2 public subnets / reach services behind

kreiSSage

Hello guys.
I am planning to get rid of an old linux based firewall (iptables)
WAN part is a public /29 and LAN is also a public /24 with services like webservers / mail servers...
Basically the firewall allows for each internal IP specific ports to be reachable from outside.
I know the classic forwarding NAT WAN IP -> LAN IP but in this case it's something different since I have to be able to reach LAN part with the LAN IP insead of the relative WAN IP.
For example pfsense interfaces:
WAN: 100.100.100.1/29 GW 100.100.100.6/29
LAN: 200.200.200.1/24
I should be able to reach from outside 200.200.200.7:22(ssh) / :80(website)...
Is it possible?

Derelict

Yes. Assuming 200.200.200.0/24 is actually routed to 100.100.100.1 by the ISP.

Just number the LAN with 200.200.200.1/24.

Go to Firewall > NAT, Outbound, switch to Hybrid mode, and make a NO NAT rule on WAN for traffic sourced from 200.200.200.0/24

Make a firewall rule on WAN passing traffic from any to 200.200.200.X TCP port 22/80.

kreiSSage

Thank you Derelict for your answer.
I confirm your suggestion worked like a charm!