Netgate Discussion Forum
    SOLVED - NAT 1:1 between VLANs over a Virtual IP

    NAT
    8 Posts 4 Posters 2.8k Views
    NekoSama

      Hello guys,
      I'm pretty new to working with pfSense, and I have a very noob problem that I can't solve, so I'm here asking for help from the smarter guys.
      My problem is:
      I have 2 VLANs, let's call them VLAN 1 and 2, and my pfSense has an interface in each VLAN. (graphic attached)
      VLAN 2 has a server, and VLAN 1 has many PCs.
      Every PC from VLAN 1 has to have full access to that server.

      For that reason I created a virtual IP in VLAN 1, and that VIP should redirect all the traffic to the server in VLAN 2, so every PC in VLAN 1 interacts with the server as if its real IP were the VIP.
      I attached a pic to clarify a little more.

      And here is where I'm stuck: I have read many posts but I'm not sure whether to do a NAT 1:1 or a port forward, what rules to make, etc.

      I hope I could explain myself and my English wasn't that bad.
      Thx for your help.

      EDIT: Pic added
      pfsense.jpg

      johnpoz LAYER 8 Global Moderator

        Why would you do this? Just allow the firewall rules to access what you want in the other VLAN - there is no reason to NAT between LAN networks.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        NekoSama

          I think I can't do that.
          VLAN 1 and VLAN 2 are in different subnets, and my pfSense is not the default GW of the PCs in VLAN 1.

          My PCs from VLAN 1 don't know how to reach the server, nor does my default GW.

          So I thought I could use a Virtual IP within reach of the VLAN 1 clients, and redirect the traffic to the server in VLAN 2.

          Is it possible, or am I complicating things?

          PS. I added the graphic to the first post.

          johnpoz LAYER 8 Global Moderator

            "pfSense is not the default GW of the PCs in VLAN 1."

            Is pfSense the default GW for the server? If so, you would do a port forward picking the VIP you created as the destination. If your server's gateway is not pfSense, then you would also have to do an outbound NAT.

            Or you could just create host routes on your PCs that say: to get to the VLAN of the server, talk to the pfSense IP address in VLAN 1. Couple of different ways to skin that cat.

            NekoSama

              Yep, I get your point and I have thought about that, but I have some limitations in what I can do in this LAN.

              The solution I told you about, is it possible? I mean: use a Virtual IP that redirects the traffic to the server in VLAN 2. Is that possible?

              The idea is this: the PCs in VLAN 1 have a program that needs to reach the server in VLAN 2, so if the VIP redirects the traffic to the server, I just have to put the Virtual IP in the program. From the program's perspective the server is in the same VLAN and subnet as the clients.

              I want to tell the people "put this IP in the program and it will reach the server", just using pfSense and without touching clients (PCs) or server.
              Is it possible, or am I nuts?
              Maybe I'm too much of a newbie and what I'm saying is more magic than routing...

              Thx for your patience in helping me with this.

              Derelict LAYER 8 Netgate

                Put a 1:1 NAT on the X.X.96.2 interface.

                External IP: X.X.96.20
                Internal IP: Single Host: X.X.28.3

                Firewall rules on the X.X.96.2 interface need to pass desired traffic to the X.X.28.3 destination address.

                X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)

                PCs use X.X.96.20 as the address of the server.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

                NekoSama

                  Thx Derelict, it worked like a charm.
                  I'm currently dealing with some problems with ports and protocols, but I think I can handle those.
                  Thx again for the help and patience.

                  coro200

                    Hi Derelict!
                    I am in the exact same situation as NekoSama and tried to solve it the same way, before stumbling upon this thread.
                    I already did what you said, except for:

                    "X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)"

                    I don't know how to accomplish that. I thought it might be a static route, but I don't know how to define it.
                    I know this thread is old, but it is the exact description of the situation that I am facing.
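
The following model, added here and not written by any poster in this thread nor taken from pfSense itself, walks one request and its reply through the layout Derelict describes (1:1 NAT of X.X.96.20 to X.X.28.3 on the X.X.96.2 interface) and through the situation coro200 asks about, where the server has no route for the X.X.96.0/24 subnet back to pfSense. The 10.0.* addresses, the client PC address, pfSense's VLAN 2 address and the server's non-pfSense default gateway are constructed assumptions; the 1:1 mapping is modelled after pf's bidirectional `binat` behaviour, with the interface firewall rule evaluated against the translated destination, as Derelict's answer states.

```python
"""Model of the 1:1 NAT layout from this thread (constructed example, not pfSense code).

Addresses are placeholders in the thread's X.X.* form: 10.0.* is assumed, as are
the client PC, pfSense's VLAN 2 address and the server's default gateway.
"""
from dataclasses import dataclass, replace
import ipaddress

VLAN1_NET = ipaddress.ip_network("10.0.96.0/24")   # PCs live here
PFSENSE_VLAN2 = "10.0.28.2"    # pfSense address in VLAN 2 (assumed)
VIP = "10.0.96.20"             # virtual IP the PCs are told to use
SERVER = "10.0.28.3"           # real server address in VLAN 2
PC = "10.0.96.50"              # one client PC (assumed)
OTHER_GW = "10.0.28.1"         # server's default gateway, not pfSense (assumed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    port: int   # one port field stands in for sport/dport to keep the model small


class PfSense:
    """1:1 NAT on the VLAN 1 interface (pf 'binat'): VIP <-> server, both directions."""

    def __init__(self, vip, internal, allowed_ports):
        self.vip = vip
        self.internal = internal
        self.allowed_ports = allowed_ports

    def forward_from_vlan1(self, pkt):
        """Return the packet delivered into VLAN 2, or None if dropped."""
        if pkt.dst != self.vip:
            return None                                  # only the VIP is mapped
        translated = replace(pkt, dst=self.internal)
        # The rule on the VLAN 1 interface is matched against the translated
        # destination (X.X.28.3), which is why Derelict says to pass to that address.
        if translated.port not in self.allowed_ports:
            return None
        return translated

    def forward_from_vlan2(self, pkt):
        """Reverse translation for replies: the server's source becomes the VIP."""
        if pkt.src == self.internal:
            return replace(pkt, src=self.vip)
        return pkt


class Server:
    """Host in VLAN 2 with a default gateway and optional static routes."""

    def __init__(self, ip, default_gw, static_routes=()):
        self.ip = ip
        self.default_gw = default_gw
        self.static_routes = list(static_routes)   # [(network, gateway)]

    def next_hop(self, dst):
        dst_ip = ipaddress.ip_address(dst)
        for net, gw in self.static_routes:
            if dst_ip in net:
                return gw
        return self.default_gw


def simulate(server_has_route, port=443):
    """Run one request/reply through the layout and report what the PC sees."""
    fw = PfSense(VIP, SERVER, allowed_ports={443})
    routes = [(VLAN1_NET, PFSENSE_VLAN2)] if server_has_route else []
    server = Server(SERVER, OTHER_GW, routes)

    request = Packet(src=PC, dst=VIP, port=port)
    delivered = fw.forward_from_vlan1(request)
    if delivered is None:
        return {"outcome": "blocked", "reply_src": None}

    reply = Packet(src=server.ip, dst=delivered.src, port=delivered.port)
    if server.next_hop(reply.dst) != PFSENSE_VLAN2:
        # The reply leaves via the other gateway, never crosses pfSense, and so is
        # never un-NATed: the PC has no session with 10.0.28.3 and the exchange fails.
        return {"outcome": "asymmetric", "reply_src": reply.src}
    seen = fw.forward_from_vlan2(reply)
    return {"outcome": "ok", "reply_src": seen.src}


if __name__ == "__main__":
    print(simulate(server_has_route=True))    # reply arrives from the VIP
    print(simulate(server_has_route=False))   # reply bypasses pfSense
    print(simulate(server_has_route=True, port=22))   # dropped by the interface rule
```

With the route present the reply returns through pfSense and the PC sees it come from 10.0.96.20, the address it sent to; without it the server hands the reply to its default gateway and the state pfSense created for the connection is never matched on the way back. The route the model adds is the one Derelict's line describes: on the server, a static route for the VLAN 1 subnet (X.X.96.0/24) with pfSense's VLAN 2 address as the gateway.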

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.