Doing both SNAT and DNAT, I think?
-
I commission machines for a living that have local networks that can have anywhere from 30 - 80 devices on the network. We are often commissioning several of the same machine in the same plant. These machines are identical, and each has a PLC (controller). Because they are identical they all have the same IP addresses. But during commissioning we want to extract data from the controller. I have played around using 1:1 NAT and can access the controller using a unique IP address on the WAN side. So I am assuming that if I have enough LAN ports I should be able to access multiple machines at a time.
But my issue is that I cannot put a gateway in the controller and so I need the packets to appear to the controller to have come from a local IP that I am assuming will be one of the LAN IPs of the router. From watching a bunch of videos of IPTables it looks like it could be possible but I'm not sure where to start.
I should mention at this point that these machines are totally isolated from the internet and so security is of no concern. Furthermore, this setup is only for the commissioning period and then is completely removed.
Hopefully this diagram shows what I am trying to achieve. I'm not a network engineer; this is only to make my life easier for a few weeks at a time, and for those worried about security I assure you it has no connection to the internet and is not permanent.
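As an added illustration (not code from any poster), here is the DNAT-plus-SNAT pair the opening post is asking about, written as iptables rules for a Linux router. It assumes one router instance per machine (a VM or network namespace, since a single router cannot hold the same subnet on two interfaces) and uses placeholder interface names, addresses and alias=PLC mappings.

```shell
#!/bin/sh
# Added example: generates the iptables NAT rules that let a WAN-side host reach
# a PLC that has no default gateway. eth0/eth1, 10.0.0.x and 192.168.25.x are
# assumed placeholders. Dry-run by default; set APPLY=1 to execute the rules.

# machine_nat_rules WAN_IF LAN_IF LAN_ROUTER_IP "WAN_ALIAS=PLC_IP ..."
machine_nat_rules() {
    wan_if=$1; lan_if=$2; lan_ip=$3; mappings=$4
    # Forwarding between WAN and LAN must be on for any of this to work.
    echo "sysctl -w net.ipv4.ip_forward=1"
    for pair in $mappings; do
        wan_addr=${pair%%=*}; plc=${pair#*=}
        # DNAT: traffic arriving on the WAN for the unique alias address is
        # redirected to the PLC's (duplicated) LAN address.
        echo "iptables -t nat -A PREROUTING -i $wan_if -d $wan_addr -j DNAT --to-destination $plc"
        # SNAT: rewrite the source to the router's own LAN address so the PLC,
        # which has no gateway, answers a peer on its own subnet; conntrack
        # then un-translates the reply on the way back out.
        echo "iptables -t nat -A POSTROUTING -o $lan_if -d $plc -j SNAT --to-source $lan_ip"
        # Permit only the translated flow towards this PLC.
        echo "iptables -A FORWARD -i $wan_if -o $lan_if -d $plc -j ACCEPT"
    done
    # Replies for established connections are allowed back to the WAN side.
    echo "iptables -A FORWARD -i $lan_if -o $wan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# command_count MAPPINGS -> number of commands the generator would run
command_count() {
    machine_nat_rules eth0 eth1 192.168.25.254 "$1" | wc -l | tr -d ' '
}

# One router instance for machine 1: two devices on its LAN keep their
# factory-default addresses but are exposed on two distinct WAN aliases.
MAP="10.0.0.11=192.168.25.10 10.0.0.12=192.168.25.20"
if [ "${APPLY:-0}" = 1 ]; then
    machine_nat_rules eth0 eth1 192.168.25.254 "$MAP" | sh -e
else
    machine_nat_rules eth0 eth1 192.168.25.254 "$MAP"
fi
```

A second machine gets its own router instance with the same LAN-side values and a different set of WAN aliases.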
-
@Keithj you can't put the same network on multiple interfaces of pfSense.
You cannot have 192.168.25.0/24 on multiple interfaces like that.
You could for sure do what you're asking if your devices on the 192.168.25 network had different IPs.
-
Yup you can't do that as laid out.
You could do something with multiple VMs. So one pfSense VM for each LAN port so that they are separated entirely on the LAN side.
-
Thanks for the fast responses. I had a feeling I was asking a bit much.
I'll take a look at the VM route.
Thanks
-
@Keithj if the PLCs have hard-coded identical IP addresses you could use pfSense connected to a level 2 switch. Program the switch with all Ethernet ports but one in a different VLAN.
You may then be able to use NAT on each VLAN to access each PLC from a different translated address, but generally pfSense doesn't like having the same address range on more than one interface.
As @stephenw10 suggests, a hypervisor running multiple VMs, each with one virtual WAN NIC connected to a common virtual switch and a second virtual LAN NIC connected to a unique VLAN / physical NIC on your programmable switch.
Running pfSense on each VM with NAT should then allow access to each PLC, on identical LAN addresses, from different WAN addresses. The size of your programmable switch limits how many PLCs can be simultaneously accessed.