Netgate Discussion Forum

SOLVED - NAT 1:1 between VLANs over a Virtual IP

NAT
    NekoSama
    last edited by Jan 24, 2018, 7:49 PM Jan 24, 2018, 2:25 PM

    Hello Guys,
    I'm pretty new to working with pfSense, and I have a very noob problem that I can't solve, so I'm here asking the smarter guys for help.
    My problem is:
    I have 2 VLANs, let's call them VLAN 1 and 2, and my pfSense has an interface in each VLAN. (graphic attached)
    VLAN 2 has a server, and VLAN 1 has many PCs.
    Every PC from vlan 1 has to have full access to that server.

    For that reason I created a virtual IP in VLAN 1, and that VIP should redirect all the traffic to the server in VLAN 2, so every PC in VLAN 1 interacts with the server as if its real IP were the VIP.
    I attached a pic to clarify a little more.

    And here is where I'm stuck: I have read many posts, but I'm not sure whether to do a NAT 1:1 or a forwarding, what rules to make, etc.

    I hope I explained myself and my English wasn't that bad.
    Thx for your help.

    EDIT: Pic added
    pfsense.jpg

      johnpoz LAYER 8 Global Moderator
      last edited by Jan 24, 2018, 2:38 PM

      Why would you do this? Just allow the firewall rules to access what you want in the other VLAN - there is no reason to NAT between LAN networks.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        NekoSama
        last edited by Jan 24, 2018, 2:57 PM

        I think I can't do that.
        VLAN 1 and VLAN 2 are in different subnets, and my pfSense is not the default GW in the PCs of VLAN 1.

        My PC from VLAN 1 doesn't know how to reach the server, nor does my default GW.

        So I thought I could use a Virtual IP within the reach of the VLAN 1 clients, and redirect the traffic to the server in VLAN 2.

        Is it possible, or am I complicating things?

        P.S. I added the graphic to the first post.

          johnpoz LAYER 8 Global Moderator
          last edited by Jan 24, 2018, 3:17 PM

          "pfsense is not the default GW in the PCs of VLAN 1."

          Is pfSense the default gw for the server? If so, you would do a port forward picking the VIP you created as dest. If your server's gateway is not pfSense, then you would also have to do an outbound NAT.

          Or you could just create host routes on your PCs that say to get to vlan of the server talk to pfsense IP address in vlan 1.  Couple of different ways to skin that cat.

            NekoSama
            last edited by Jan 24, 2018, 4:22 PM

            Yep, I get your point and I have thought about that, but I have some limitations on what I can do in this LAN.

            The solution I told you about, is it possible? I mean: use a Virtual IP that redirects the traffic to the server in VLAN 2. Is that possible?

            The idea is this: the PCs in VLAN 1 have a soft that needs to reach the server in VLAN 2, so if the VIP redirects the traffic to the server, I just have to put the Virtual IP in the soft. From the soft's perspective the server is in the same VLAN and subnet as the clients.

            I want to tell the people "put this IP in the soft and it will reach the server", just using pfSense and without touching clients (PCs) or server.
            Is it possible, or am I nuts?
            Maybe I'm too much of a newbie and what I'm saying is more magic than routing…

            Thx for your patience in helping me with this.

              Derelict LAYER 8 Netgate
              last edited by Jan 24, 2018, 4:35 PM

              Put a 1:1 NAT on the X.X.96.2 interface.

              External IP: X.X.96.20
              Internal IP: Single Host: X.X.28.3

              Firewall rules on the X.X.96.2 interface need to pass desired traffic to the X.X.28.3 destination address.

              X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)

              PCs use X.X.96.20 as the address of the server.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)
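
Added example, not part of Derelict's post: a small Python model of the reply path through the 1:1 NAT described above, showing why the server needs a route for the client subnet back to pfSense. The 10.0.x.x addresses are constructed stand-ins for the thread's masked X.X values; the client address, pfSense's VLAN 2 address and the server's existing default gateway are assumptions.

```python
import ipaddress

# Constructed stand-ins for the thread's masked X.X.* addresses.
VIP = ipaddress.ip_address("10.0.96.20")           # X.X.96.20, 1:1 NAT external IP
SERVER = ipaddress.ip_address("10.0.28.3")         # X.X.28.3, 1:1 NAT internal IP
PC = ipaddress.ip_address("10.0.96.50")            # a VLAN 1 client (assumed)
PFSENSE_VLAN2 = ipaddress.ip_address("10.0.28.2")  # pfSense in VLAN 2 (assumed)
OTHER_GW = ipaddress.ip_address("10.0.28.1")       # server's default gateway (assumed)

# Server routing tables: before and after adding the route back to pfSense.
DEFAULT_ONLY = [(ipaddress.ip_network("0.0.0.0/0"), OTHER_GW)]
WITH_ROUTE = DEFAULT_ONLY + [(ipaddress.ip_network("10.0.96.0/24"), PFSENSE_VLAN2)]

def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs."""
    matches = [(net, gw) for net, gw in routes if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def nat_inbound(src, dst):
    """1:1 NAT on the VLAN 1 interface rewrites only the destination."""
    return src, (SERVER if dst == VIP else dst)

def nat_reply(src, dst):
    """Reverse translation; it only happens if the reply crosses pfSense."""
    return (VIP if src == SERVER else src), dst

def reply_seen_by_pc(server_routes):
    """Return (gateway the server replies through, source address the PC sees)."""
    src, dst = nat_inbound(PC, VIP)        # server receives PC -> SERVER
    r_src, r_dst = dst, src                # server answers SERVER -> PC
    hop = next_hop(server_routes, r_dst)
    if hop == PFSENSE_VLAN2:               # reply goes back through the NAT
        r_src, r_dst = nat_reply(r_src, r_dst)
    return hop, r_src

if __name__ == "__main__":
    for name, table in (("default route only", DEFAULT_ONLY),
                        ("with route to pfSense", WITH_ROUTE)):
        hop, seen = reply_seen_by_pc(table)
        print(f"{name}: reply via {hop}, PC sees source {seen}")
```

With only the default route, the reply leaves through the other gateway and, if it reaches the PC at all, carries the server's real address instead of the VIP, so it does not match the connection the PC opened. With the added route, the reply crosses pfSense and comes back from the VIP.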

                NekoSama
                last edited by Jan 24, 2018, 7:45 PM

                Thx Derelict, it worked like a charm.
                I'm currently dealing with some problems with ports and protocols, but I think I can handle those.
                Thx again for the help and patience.

                  coro200
                  last edited by Aug 25, 2023, 8:19 PM

                  Hi Derelict!
                  I am in the exact same situation as NekoSama and tried to solve it the same way, before stumbling upon this thread.
                  I already did what you said, except for:

                  "X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)"

                  I don't know how to accomplish that. I thought it might be a static route, but I don't know how to define it.
                  I know this thread is old, but it is the exact description of the situation that I am facing.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.