Static /29 subnet WAN --> Multi-LAN NAT Config howto?



  • I'm seeing lots of examples on the forums of how to do 1:1 NAT relationships between multiple WAN IPs and specific LAN-side hosts, but I'm having a bit of trouble finding configuration guidance / examples of how to NAT entire LAN subnets to multiple individual static WAN IPs through a pfSense or m0n0wall system. I can do this through a Cisco 2611, or just as easily (and more simply) hang individual routers off each public IP, but I'd like the added functionality of implementing a captive portal on one of the networks, VPN on another, traffic shaping on the whole lot, and some inter-network routing.

    I would like to setup the following:

    WAN                                LAN
    ----------------------------------------
    a.b.c.21/29 --> NAT <-- 192.168.21.0/24 (VLAN 21)
    a.b.c.22/29 --> NAT <-- 192.168.22.0/24 (VLAN 22)
    a.b.c.23/29 --> NAT <-- 192.168.23.0/24 (VLAN 23)
    a.b.c.24/29 --> NAT <-- 192.168.24.0/24 (VLAN 24)
    a.b.c.25/29 --> NAT <-- 192.168.25.0/24 (VLAN 25)
    (and so on...)

    I'd be doing this on a Soekris box, ideally using a single WAN interface (since all the WAN-side IPs are on the same GW), and a single LAN-side interface to an L2 switch using VLANs to separate out the separate networks, perhaps using an OPT1 interface to a DMZ'ed network. I'm guessing there's a need to set up VIPs on the WAN side to account for all of the public IPs, but I can't seem to figure out the NAT translations to the internal networks. I looked at the Multi-WAN howto doc as well, and it didn't seem clear enough for the purpose I'm trying to implement.

    Anyhow, not sure if this request should have been posted in the Multi-WAN/Routing or in the NAT forum, but if anyone's interested in helping me out with a somewhat guided tour of how to set this up, I'd be happy to write up a final howto doc to post on the wiki...



  • First create Virtual IPs for all the additional IPs you have on the WAN.
    You should probably use CARP VIPs here.

    Enable advanced outbound NAT:
    Firewall --> NAT --> Outbound

    Now you can create a rule for each subnet and select the VIP as the NAT address.

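The three GUI steps above, written out as the pf ruleset pfSense loads from them, so the result can be checked against `pfctl -sn` on the box. This is an added example, not code from the forum post or from pfSense's own generated configuration; the WAN interface name `vr0`, the public block `203.0.113.16/29` (a documentation range standing in for `a.b.c.0/29`), the gateway and VIP addresses inside it, and the CARP VHIDs are all assumptions made for illustration. One thing worth noting before copying the original table: a /29 holds six host addresses, so after the firewall's own WAN address (and the ISP gateway, if it lives in the same block) only four or five remain for VIPs; the example uses four, one per VLAN.

```pf
# Added example (not from the post): outbound NAT of whole VLAN subnets to
# dedicated public addresses, as pfSense expresses it in pf syntax.
#
# Assumed addressing in 203.0.113.16/29 (placeholder for a.b.c.0/29):
#   203.0.113.17      ISP gateway
#   203.0.113.18      pfSense WAN address on vr0
#   203.0.113.19-.22  CARP VIPs, one per VLAN (Firewall -> Virtual IPs,
#                     type CARP, VHIDs 21-24 assumed)
#
# The VIPs themselves are not pf rules; pfSense configures them on the
# WAN interface with carp(4) pseudo-interfaces, roughly:
#   ifconfig carp0 create vhid 21 pass <secret> 203.0.113.19/29
# Repeat for each VIP. They only need to exist before the nat rules load.

wan = "vr0"

# "Advanced outbound NAT" replaces the automatic single-address rule with
# one explicit rule per source subnet. Each rule is bound to $wan, so
# traffic routed between VLANs by the firewall is not translated; only
# packets leaving via the WAN get rewritten to the chosen VIP.
nat on $wan from 192.168.21.0/24 to any -> 203.0.113.19   # VLAN 21
nat on $wan from 192.168.22.0/24 to any -> 203.0.113.20   # VLAN 22
nat on $wan from 192.168.23.0/24 to any -> 203.0.113.21   # VLAN 23
nat on $wan from 192.168.24.0/24 to any -> 203.0.113.22   # VLAN 24

# Return traffic for these translations is matched by state; nothing here
# opens inbound access. New connections arriving at a VIP from the Internet
# still need their own port forwards (or a 1:1 mapping) plus WAN firewall
# rules, exactly as for the firewall's primary WAN address.
```

After saving the outbound rules, `pfctl -sn` should list the four `nat on vr0 ...` lines with the VIP as the translation address, and `pfctl -ss` shows live states with the source rewritten to the expected public IP. If a subnet still leaves with the primary WAN address, the usual cause is that advanced outbound NAT was not enabled and the automatic rule is still in force.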
