

To do multiple ports (that are not a contiguous range) you have to use an alias for the ports and it has to be the same alias on the Dest Ports and NAT Ports.

The port forward entry can automatically add the necessary rules on the outside interface to pass the traffic. The end result needs to be:

Pass any traffic to address 192.168.1.100 ports APP1
Pass any traffic to address 192.168.1.101 ports APP2
Pass any traffic to address 192.168.1.102 ports APP3


whizzy, last edited Nov 27, 2017, 10:14 PM

Thanks! Do I also need to add outbound NAT? I already have one with 192.168.1.0/24 as source and the WAN address as the NAT Address.

Also, I have one other server to add with only one local and one external IP. Is it better to use NAT 1:1 or just use another Port Forward?

You were a huge help. Thanks again.

Derelict (LAYER 8, Netgate), last edited Nov 28, 2017, 12:53 AM

You only need outbound NAT if you care what IP addresses are used by those servers for connections they INITIATE outbound.


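The following is an added example written for this page; it is not code from the thread, from pfSense, or from either poster. It models the three port forwards Derelict spelled out (one external IP, three internal hosts, disjoint port aliases) together with the manual outbound NAT he describes, and it checks the two things a practitioner would want verified before clicking Apply: that no two forwards on the same external IP and protocol claim the same port (the "specific, unique ports" condition, since the first matching forward wins), and that the per-host outbound NAT rules are listed above the auto-created 192.168.1.0/24 -> WAN address rule, which is what whizzy's "will this clash?" question comes down to, because pfSense evaluates outbound NAT rules top-down with first match winning. It also renders an equivalent pf.conf-style fragment for reading; pfSense's generated ruleset differs in detail (reply-to, tags, interface macros). Assumptions not stated in the thread: the WAN interface is em0, and the alias contents are exactly as whizzy listed them. 100.100.100.0/24 is the poster's own example block.

```python
"""Model and sanity-check the pfSense NAT setup discussed in this thread.

Constructed example: rule data comes from the thread, the checks and the
pf.conf rendering are this example's own and are not pfSense code.
"""
from dataclasses import dataclass
from ipaddress import ip_network

WAN_IF = "em0"  # assumption: the thread never names the WAN interface

# Port aliases as the poster defined them (Firewall > Aliases).
ALIASES = {
    "APP1": frozenset({6060, 6443}),
    "APP2": frozenset({80, 111, 443, 993}),
    "APP3": frozenset({25, 465, 2525}),
}


@dataclass(frozen=True)
class PortForward:
    proto: str      # "tcp" or "udp"
    dst: str        # external virtual IP the connection arrives on
    alias: str      # port alias used for BOTH Dest Ports and NAT Ports
    nat_addr: str   # internal host the connection is redirected to


@dataclass(frozen=True)
class OutboundNat:
    source: str     # host or network, e.g. "192.168.1.100" or "192.168.1.0/24"
    nat_addr: str   # translated source; "(em0)" means the WAN interface address


# The three forwards from the thread: one external IP, disjoint port sets.
PORT_FORWARDS = [
    PortForward("tcp", "100.100.100.2", "APP1", "192.168.1.100"),
    PortForward("tcp", "100.100.100.2", "APP2", "192.168.1.101"),
    PortForward("tcp", "100.100.100.2", "APP3", "192.168.1.102"),
]

# Manual outbound NAT, top-down, first match wins: the per-host rules must
# sit ABOVE the auto-created 192.168.1.0/24 -> WAN address catch-all.
OUTBOUND_NAT = [
    OutboundNat("192.168.1.100", "100.100.100.2"),
    OutboundNat("192.168.1.101", "100.100.100.2"),
    OutboundNat("192.168.1.102", "100.100.100.2"),
    OutboundNat("192.168.1.0/24", f"({WAN_IF})"),
]


def find_port_conflicts(forwards):
    """Return (forward_a, forward_b, shared_ports) for each pair of forwards
    that share protocol and external IP and overlap in ports. Only the
    first matching forward ever fires, so the second host never sees
    those ports."""
    conflicts = []
    for i, a in enumerate(forwards):
        for b in forwards[i + 1:]:
            if a.proto != b.proto or a.dst != b.dst:
                continue
            shared = ALIASES[a.alias] & ALIASES[b.alias]
            if shared:
                conflicts.append((a, b, sorted(shared)))
    return conflicts


def find_shadowed_outbound(rules):
    """Return (shadowed_index, shadowing_index) pairs: a later rule whose
    source lies inside an earlier rule's source network can never match.
    Bare hosts are treated as /32 networks."""
    nets = [ip_network(r.source, strict=False) for r in rules]
    shadowed = []
    for j in range(len(nets)):
        for i in range(j):
            if nets[j].subnet_of(nets[i]):
                shadowed.append((j, i))
                break
    return shadowed


def port_list(alias):
    """Render an alias as a pf port list, e.g. '{ 6060, 6443 }'."""
    return "{ " + ", ".join(str(p) for p in sorted(ALIASES[alias])) + " }"


def render_pf(forwards, outbound, wan_if=WAN_IF):
    """Render pf.conf-style lines: translation (nat, rdr) first, then the
    pass rules, which are written against the POST-translation address.
    That is why the thread says the end result must be
    'pass ... to 192.168.1.100 ports APP1'."""
    lines = [f"nat on {wan_if} from {r.source} to any -> {r.nat_addr}"
             for r in outbound]
    for f in forwards:
        lines.append(f"rdr on {wan_if} proto {f.proto} from any to {f.dst} "
                     f"port {port_list(f.alias)} -> {f.nat_addr}")
    for f in forwards:
        lines.append(f"pass in quick on {wan_if} proto {f.proto} from any "
                     f"to {f.nat_addr} port {port_list(f.alias)}")
    return lines


if __name__ == "__main__":
    assert not find_port_conflicts(PORT_FORWARDS), "port aliases overlap"
    assert not find_shadowed_outbound(OUTBOUND_NAT), "outbound NAT order wrong"
    print("\n".join(render_pf(PORT_FORWARDS, OUTBOUND_NAT)))
```

Run it as-is and it prints the ten rules for the thread's setup. Add a fourth forward to 100.100.100.2 that reuses APP2 for another host and `find_port_conflicts` reports the clash; swap the catch-all outbound rule to the top of the list and `find_shadowed_outbound` reports the three per-host rules as dead. The same alias on a different external IP (100.100.100.3, as whizzy plans for the 1:1-mapped servers) is not a conflict, because the external address is part of the match.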
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.