Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    how to config NAT/interface for external ips

    General pfSense Questions
    pfsense
    4
    5
    189
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      marksantos last edited by

      0_1551940743352_ss.png

      Here's my network plan.

      INterface.

      WAN 192.168.254.X

      Lan 192.168.20.1

      OPT1 for elastix server dot 11, local ip server 192.168.11.122

      OPT2 for elastix server dot 2, local ip server 192.168.2.122

      what i would like:

      i plan to opt1 is same network address of server elastix, for not reconfig the 3cx or phones

      Opt1 same plan to opt 2

      rules for each interface

      opt1

      no internet access, block connection to option 2

      Option 2

      with internet access, block connection to option 1

      would help me with my plan. or give me a step by step, how to do it.

      1 Reply Last reply Reply Quote 0
      • M
        marksantos last edited by

        pls help me :(

        1 Reply Last reply Reply Quote 0
        • stephenw10
          stephenw10 Netgate Administrator last edited by

          It looks like you have the client machines in subnets routed via LAN but those also look like the subnets the server are in. Unless those subnets are not /24. That would be a conflict if they are /24, you can't have the same subnet locally and routed.

          What exactly are you trying to achieve here? What do you have currently?

          Steve

          1 Reply Last reply Reply Quote 0
          • johnpoz
            johnpoz LAYER 8 Global Moderator last edited by

            yeah if your routing those 192.168.1, .2, .11 etc. to some downstream router via the transit 192.168.20 then those servers should connect into the L2 network off the downstream router.

            Are you trying to use some bigger than /24 masking on all of these networks? like maybe a /20 for example?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 23.01 | Lab VMs CE 2.6, 2.7

            1 Reply Last reply Reply Quote 0
            • M
              marvosa last edited by marvosa

              The question for me is... is your diagram just a quick mockup to give us an idea of what you want to do or is everything already physically connected that way?

              A high-level, straight forward approach for accomplishing your goals would be:

              1. Create VLANs on the PFsense LAN interface
              2. Consolidate down to 1 managed switch and connect it to PFsense via a trunked interface
              3. Connect everything to the managed switch
              4. Configure firewall rules to control access as necessary

              There's no way to accomplish everything you're looking for as currently shown in your diagram. If you keep the transit network, you can establish connectivity by moving your servers to one of the other switches, but that would mean your VLANs would be terminated on the middle L3 switch and you'd lose inter-vlan firewalling capability. This would be the favorable design from a performance standpoint, but you lose granularity in your access control.

              If you want to keep the 3 switches and require inter-vlan firewalling, you can still accomplish your goals, but it would require a re-design and managed switches. You'd need to:

              1. Create VLANs on the PFsense LAN interface
              2. Re-configure the link between PFsense and the middle switch as a trunk
              3. Trunk the two outside switches to the middle switch
              4. Move your servers to any of the three switches

              If everything is in close proximity, personally I would consolidate down to one managed switch to keep it simple.

              Regardless of your design choice, in order to fulfill all of your requirements, all roads lead to managed switches and a re-design.

              1 Reply Last reply Reply Quote 0
              • First post
                Last post