Multiple LAN IP's out one Public IP



  • I've seen a lot of posts about 1:1 NAT for inbound connections, but nothing seems to address what I'm trying to do.

    I have a number of public static IP addresses available in my pool from a number of different subnets.

    I have several clusters of 4 machines each.  Each machine can be allocated a private non-routable IP.  I want each cluster of 4 to route/NAT all of its traffic out of a specific IP.

    I can't figure out exactly how to do this on pfSense.  So in essence, here's what I want:

    192.168.100.1 --|
    192.168.100.2 --|
    192.168.100.3 --|---------> Public IP #1
    192.168.100.4 --|

    192.168.200.1 --|
    192.168.200.2 --|
    192.168.200.3 --|---------> Public IP #2
    192.168.200.4 --|

    And so on.

    Basically, I want each cluster of 4 machines to route in and out like a normal NAT, but each be isolated to their own public IP address.

    Is this possible in pfSense and if so, how would I go about it?  I don't need any special port forwarding, etc... these are all workstations and not servers, so most of the traffic is internally initiated and outbound.



  • As far as I know, this should be possible by adding virtual IP addresses on WAN and manually configuring outbound NAT rules to specify which public IP address to use in the translation.


  • Rebel Alliance Developer Netgate

    Efonne is correct, you would need to set up Virtual IPs for the public IPs, and then just add outbound NAT rules to make those sets of machines use a particular VIP for NAT.

    This would probably be easiest if you made an alias for each group, and then used the alias in these rules. Failing that, you may be able to align them so they are grouped into what would be /30 subnets.



  • Thanks for the info, it's much appreciated!

    I will give this a go later this afternoon and see if I can get it working.  Is there anything special I need to do as far as setting up the LAN network?  Currently it is set up as a /24 network.  Do I need to change it to a /16, or can I just indiscriminately add networks pointing to the VIPs on the pfSense box?  In other words, are there any special configuration changes that need to be made if I want to route different class B networks out a VIP?

    192.168.23.0/24 is the LAN network, with a primary WAN as say 24.12.18.10.

    If I want to route say 192.168.100.0/24 out a routable VIP of 24.12.18.11, do I need to make any special configuration changes to the LAN side on the pfSense box?


  • Rebel Alliance Developer Netgate

    If you wanted to do that, you would need to have your LAN and all PCs on your LAN use /16 for a subnet mask.

    If you want to separate out PCs into subnets properly, you need separate broadcast domains. That means separate physical interfaces and switches, or separate VLANs.



  • Ok, so I just tried to do a test setup of this.

    I created a routable VIP, as an example: 208.20.12.10/32

    I have a NAT outbound rule:

    | Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description |
    |---|---|---|---|---|---|---|---|---|
    | LAN | 192.168.50.0/24 | * | * | * | 208.20.12.10 | * | NO | Test VIP |

    My LAN side is now set to a 192.168.100.1/16 address.

    However, when I configure a box with a 192.168.50.1 address and check its external IP, it comes back with the primary WAN IP address.  Why is it not using the NAT VIP Address?


  • Rebel Alliance Developer Netgate

    Is that rule first on the list? The list is processed top-down.



  • Yes, it's the only rule on the list.

    Do I need to set up a LAN VIP as well for the gateway?  I tried this but can't even ping the LAN VIP from the 192.168.50.1 box (LAN VIP is set up as 192.168.50.10).

    EDIT

    I just tried changing it from Automatic Outbound NAT to Manual Outbound NAT.

    Now there are two rules on the list: the 192.168.50.0/24 rule is first and the 192.168.0.0/16 rule is second.   I switched Interface from LAN to WAN, since the auto-created rule for LAN is set to WAN (somewhat confusing). This seems to have solved the problem.

    So, in summary… it needs to apparently be set to Manual Outbound NAT, and the interface needs to be set to WAN, not LAN.
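The two lessons from the post above (outbound NAT matches on the egress interface, and the rule list is first-match top-down) as a small simulation. This is an added example, not part of the thread and not pfSense code: it models the rule table with the thread's own addresses and assumes the automatically generated /16 rule is still present in the first attempt, since the poster saw the primary WAN address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class OutboundNatRule:
    interface: str      # interface the packet leaves on; outbound NAT matches here
    source: str         # source network in CIDR notation
    nat_address: str    # translation address: primary WAN IP or a routable VIP
    description: str = ""


def select_nat_address(rules: List[OutboundNatRule], egress_iface: str,
                       src_ip: str) -> Optional[str]:
    """Simplified first-match evaluation: walk the table top-down and return
    the NAT address of the first rule whose interface and source match.
    Returns None when nothing matches (the packet would leave untranslated)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.interface != egress_iface:
            continue            # a rule bound to LAN never sees WAN egress traffic
        if src in ipaddress.ip_network(rule.source):
            return rule.nat_address
    return None


# Constructed values taken from the thread's examples
PRIMARY_WAN = "24.12.18.10"
VIP = "208.20.12.10"
AUTO_RULE = OutboundNatRule("WAN", "192.168.0.0/16", PRIMARY_WAN, "Auto created rule for LAN")

# First attempt: the custom rule was bound to LAN, so only the auto rule can match (assumption:
# the auto rule was still active, which explains the primary WAN address being observed).
broken_rules = [OutboundNatRule("LAN", "192.168.50.0/24", VIP, "Test VIP"), AUTO_RULE]

# Working manual outbound NAT table: specific WAN rule first, catch-all /16 second.
fixed_rules = [OutboundNatRule("WAN", "192.168.50.0/24", VIP, "Test VIP"), AUTO_RULE]

# Same rules in the wrong order: the /16 catch-all shadows the VIP rule.
shadowed_rules = list(reversed(fixed_rules))

if __name__ == "__main__":
    for name, table in (("broken", broken_rules), ("fixed", fixed_rules), ("shadowed", shadowed_rules)):
        print(name, "->", select_nat_address(table, "WAN", "192.168.50.1"))
```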



  • Yeah, it is outbound NAT, so you configure it on the interface it is going out of.  In this case, it is WAN.



  • I've been playing with it for the past couple hours and I seem to have it working the way I want.

    However, now my question is: do I have to go the VLAN route if I want to partition off each cluster of machines from the others?  Is it as simple as assigning a VLAN number to the given machines or is it more complicated than that?

    I know VLAN is somewhat intricate and I should really have more knowledge about routing prior to embarking upon the VLAN configuration, but for my simple needs, perhaps there's a simple solution.

    I just want to have each cluster of machines basically on its own little network, routed through VIPs on the pfSense box.  As an added bonus, all clusters should have access to one of my Samba file servers.  Is this something fairly simple to configure or does it get exceptionally complex?


  • Rebel Alliance Developer Netgate

    You would need to either separate them physically or with VLANs to use separate subnets that would be "partitioned off" so to speak.

    To do VLANs, you would need a managed switch that is capable of handling VLANs and 802.1q trunking (most smart/managed switches do). pfSense would get put on a trunk port, and you'd make a VLAN interface in pfSense for each internal network you want. You'd then go in the switch and set which ports belong on which VLAN.

    VLANs can be intricate but for basic usage they're really not that difficult, they may seem intimidating but they're very handy if you spend a little time familiarizing yourself with the concepts.

    Doing what you want shouldn't be too difficult, especially if you have your Samba server act as a WINS server and set that in the DHCP settings. People could still see each other's machine names when browsing, but if you have firewall rules in place to keep SMB traffic limited to only the Samba server, they wouldn't be able to actually contact any other machine's shares.

