NAT 1:1 with different subnet size and NAT-pool



Hi all,

Maybe this topic has been covered somewhere, but I didn't find anything when searching; probably I used the wrong search terms.

I ran some preliminary 1:1 NAT scenarios in the lab with pfSense 2.0.2 and also with 2.0.3 to check NAT between LAN (10.10.0.0/24) and DMZ (OPT1, 10.10.10.0/24), and everything looked great (e.g. 10.10.0.5 <-> 10.10.10.5, etc.).
Everything worked fine bi-directionally, which implies the hidden, automatically handled "port forwarding" in at least one direction. (All further security aspects are handled at the firewall-rule level.)

My problem:
Unfortunately, in the operational environment, the LAN IP range is much larger than a /24 address range, even though the number of participants does not exceed 254 hosts. In other words, around 200 hosts are spread over 10.10.0.0/22 (255.255.252.0).

My question:
How can a 1:1 NAT (static ports, bi-directional) be configured to NAT a larger subnet into a smaller one so as to assure static "port forwarding" in both directions?

I tried using AON with a NAT pool (Proxy ARP virtual IP range on DMZ), which worked fine from LAN -> DMZ, but I failed to set up the opposite direction DMZ -> LAN (the port-forwarding method did not work, since it is not possible to configure this for IP/DMZ to IP/LAN and for "any" ports to "any" ports).

Is there no NAT reflection available for AON rules? I believe this would do it!

Thanks,
Arn


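The post asks how a 1:1 NAT can map a /22 into a /24 while staying static in both directions. The following Python script is an added example, not code from the post or from pfSense, that shows with constructed sample hosts why a bitmask-style network-to-network translation (keep the host bits that fit under the /24, replace the network bits) cannot be reversed for a /22, and why an explicit per-host table (one entry per host, as in the /24-to-/24 lab setup) keeps the DMZ -> LAN direction unambiguous. The 200-host list, the sequential DMZ address assignment and all function names are assumptions made for this illustration.

```python
"""Added example: 1:1 NAT between subnets of different size.

Shows why a bitmask translation of 10.10.0.0/22 onto 10.10.10.0/24 is not
invertible (so no static reverse mapping exists) and that an explicit
per-host table is. Not pfSense code; sample data is constructed.
"""
import ipaddress
from collections import defaultdict

LAN_NET = ipaddress.ip_network("10.10.0.0/22")
DMZ_NET = ipaddress.ip_network("10.10.10.0/24")

# Constructed sample data (assumption for this example): 200 LAN hosts,
# 50 in each of the four /24s that make up 10.10.0.0/22.
SAMPLE_LAN_HOSTS = [
    f"10.10.{third}.{fourth}" for third in range(4) for fourth in range(5, 55)
]


def bitmask_translate(addr, target_net=DMZ_NET):
    """Bitmask-style 1:1 translation: keep the host bits that fit under
    target_net's prefix, replace the network bits with target_net's.
    For a /24 target only the last octet of the LAN address survives."""
    a = ipaddress.ip_address(addr)
    host_bits = target_net.max_prefixlen - target_net.prefixlen
    host_part = int(a) & ((1 << host_bits) - 1)
    return str(ipaddress.ip_address(int(target_net.network_address) | host_part))


def bitmask_collisions(lan_hosts, target_net=DMZ_NET):
    """Translate every LAN host and return {dmz_addr: [lan hosts]} for every
    DMZ address claimed by more than one LAN host. Each entry is a packet
    arriving from the DMZ that cannot be mapped back to one LAN host."""
    reverse = defaultdict(list)
    for host in lan_hosts:
        reverse[bitmask_translate(host, target_net)].append(host)
    return {dmz: hosts for dmz, hosts in reverse.items() if len(hosts) > 1}


def fits(lan_hosts, target_net=DMZ_NET):
    """True when the distinct LAN hosts fit into the usable addresses of
    target_net (network and broadcast address excluded)."""
    return len(set(lan_hosts)) <= target_net.num_addresses - 2


def build_host_table(lan_hosts, target_net=DMZ_NET):
    """Explicit per-host 1:1 table: LAN hosts in address order get the
    usable DMZ addresses in order (assumed assignment policy). Because
    every LAN host gets its own DMZ address the table is bijective."""
    if not fits(lan_hosts, target_net):
        raise ValueError(f"{len(set(lan_hosts))} hosts do not fit in {target_net}")
    ordered = sorted({ipaddress.ip_address(h) for h in lan_hosts})
    return {str(lan): str(dmz) for lan, dmz in zip(ordered, target_net.hosts())}


def is_invertible(table):
    """True when no two LAN hosts share a DMZ address, i.e. the DMZ -> LAN
    direction is a function too, which static bi-directional NAT needs."""
    return len(set(table.values())) == len(table)


def reverse_lookup(table, dmz_addr):
    """DMZ -> LAN direction on an explicit table."""
    inverse = {dmz: lan for lan, dmz in table.items()}
    return inverse[str(ipaddress.ip_address(dmz_addr))]


if __name__ == "__main__":
    clashes = bitmask_collisions(SAMPLE_LAN_HOSTS)
    print(f"bitmask /22 -> /24: {len(clashes)} DMZ addresses are ambiguous, e.g.")
    print("  10.10.10.5 <-", clashes["10.10.10.5"])
    table = build_host_table(SAMPLE_LAN_HOSTS)
    print(f"per-host table: {len(table)} entries, invertible={is_invertible(table)}")
    print("  10.10.2.30 ->", table["10.10.2.30"], "->", reverse_lookup(table, table["10.10.2.30"]))
```

The bitmask result is the reason the LAN -> DMZ direction can look fine while DMZ -> LAN cannot be made static: four LAN hosts share every DMZ address, so the firewall has nothing to base a reverse translation on. The per-host table is only a mapping exercise here; on the firewall it corresponds to one 1:1 entry per host, which the post's /24 lab already showed working in both directions.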