NAT and routing



  • Hi,

I have one WAN interface with PPPoE and one WAN with a static address. I also have some internal interfaces for DMZ, LAN, etc. For a server in the DMZ I added a virtual IP and a 1:1 NAT. Everything works great. But I want to set up a new internal interface which should be routed (with firewall rules). On the static interface this is no problem, I could use a bridge. But what about my PPPoE connection? The connection gets a static IP from the provider, and the provider routes some IPs through this connection (2x /27 subnets). Is it possible to build a bridge or route some IPs to another internal interface? The firewall has enough free ports.

    Thanks.

    Greeting

    BJ



• Well, you would not use an internet-routable address unless it is routed by your ISP to one of the WAN addresses. Since you are already using NAT, I would set up 1:1 NAT with the new IP in a different subnet on a new interface.



  • I logged on today to ask the same basic question as BJXYZ. If BJXYZ's issue is anything like mine, 1:1 NAT won't work for everything.

I'm replacing a ZyWall configured to use 3 subnets. One address from subnet A is configured on my WAN. I use this address for 1:n NAT. Subnets B and C are routed through the WAN address (the one from subnet A). I use subnet B for various 1:1 NAT mappings. Subnet C is routed to my DMZ, where I host services that don't play well with NAT. Now I'm looking at replacing the ZyWall with pfSense.

    Is this configuration possible with pfSense?

    BJXYZ,

    You indicate you've used a bridge on one of your WANs. Following the trail of documentation about bridges (starting here: http://doc.pfsense.org/index.php/What_is_a_bridged_interface_and_how_would_one_be_used%3F) seems to indicate you'll run into a problem when your LAN clients try to access devices on the bridged interface (assuming your LAN clients use NAT). Have you noticed any such problems?

    Regards everyone!



  • You could enable Manual Outbound NAT, delete any auto-generated rules for the DMZ interface and just route subnet C.
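
The following pf.conf fragment is an added illustration of what the reply above describes, written here for this thread and not taken from pfSense or from either poster. pfSense normally generates its pf rules from the GUI (Firewall > NAT > Outbound, switched to manual rule generation, plus Firewall > NAT > 1:1), so this is the hand-written pf equivalent of that setup. All interface names and addresses are assumptions, using the three-subnet layout from the question: subnet A supplies the WAN address, subnet B is 1:1-NATed to private DMZ hosts, and subnet C is assigned directly on a second DMZ interface with no translation at all.

```pf
# Added example, not pfSense's generated rules. Interface names are assumptions.
wan        = "em0"
lan        = "em1"
dmz_nat    = "em2"   # private hosts reachable through 1:1 NAT (subnet B)
dmz_routed = "em3"   # hosts that carry subnet C addresses directly

# Documentation address ranges standing in for the real ones (assumed).
wan_addr    = "198.51.100.10"     # the one subnet A address configured on WAN
subnet_b    = "203.0.113.0/27"    # routed by the ISP to wan_addr, used for 1:1 NAT
subnet_c    = "203.0.113.32/27"   # routed by the ISP to wan_addr, lives on $dmz_routed
lan_net     = "192.168.1.0/24"
dmz_nat_net = "10.0.1.0/27"       # same size as subnet_b so binat maps host-for-host

# Manual outbound NAT: only the LAN is translated to the WAN address.
# Subnet C has no nat rule, so its packets leave WAN with their real source
# addresses. (With automatic outbound NAT pfSense would add a rule for the
# $dmz_routed network too, which is exactly what breaks NAT-unfriendly services.)
nat on $wan from $lan_net to any -> $wan_addr

# 1:1 NAT for subnet B. binat is bidirectional and maps each address in
# $dmz_nat_net to the address with the same offset in $subnet_b.
binat on $wan from $dmz_nat_net to any -> $subnet_b

# Filtering. pf translates before filtering on the way in, so inbound rules for
# the 1:1-NATed hosts reference their private addresses; subnet C is untranslated
# and is matched by its public addresses.
block all
pass in  on $wan proto tcp from any to $dmz_nat_net port 443 keep state
pass in  on $wan proto tcp from any to $subnet_c    port { 80, 443 } keep state
pass out on $wan from { $lan_net, $dmz_nat_net, $subnet_c } to any keep state

# Inbound-from-inside: let the hosts on each internal interface originate traffic.
pass in on $lan        from $lan_net     to any keep state
pass in on $dmz_nat    from $dmz_nat_net to any keep state
pass in on $dmz_routed from $subnet_c    to any keep state
```

Two things worth checking in the test lab: because the ISP routes subnets B and C to the WAN address, pfSense does not need virtual IPs that answer ARP for them (the packets arrive addressed to the WAN MAC already), and subnet C needs no static route since it is directly connected on $dmz_routed. What must not exist is any outbound NAT rule whose source matches subnet C; after switching to manual outbound NAT, verify with `pfctl -s nat` that the only `nat` line left is the LAN one.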



  • Thanks Dhatz,

    That's what I was thinking too. I guess it's off to the test lab!

