NATing when the destination address is in my subnet/IP space

sparkman123

Hello,

I'm trying to do NAT port forwarding using a destination address in my subnet IP space which will then forward the traffic onto another network entirely but thus far have not been able to get it to work.

To give some background, I have NATing working when the destination address is some random address, i.e.

pfsense nat test ss.jpg

(in this case, the 10.255.255.180 address is the "random" target addr)

The address space for VLAN20 is defined as 172.16.1.0/24, with the dhcp reservations starting at 172.16.1.20. So if I were to make the dest address be something like 172.16.1.10, the NAT rule fails.

I tried all the different NAT reflection settings (System default, NAT + Proxy, Pure NAT) but none of those worked either.

Thanks in advance.

kiokoman

the nat is ok, if , from vlan20, something try to hit 10.255.255.180 port 5555 it will be redirected to 192.168.177.1 port 6666

now you need to check the associated firewall rule
also you need to be sure something is listening at port 6666
maybe this 192.168.177.1 have it's own firewall

sparkman123

Thank you.

@kiokoman said in NATing when the destination address is in my subnet/IP space:

the nat is ok, if , from vlan20, something try to hit 10.255.255.180 port 5555 it will be redirected to 192.168.177.1 port 6666

So that works just fine

now you need to check the associated firewall rule
also you need to be sure something is listening at port 6666
maybe this 192.168.177.1 have it's own firewall

I can confirm that both the firewall rule works and the server 192.168.177.1 are listening.

The NAT rule only fails if i change 10.255.255.180 to 192.168.1.10 which lies in the address space of VLAN20.

Is there some other configuration change I need to make?

viragomann

@sparkman123 said in NATing when the destination address is in my subnet/IP space:

So if I were to make the dest address be something like 172.16.1.10, the NAT rule fails.

You have to add that IP to VLAN20 interface as type "IP alias" if you want to use it in the NAT rule.
If it is not assigned to pfSense nothing will happen.

kiokoman

The NAT rule only fails if i change 10.255.255.180 to 192.168.1.10 which lies in the address space of VLAN20.

this will never work
the traffic does not pass from pfsense if it lies on the same address space
if 192.168.1.2 try to talk with 192.168.1.10 there is no rules or nat that will work they will talk directly to each other. you need to move that 192.168.1.10 to a dedicated vlan interface

sparkman123

@viragomann said in NATing when the destination address is in my subnet/IP space:

@sparkman123 said in NATing when the destination address is in my subnet/IP space:

So if I were to make the dest address be something like 172.16.1.10, the NAT rule fails.

You have to add that IP to VLAN20 interface as type "IP alias" if you want to use it in the NAT rule.
If it is not assigned to pfSense nothing will happen.

Thanks. Using a virtual IP made this work.