Virtual IP NAT to OPT?
-
First post. I've been using pfSense for a few years and love it. Recently my home operation expanded and I am not sure of the best way to accomplish what I want to do.
Background -
I have a pfsense 2.0.2 installation
I have 13 IPs assigned to WAN - 1 is native to WAN - let's call it .130, then I have 12 virtual IPs set up, .131 to .143.
My main network is attached to the LAN interface. I am using NAT to assign a few of the virtual IPs to specific LAN IPs on the LAN interface.
What I now want to do is set up some OPT interfaces (I have 6 ETH ports on the server). On the OPTs I want to assign directly, or NAT, to a WAN interface virtual IP.
For example - I have OPT1 set up and want it to tie directly to my external address of .131 - for the purposes of my business, I do not wish to have it on my LAN subnet, on a VLAN on my LAN, or even physically connected to the LAN interface.
So my question is this - what is the best way to get a device on OPT1 to access the internet on WAN while using a virtual IP of .131?
Currently what I did is assign OPT1 to 192.168.5.1 with no gateway - I then set up a 1:1 NAT between the OPT1 address and WAN virtual IP .131... the OPT1 device accesses the internet, but on the WAN IP address of .130 - not the virtual IP.
Any insight appreciated!
Thank you,
Greg
-
I think the first question I need to ask is why do you want to assign a device on OPT1 to a virtual IP? Are you trying to host a server on that virtual IP that you want to access from the internet? (i.e. web, mail, etc.)
Maybe I'm misunderstanding (it's entirely likely) but I don't think you're going to be able to do what you want, in the way you're going about it.
First, you are creating these virtual IPs on your WAN interface (.131-.143). Unless your ISP has allocated those to you, you can assume they are allocated to a different customer. You're never going to receive external traffic on those just by setting up a virtual IP. Thus, everything will be sent and received on .130. It almost sounds like you are trying to spoof an external address.
If you want to segment your networks into business and home (or business and DMZ, or trusted and untrusted), that's not hard to do. I had my wifi segmented like that, at one time. I'm going to assume you use 192.168.1.x for home (LAN) and 192.168.5.x for business (OPT1). If you have the OPT1 address set to 192.168.5.1 and all the devices in the 192.168.5.x subnet list 192.168.5.1 as their gateway, they will be able to access the internet. Using rules for the OPT1 interface is where you'll set up their access. If you don't want access from work to home, then deny OPT1->LAN. You'll probably realize that a blanket rule is not what you want, at least not in both directions. (i.e. you may want to allow LAN->OPT1 on ssh, for example). For inbound, you'll likely want to forward specific ports (e.g. port 80 is NATed to 192.168.5.10) rather than do a 1:1. You'll also need to allow that inbound traffic with a firewall rule on WAN. They will all be tied to the LAN address of .130, though.
Ultimately, if you want a different external address for that 192.168.5.x traffic, you'll need another IP from your ISP. THEN you could NAT the new address to a device in the 192.168.5.x subnet and have it appear as though it is coming from that address.
-
I am allocated 13 static IPs from my ISP - .130 to .143 (sorry, didn't want to give the full IPs).
My belief was that in order to use them externally I need to assign them as virtual IPs on the WAN.
I was thinking about this and was going to move from a 1:1 to setting a blanket outbound and restricting inbound through port forwarding.
-
After playing around with it, I discovered that I needed to move to Manual outbound NAT - I didn't realize that when Automatic NAT is turned on it ignores all the rules that are set.
By adding some rules to allow outbound traffic on the main LAN and the OPT LAN, I can have my main LAN NAT to the interface address and then allow the OPT's LAN to NAT to the static IP of .131.
Now I can do this with the few others that need to have it done.
Thanks!
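The outcome described in the last post, shown as an added example that is not from this thread or from pfSense itself: a small first-match evaluator for outbound NAT tables. It assumes pfSense's behaviour of walking manual outbound NAT rules top to bottom and applying the first match, and uses the documentation range 203.0.113.0/24 as a constructed stand-in for the redacted public block (.130 = WAN address, .131 = the virtual IP), with 192.168.1.0/24 as LAN and 192.168.5.0/24 as OPT1 as assumed in the replies.

```python
"""First-match evaluator for pfSense-style outbound NAT tables (added example)."""
from ipaddress import ip_address, ip_network

# Constructed addresses: the thread redacts the public prefix, so the
# documentation range 203.0.113.0/24 stands in for the ISP block.
WAN_ADDRESS = "203.0.113.130"            # native WAN interface address (".130")
VIP_131 = "203.0.113.131"                # virtual IP on WAN (".131")
LAN_NET = ip_network("192.168.1.0/24")   # home network on LAN (assumed)
OPT1_NET = ip_network("192.168.5.0/24")  # business network on OPT1 (assumed)

# A rule is (source network, translation address). Rules are evaluated
# top to bottom and the first matching rule decides the public source IP.
AUTOMATIC_RULES = [
    # Automatic outbound NAT: every internal subnet -> WAN interface address,
    # which is why OPT1 traffic still appeared as .130 in the original post.
    (LAN_NET, WAN_ADDRESS),
    (OPT1_NET, WAN_ADDRESS),
]
MANUAL_RULES = [
    # Manual outbound NAT as described in the last post: OPT1 leaves on the
    # virtual IP .131, LAN keeps the interface address.
    (OPT1_NET, VIP_131),
    (LAN_NET, WAN_ADDRESS),
]
SHADOWED_RULES = [
    # Ordering pitfall: a catch-all rule above the OPT1 rule shadows it, so
    # OPT1 traffic silently goes out as .130 again.
    (ip_network("0.0.0.0/0"), WAN_ADDRESS),
    (OPT1_NET, VIP_131),
]

def translate_source(src, rules):
    """Return the public address a packet from `src` leaves WAN with, or
    None if no rule matches (the packet would leave untranslated)."""
    src_ip = ip_address(src)
    for net, target in rules:
        if src_ip in net:
            return target
    return None

def check_nat_table(rules, expected):
    """Return the sources in `expected` ({source: wanted public IP}) whose
    translation under `rules` differs from what the operator wants."""
    return [src for src, want in expected.items()
            if translate_source(src, rules) != want]

if __name__ == "__main__":
    want = {"192.168.1.20": WAN_ADDRESS, "192.168.5.10": VIP_131}
    for name, table in [("automatic", AUTOMATIC_RULES),
                        ("manual", MANUAL_RULES), ("shadowed", SHADOWED_RULES)]:
        print(f"{name}: mismatches {check_nat_table(table, want)}")
```

Running it reports a mismatch for 192.168.5.10 under the automatic and shadowed tables and none under the manual table, which is a quick way to sanity-check rule order before testing from a real host.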