NAT 1:1 with different subnet size and NAT-pool
-
Hi all,
maybe, this topic has been covered somewhere, but didn't find anything when searching - probably used the wrong search terms.
I run with pFsense 2.0.2 and also with 2.0.3 some preliminary 1:1NAT scenarios in the lab to check NAT between LAN (10.10.0.0/24) and DMZ (OPT1, 10.10.10.0/24) and everything looked great (eg.: 10.10.0.5 <->10.10.10.5, etc.).
All worked fine in a bi-directional way, which implies the hidden, automatically treated "Port-forwarding" in at least one direction. (All further security aspects are treated on level firewall rules).My problem:
Unfortunately, in the operational environment, the LAN IP range is much larger then the /24 address range, even though the amount of participants do net exceed 254 hosts. With other words, around 200 host are spread over 10.10.0.0/22 (255.255.252.0).My question:
How can a 1:1NAT (static ports, bi-directional) be configured to nat a large site into a smaller site to assure static "Port-forwarding" in both of the directions?I tried using AON with a NAT-pool (Proxy-ARP Virtual-IP-range on DMZ) which worked fine from LAN -> DMZ, but failed to setup the opposite direction DMZ -> LAN (Port-forwarding method did not work, since it is not possible this to be configured for IP/DMZ to IP/LAN and for "any" ports to "any" ports.
Is there no NAT-reflection for AON rules availabe?. I believe, this would do it!
thanks
Arn