Outbound nat/port forwarding between two routers
-
I need to create something unusual to deal with some existing networks. I have two class B networks, 1.1.0.0 and 2.2.0.0. Each network is connected to the WAN side of a pfsense router. The pfsense routers have an internal network separate from their class B network on the WAN and a third opt link between the two routers.
I have some existing port forwarding where 1.1.0.0 –> router 1 WAN IP --> router 2 opt1 IP --> router 2 internal IP --> internal 2 server which works fine.
I need to set up something similar but forwarded to the WAN on router 2.
1.1.0.0 --> router 1 WAN IP --> router 2 opt1 IP --> router 2 WAN --> 2.2.2.2The last bit is where I am stuck. On router 2 how do I port forward from the opt1 IP out to an IP on its WAN side?
-
Please draw your network.
That you state you have to /16 networks tells me your doing it wrong for starters ;) Do you mean you have summary routes to how to get to these networks via 2 different transit networks.
And since your obfuscating them clearly they are public space?
-
I have a really crude drawing for you. You will have to imagine a lot more Cisco chassis and another 10k plus nodes. I am obfuscating because this is at a branch of an extremely large corporation and I have signed way too many NDA's. There are actually more than two /16 networks but I only care about two of them for this. I know the setup is horrible but opening up the firewall to simply pass traffic for this one service isn't going to happen, network policies are set by a department in another state and they answer to a department in another country.
So using the diagram, a user on the A network 1.1.0.0 is routed to a IP that is not a end gateway but appears as a normal user IP. That IP is to a pfsense router WAN port which has a internal network of servers and second link to another pfsense router. I can pass traffic from the A network to the pfsense router A through the opt1 link to the internal servers on the pfsense B router. I just need to tweak it to go out the WAN port on the B pfsense router for one service.
I am not entirely sure this can be done. The B 2.2.0.0 network only sees the pfsense router as a regular IP. I suppose I am trying to somewhat emulate a proxy through NAT.
-
Please look at my sig for a drawing containing the kind of information that makes it possible - if not easy - to help you.
-
"another 10k plus nodes."
So they have 10k some nodes all on the same layer 2 /16?? Wow just Wow!!!
From what I can make out.. Your not doing any real routing here your just port forwarding.. And all the networks on the right side are just downstream from pfsense on the left.
It should work even if a bit odd ball - but to me you are bypassing all kinds of "security" that I would assume could cause a huge stink!!!
