Netgate Discussion Forum

    1:1 NAT to VLANs

    dnsman:

      Hi,

      I have a pfSense 2.0.1 install for a business center which I am having some trouble configuring NAT for.  The setup is for around 30 different tenant suites, each of which has its own VLAN/subnet.

      Management LAN - 192.168.1.1/24
      WiFi - 192.168.25.1/24
      Suite 1 - 192.168.101.1/24
      Suite 2 - 192.168.102.1/24
      Suite 3 - 192.168.103.1/24
      ...

      I have set up the VLANs and the WAN connection to our ISP-provided router, and all is working through VLAN trunking to the switches.

      One thing I would like to do is have each suite go out to the internet on a different public IP.  The WAN connection has a /28 block assigned to it, but I am struggling to get my head round how this should be configured.  Currently I am using the first usable IP xxx.xxx.xxx.226 in the block for the WAN connection.  I have the second usable IP set up as a Virtual IP of type IP Alias xxx.xxx.xxx.227/32, then a 1:1 NAT rule as follows:

      External Subnet IP: xxx.xxx.xxx.227
      Internal IP: 192.168.25.1/24 (WiFi Subnet)
      Destination: ANY
      NAT Reflection: Use System Default

      When the rule above is enabled it stops access to the internet for the WiFi subnet.

      What am I missing?  If I change the internal IP in the above rule to a specific IP in the subnet such as 192.168.25.33 the machine goes out using the virtual IP.

      Any pointers would be appreciated.

      Thanks.

      Reiner030:

        @dnsman:

        One thing I would like to do is have each suite go out to the internet on a different public IP.  The WAN connection has a /28 block assigned to it, but I am struggling to get my head round how this should be configured.  Currently I am using the first usable IP xxx.xxx.xxx.226 in the block for the WAN connection.  I have the second usable IP set up as a Virtual IP of type IP Alias xxx.xxx.xxx.227/32, then a 1:1 NAT rule as follows:

        We set it up this way:

        For each public IP we defined a CARP IP in addition to the 1:1 NAT (the firewall must know that it should be NATting it).
        I found out in my DMZ testing that only CARP IP and Proxy ARP aliases were accepted for incoming connections.

        (In my testing environment it then works like a charm...
        Now, transferring it to the live system, one side is working.
        On the other side, the NATting firewall received the incoming connection but didn't know how to route it internally :(
        But this can be a BETA configuration problem.)

        Best,

        Reiner

        podilarius:

          What you are looking for is not 1:1 NAT, IMO. What you want to do would be better suited to Advanced Outbound NAT. What you would do is go to AON and enable manual.
          It should create a rule for each of your VLAN networks. Just adjust each one according to the IP you want it to use.
          One other problem I see is that IP Alias and CARP must carry the same CIDR as the WAN interface. So instead of 227/32 it should be 227/28.

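          As an added illustration of the per-VLAN outbound NAT plan podilarius describes (not code from the thread or from pfSense), the helper below maps each suite subnet to a spare address in the WAN block, renders the equivalent pf `nat on` lines, and checks that a Virtual IP carries the WAN prefix length rather than /32. It assumes the documentation block 203.0.113.224/28 in place of the redacted xxx.xxx.xxx addresses, an ISP router on .225, and `em0` as the WAN interface name; the ordering and round-robin reuse of public addresses are choices made here, not pfSense behaviour.

```python
import ipaddress
from itertools import cycle


def plan_outbound_nat(wan_block, reserved, vlans):
    """Map each VLAN subnet to a public address from the WAN block.

    wan_block: the ISP-assigned block, e.g. "203.0.113.224/28".
    reserved:  addresses not available for NAT (WAN address, ISP gateway).
    vlans:     internal subnets, one per suite.
    Returns (rules, warnings); rules is a list of (vlan_network, public_ip).
    With more VLANs than spare addresses (a /28 has at most 14 usable),
    addresses are reused round-robin and a warning is recorded.
    """
    block = ipaddress.ip_network(wan_block, strict=False)
    taken = {ipaddress.ip_address(a) for a in reserved}
    spare = [a for a in block.hosts() if a not in taken]
    if not spare:
        raise ValueError(f"no spare addresses in {block}")
    warnings = []
    if len(vlans) > len(spare):
        warnings.append(f"{len(vlans)} VLANs but only {len(spare)} spare addresses "
                        f"in {block}; some VLANs will share a public IP")
    pool = cycle(spare)
    rules = [(ipaddress.ip_network(v, strict=False), next(pool)) for v in vlans]
    return rules, warnings


def vip_has_wan_prefix(vip, wan_block):
    """True when a Virtual IP is entered with the WAN prefix length (/28), not /32."""
    iface = ipaddress.ip_interface(vip)
    block = ipaddress.ip_network(wan_block, strict=False)
    return iface.ip in block and iface.network.prefixlen == block.prefixlen


def pf_nat_rules(rules, ext_if="em0"):
    """Render pf 'nat on' lines, the form a manual outbound NAT rule takes in pf."""
    return [f"nat on {ext_if} from {net} to any -> {pub}" for net, pub in rules]


if __name__ == "__main__":
    # Constructed sample: WAN on .226, ISP router on .225 (hypothetical),
    # and three of the tenant subnets named in the thread.
    suites = ["192.168.25.0/24", "192.168.101.0/24", "192.168.102.0/24"]
    rules, warnings = plan_outbound_nat("203.0.113.224/28",
                                        ["203.0.113.225", "203.0.113.226"], suites)
    for line in pf_nat_rules(rules):
        print(line)
    for w in warnings:
        print("warning:", w)
    print(vip_has_wan_prefix("203.0.113.227/32", "203.0.113.224/28"))  # False
```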
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.