/29 and /30 NAT Disable
-
Hi All.
A bit stuck with the possibilities within netgate and need to give my customer an idea if this is possible.
The current configuration requirement is to provide our client with a /29 routed through a /30 without any 1:1 NAT. They have servers that need the public IP to not be going through a 1:1 NAT to a local IP, but rather than have them connect to the ISP NTU before the Netgate, they want to go through the Netgate as they want us to apply limiters to each connection.
For example:
WAN connection comes in on a /30, which would be for the Netgate WAN.
ISP gives us a /29 that is routed through the /30.
.1/29 would be the gateway.
.2/29 would be the Netgate guest network, with an 800 Mbps limiter. Routing and firewall within the Netgate for the guest network.
.3/29 would be the admin network, with a 100 Mbps limiter. External router & firewall after the Netgate.
.4/29 would be the SIP phone, with a 100 Mbps limiter. External router & firewall after the Netgate.
Is this something that is conceptually possible on the Netgate using alias IPs and limiters? Or is this not something the device is capable of?
Hopefully that is clear enough. Thanks in advance.
-
You can do that, sure.. Once you put the /29 behind pfSense you can set any limiters you want for any specific IP. No NATing being done by pfSense.
-
@johnpoz thanks for the prompt reply. When you say behind pfSense, where could I find some information on this? Would they be alias IPs or virtual IPs or something? Really needing a step by step or something like the Lawrence Systems videos, as I cannot work it out. Appreciate any tips you can offer.
-
Instead of making the network on the LAN side of pfSense 192.168.x or whatever, just make it your routed /29, where .1/29 would be the pfSense IP.
Make sure you are not NATing this network. I believe pfSense auto NAT is smart enough to not do that.. I would have to verify that.. But yeah, that is all that is needed.
edit: OK, from a quick test putting 1.2.3.1/29 on my test interface, the auto NAT still shows NATing it to the WAN. So you would have to turn off auto NAT and NAT only the other RFC1918 networks you might have behind pfSense.
Or just do hybrid NAT and disable outbound NAT here:
https://docs.netgate.com/pfsense/en/latest/recipes/route-public-ip-addresses.html
-
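The outbound NAT behaviour discussed in the reply above (automatic mode translating the routed /29 as well, hybrid mode with a "Do not NAT" rule exempting it) can be checked on paper before touching the box. The following Python model is an added example, not code from the thread, from pfSense or from the Netgate recipe it links; it models pf's first-match evaluation of translation rules and pfSense's ordering of manual rules above automatic ones in hybrid mode. The addresses (203.0.113.0/30 WAN, 198.51.100.0/29 routed block, 192.168.1.0/24 private LAN), the interface name `wan`, and the limiter table are constructed values that mirror the layout in the first post.

```python
"""Model of pfSense outbound NAT selection for a routed /29 behind a /30 WAN.

Added example (not from the forum thread, pfSense or the Netgate docs).
Addresses are constructed documentation ranges; the interface name is an assumption.
"""
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class OutboundNatRule:
    interface: str                  # outbound interface the rule is attached to
    source: ipaddress.IPv4Network   # source network the rule matches
    nonat: bool = False             # True = "Do not NAT" rule, False = translate to interface address
    description: str = ""


def auto_outbound_rules(wan_if, inside_networks):
    # Automatic mode: one translation rule per inside network, public or not.
    # This is why a public /29 on an inside interface still shows as NATed to WAN.
    return [OutboundNatRule(wan_if, net, False, f"auto {net}") for net in inside_networks]


def hybrid_outbound_rules(wan_if, inside_networks, manual_rules):
    # Hybrid mode: the manual rules sit above the automatic ones and are tried first.
    return list(manual_rules) + auto_outbound_rules(wan_if, inside_networks)


def is_translated(rules, src_ip, out_if):
    # pf translation rules are first-match: the first rule whose interface and
    # source match decides. A matching "no nat" rule exempts the packet; no match
    # at all means the packet leaves with its original source address.
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface == out_if and ip in rule.source:
            return not rule.nonat
    return False


def validate_plan(wan_net, isp_gateway, wan_ip, routed_net, inside_ip):
    # Sanity checks a practitioner runs before applying the layout; returns a list of problems.
    wan = ipaddress.ip_network(wan_net)
    routed = ipaddress.ip_network(routed_net)
    problems = []
    if ipaddress.ip_address(isp_gateway) not in wan:
        problems.append("ISP gateway is not inside the WAN /30")
    if ipaddress.ip_address(wan_ip) not in wan:
        problems.append("pfSense WAN address is not inside the WAN /30")
    if ipaddress.ip_address(inside_ip) not in routed:
        problems.append("pfSense inside address is not inside the routed /29")
    if routed.overlaps(wan):
        problems.append("routed /29 overlaps the WAN /30")
    if any(routed.subnet_of(private) for private in RFC1918):
        problems.append("routed block is RFC1918, so its hosts are not reachable from the Internet without NAT")
    return problems


# Constructed scenario mirroring the thread (documentation ranges, not real ISP addresses).
WAN_IF = "wan"
WAN_NET, ISP_GATEWAY, WAN_IP = "203.0.113.0/30", "203.0.113.1", "203.0.113.2"
ROUTED_NET, INSIDE_IP = "198.51.100.0/29", "198.51.100.1"   # the ISP routes this /29 to WAN_IP
PRIVATE_LAN = "192.168.1.0/24"                                # an ordinary NATed network kept alongside
# Per-host limiters from the first post (Mbps), keyed by the host's public address.
LIMITERS_MBPS = {"198.51.100.2": 800, "198.51.100.3": 100, "198.51.100.4": 100}


def nat_decisions(mode):
    # Returns {source address: True if translated on the way out of WAN} for the given mode.
    inside = [ipaddress.ip_network(ROUTED_NET), ipaddress.ip_network(PRIVATE_LAN)]
    if mode == "automatic":
        rules = auto_outbound_rules(WAN_IF, inside)
    elif mode == "hybrid":
        nonat = OutboundNatRule(WAN_IF, ipaddress.ip_network(ROUTED_NET), True, "do not NAT routed /29")
        rules = hybrid_outbound_rules(WAN_IF, inside, [nonat])
    else:
        raise ValueError(f"unknown mode {mode!r}")
    hosts = list(LIMITERS_MBPS) + ["192.168.1.10"]
    return {host: is_translated(rules, host, WAN_IF) for host in hosts}


if __name__ == "__main__":
    for problem in validate_plan(WAN_NET, ISP_GATEWAY, WAN_IP, ROUTED_NET, INSIDE_IP):
        print("plan problem:", problem)
    for mode in ("automatic", "hybrid"):
        for host, translated in nat_decisions(mode).items():
            limiter = LIMITERS_MBPS.get(host)
            print(f"{mode:9s} {host:14s} translated={translated!s:5s} limiter={limiter} Mbps")
```

In automatic mode every host in the /29 comes out translated to the WAN address, which is the result the quick test in the reply reported; in hybrid mode the "Do not NAT" rule for the /29 matches first and exempts it while the private LAN is still translated. The limiter table is only carried along here; on the box the limiters are applied per source address in the firewall rules for the inside interface, independent of the NAT decision.
-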
@johnpoz that's great. That kind of article is what I needed! I will try it based on those steps. Thanks so much for your help!
-
@johnpoz actually one more thing: applying this to OPT1, does this apply to every port on the Netgate switch, or do I have to allow some sort of VLANs?
-
What you apply it to depends on your setup: it could be the normal LAN interface, it could be an OPT interface, or sure, it could just be a VLAN that sits on one of the physical interfaces, etc.
You have a Netgate appliance with a switch. Then sure, it could be all ports in that switch, or just one of them, etc.
The switch in the appliances is really just like any other switch; vs being external with a physical uplink to a port on the router, it is just internal with an internal uplink..
-
@johnpoz ok great. So I could easily, for example, use LAN1 for my guest VLAN, LAN2 for public IP1, LAN3 for public IP2, etc...
-
@wifi-will said in /29 and /30 NAT Disable:
LAN2 for public IP1, LAN3 for public IP2 etc...
Sure, you can put all your switch ports in your /29 network and then connect devices directly to the switch to be in the /29 network.
Or you could use port 1 of the switch for some other network, and the other ports in the switch for your /29, etc.
I personally like my interfaces discrete on my router, which is why I have a 4860 vs a model with a switch built in.. But some people like the switch in the router. But what you do with that switch is really no different than an external VLAN-capable switch. Be it all the ports in 1 VLAN, or you break up the ports to be in other VLANs.