Netgate Discussion Forum

    1:1 NAT for dummies

      torino

      Hi!

      I am trying to understand the 1:1 NAT feature in pfSense. Here is my basic configuration:

                                          -----------
      red-PC ------------- 192.168.10.254 | pfSense | 192.168.2.254 ------------- green-PC
      192.168.10.250                      -----------                             192.168.2.100
      GW:192.168.10.254                                                           GW:192.168.2.254

      Firewall: pass all red<>green
      Ping between red-PC and green-PC is working.
      2.0-RELEASE (i386)

      What I understand: with 1:1 NAT I can reach the green-PC by using an IP address which is not in 192.168.10.0/24.
      On red-PC:    >ping 192.168.12.100

      Ping should be replied to by 192.168.2.100 - is that correct?
      Destination IP 192.168.12.100 will be mapped to destination IP 192.168.2.100.

      But the ping fails! Any ideas?

      Next question:
      In the green subnet, there is a PC with IP = 10.1.0.100/24.
      Is it possible to reach this PC from red-PC by using 1:1 NAT?

      Thanks for your support!

      121nat.PNG

        podilarius

        According to your network design, the 192.168.12 is not a valid subnet on your LAN. Unless you set up a VIP to proxy for it, the firewall will do nothing with it but block or forward nowhere.

          torino

          Yes!

          I added a virtual IP address range on the red port.
          But this will not help. Which type should I use?

          It works!

                                              -----------
          red-PC ------------- 192.168.10.254 | pfSense | 192.168.2.254 ------------- green-PC

          S: 192.168.10.250  >>>>>>>>>>>>>> request >>>>>>>>>>>>>>  S: 192.168.10.250
          D: 192.168.12.100  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  D: 192.168.2.100

          S: 192.168.12.100  <<<<<<<<<<<<<<< reply <<<<<<<<<<<<<<<  S: 192.168.2.100
          D: 192.168.10.250  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  D: 192.168.10.250

          121nat-2.PNG

            torino

            To complete this thread:
            By adding a virtual IP range (10.1.0.0/24) also on the green port, and changing the 1:1 NAT rule (Internal IP = 10.1.0.0/24), the following is possible:

            red-PC ------------- 192.168.10.254 | pfSense | 192.168.2.254 ------------- green-PC2 --------- green-PC
            192.168.10.250                      -----------                             10.1.0.111          192.168.2.100

            ping 192.168.12.111

            S: 192.168.10.250  >>>>>>>>>>>>>> request >>>>>>>>>>>>>>  S: 192.168.10.250
            D: 192.168.12.111  >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  D: 10.1.0.111

            S: 192.168.12.111  <<<<<<<<<<<<<<< reply <<<<<<<<<<<<<<<  S: 10.1.0.111
            D: 192.168.10.250  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  D: 192.168.10.250

            ping 192.168.2.100

            S: 192.168.10.250  >>>>>>>>>>>>>> request >>>>>>>>>>>>>>  S: 192.168.10.250
            D: 192.168.2.100   >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>  D: 192.168.2.100

            S: 192.168.2.100   <<<<<<<<<<<<<<< reply <<<<<<<<<<<<<<<  S: 192.168.2.100
            D: 192.168.10.250  <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<  D: 192.168.10.250

            ping 192.168.12.100 will not work

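The address rewriting traced in the posts above can be reproduced with a small model of subnet-to-subnet 1:1 NAT. This is an added example, not part of the original thread and not pfSense code; the class and function names are hypothetical, and the /24 mask on the first rule is an assumption, since the thread only gives the 192.168.12.100 to 192.168.2.100 pair.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class OneToOneNat:
    """Hypothetical model of a subnet 1:1 NAT rule: network part swapped, host bits kept."""
    external: ipaddress.IPv4Network  # addresses the red side sends to
    internal: ipaddress.IPv4Network  # real addresses on the green side

    def __post_init__(self):
        if self.external.prefixlen != self.internal.prefixlen:
            raise ValueError("1:1 NAT needs subnets of equal size")

    @staticmethod
    def _swap(addr, from_net, to_net):
        ip = ipaddress.IPv4Address(addr)
        if ip not in from_net:
            return str(ip)  # outside the rule: passed through unchanged
        host_bits = int(ip) - int(from_net.network_address)
        return str(to_net.network_address + host_bits)

    def request(self, src, dst):
        """Red -> green: only the destination is translated."""
        return src, self._swap(dst, self.external, self.internal)

    def reply(self, src, dst):
        """Green -> red: only the source is translated back."""
        return self._swap(src, self.internal, self.external), dst

RED_PC = "192.168.10.250"
EXTERNAL = ipaddress.ip_network("192.168.12.0/24")
# First rule in the thread (the /24 mask is assumed), then the changed rule.
RULE_A = OneToOneNat(EXTERNAL, ipaddress.ip_network("192.168.2.0/24"))
RULE_B = OneToOneNat(EXTERNAL, ipaddress.ip_network("10.1.0.0/24"))

def trace(rule, target):
    """Return the (src, dst) pair after NAT for the request and for the reply."""
    req = rule.request(RED_PC, target)
    rep = rule.reply(req[1], RED_PC)  # the green host answers from its real address
    return req, rep

if __name__ == "__main__":
    for name, rule, target in [("A", RULE_A, "192.168.12.100"),
                               ("B", RULE_B, "192.168.12.111"),
                               ("B", RULE_B, "192.168.2.100"),
                               ("B", RULE_B, "192.168.12.100")]:
        req, rep = trace(rule, target)
        print(f"rule {name}: ping {target}: request {req}, reply {rep}")
```

In this model the changed rule translates 192.168.12.100 to 10.1.0.100 rather than 192.168.2.100, while 192.168.2.100 itself lies outside the rule and passes through untranslated.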