Routing Virtual IPs to WAN IPs - a noob question

jacc

Hi all,

I'm sorry if this question is too nooby, but I've search exhaustively and couldn't find a direct answer.

I have pfsense installed in a VM with LAN IP 192.168.188.20
My LAN IP is 192.168.188.30
I have a client with a WAN IP 9.9.9.9, which I can ssh through port 10, i.e., from my LAN, 'ssh -p 10 9.9.9.9' works.

Since I'm going to have more clients with multiple IPs, say 8.8.8.8, 7.7.7.7, etc..., I want to set up a set of LAN virtual IPs with pfsense from where I can map this IPs to the clients IPs. For instance say I have the virtual IP 172.16.1.1 for the client with WAN IP 9.9.9.9.
I want to be able to, from my LAN, 'ssh 172.16.1.1' and I should be able to access 9.9.9.9.

I've tried port forwarding from 192.168.188.30 with destination 172.16.1.1, and NAT it to 9.9.9.9. However, this last address is not a valid private LAN address (not in the ranges 172, 10 or 192), so pfsense cannot establish this.

If anybody has an idea of how to do this I'd really appreciate it!
Thank you.

johnpoz

huh?

You have a 192.168.188/24 network on pfsense lan.. And you want to run a vip on this interface that is a different L3 network ie 172.16.x.x

Huh??

So you can port port forward it to something on pfsense wan side? Which is public this 9.9.9.9 address??

I am at a loss to what your trying to accomplish here - why would you not just ssh to 9.9.9.9 from your client?

jacc

@johnpoz I warned this was a very nooby question :D.

To be clearer, I want to be able to pass all my ssh traffic through pfsense.
Yes, I could simply ssh 9.9.9.9, but I would like to have a pool of virtual IPs so that I can organize my clients IPs in a consistent manner. If 9.9.9.9 is the 'client1' I'd associated with 172.16.1.1, and set a entry in the DNS Resolver for 'client1 - 172.16.1.1'. Then I can simply do 'ssh client1'.

Is this a stupid thing to do?!

johnpoz

well for starters client1 is not fqdn, you could call it client1.something and just create a host override on pfsense that points client.something to 9.9.9.9

then sure if you box uses .something as search suffix you could just ssh client1

This can also just be setup in you ssh conf to have all the info you need to ssh to whatever, call it what you like its IP, what ssh key to use to public auth to it, etc. etc.. Username you have to use to get to that client.

Same goes if your using say a gui client like securecrt..

There a lot of ways to skin this specific cat.. vip and nat/portforwards would not be one of them ;)

jacc

@johnpoz Thanks for the clarification.

I guess I'm trying to complicate things... Host override may be the best option here as you pointed out.

The only thing I'd like to solve is the ssh access via a port different than 22. I know I can set that in my ssh config file, but I'd like to set somewhere else than in my machine.

johnpoz

dns has nothing to do with ports..

If the server your trying to connect to is using a different port then the correct way would be in your ssh conf for this host..

Even if you were going to do some odd ball vip thing with nat your vip would be on the same network as the interface ie your 192.168.188 or your client would send that to its gateway IP since it would be off network.

The correct solution to your problem is to just use your ssh conf for easy access to servers.. You can put all the info you need right in this file.. Nothing would have to be done on pfsense, and you can take that file with you no matter where you go, etc.

example here is config I put in for a box uc.local.lan

host client
hostname uc.local.lan
IdentitiesOnly yes
user user
IdentityFile /home/username/.ssh/id_ed25519

that is exactly what you are trying to do - and takes all of 30 seconds to setup and cvan put in all the info you would need to make connection simple and easy.

Here this will help
https://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/