Netgate Discussion Forum
    NAT, routing and nating HELP!

      pmcastilla

      Hello guys,
      I'm really new at this and I need your help. What I need to do is this:

      pfSense 1.2.3
                                                                     WAN                           LAN
      Subnet 171.11.10.0/25 ------ Firewall 1.1.1.1/28 ----- 1.1.1.2/28 firewall --------- 192.168.1.0/24
                                                                               |  OPT1
                                                                               +--------- 192.168.2.0/24
                                                                               |  OPT2
                                                                               +--------- 192.168.3.0/24
      I need all the 192.168.x.x subnets to be accessible from subnet 171.11.10.0/25 without losing firewalling.
      For testing I disabled the pfSense firewall and I can route from any network to the others, but I need to activate the pfSense firewall again and restrict access, only letting a few hosts and protocols pass, for example:
      Allow MSRDP access from 171.11.10.10 to 192.168.1.101
      Block Any from 192.168.2.0/24 to 192.168.3.0/24

      Can you guide me or help me!!!
      I really appreciate your time!
      Thanks!
                Pablo

        Cry Havok

        You can't get 1:1 access from a /25 to a /23, by way of a /28 - that's like trying to fit a pint into a shot glass by way of a thimble.

        If you were to increase the /28 to a /25 and then reduce each /24 to a /27 you'd have enough IP addresses for a 1:1 mapping.  At that point I'd suggest you ask yourself why you're doing a 1:1 for each RFC-1918 address when it might be smarter to give each device a real IP.

        Also, I hope the 1.1.1.1/28 address is made up.

          pmcastilla

          Hi Cry, thanks for the answer. Maybe I'm not explaining very well what I need to do; I modified the principal post.

            Cry Havok

            So, you need:

            • Default block/deny rules on all interfaces

            • Forward 3389/TCP from the WAN interface of the external firewall to the WAN interface of the internal firewall (if it's doing NAT) and then from the WAN interface of the internal firewall to 192.168.1.101

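The rule set Cry Havok lists, written out as a pf.conf fragment for the internal pfSense box (pfSense 1.2.3 generates its pf rules from the GUI; this is an added example of the equivalent hand-written rules, not the thread's or pfSense's own output). The interface names em0..em3 and the external firewall being pf-based are assumptions.

```pf
# --- Internal pfSense: WAN 1.1.1.2/28, LAN 192.168.1.0/24, OPT1 192.168.2.0/24, OPT2 192.168.3.0/24
# Interface names are assumed; pfSense 1.2.3 builds its pf rules from the GUI, this is
# the hand-written pf.conf equivalent of what those GUI rules mean.
wan      = "em0"
lan      = "em1"
opt1     = "em2"
opt2     = "em3"
rdp_src  = "171.11.10.10"
rdp_host = "192.168.1.101"

# Translation happens before filtering, so the pass rule further down must match
# the translated destination (192.168.1.101), not the WAN address.
nat on $wan from 192.168.0.0/16 to any -> ($wan)
rdr on $wan proto tcp from $rdp_src to ($wan) port 3389 -> $rdp_host port 3389

# Default deny on every interface, logged so refused connections are visible.
block log all
# Let traffic leave any interface once a "pass in" rule has created a state.
pass out quick keep state

# Only the one RDP source may reach the one RDP host. Assumes the external firewall
# forwards without rewriting the source; if it source-NATs, filter on 1.1.1.1 instead.
pass in on $wan proto tcp from $rdp_src to $rdp_host port 3389 flags S/SA keep state

# OPT1 -> OPT2 stays blocked even if a broader OPT1 rule is added later: pf is
# last-match-wins, so "quick" ends evaluation here.
block in log quick on $opt1 from 192.168.2.0/24 to 192.168.3.0/24
# A broader rule like this one (OPT1 to anything) would otherwise override the block
# above; it also reaches LAN, so narrow it to "to ! 192.168.0.0/16" if LAN must stay isolated.
pass in on $opt1 from 192.168.2.0/24 to any keep state

# --- External firewall (if pf-based and doing NAT): the same pattern one hop up,
# forwarding 3389/TCP to the internal WAN address. Interface name assumed.
# rdr on $ext_wan proto tcp from 171.11.10.10 to ($ext_wan) port 3389 -> 1.1.1.2 port 3389
# pass in on $ext_wan proto tcp from 171.11.10.10 to 1.1.1.2 port 3389 flags S/SA keep state
```

Check the result with `pfctl -sr` and `pfctl -sn` after loading; `pfctl -vf /etc/pf.conf` will refuse the file if a rule is syntactically wrong.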