[SOLVED] Outbound NAT with Virtual IP using LAN IP as outbound IP



  • Hi all,

    I have a question about setting up outbound NAT when also using public IPs. I cannot separate my networks physically, so I plan to have a virtual IP on my LAN interface.

    My current setup is roughly as follows:

    My router has 1 of my public IP addresses assigned on the LAN side. That connects to a host with a different public address and also a LAN interface. I use IPTables on that host to NAT all traffic from my private network (192.168.11.0/24) to the public IP address of that host. So all internal traffic appears to come from x.x.x.169.

    With my PFSense setup, I want to replace both that machine and the current router. So the new network setup would look like

    I have a virtual IP address setup on the LAN side (192.168.11.1) and I've added a firewall rule and a NAT entry for this. I also tried removing the firewall entry and just having the NAT entry. I restarted after each of these changes. However, none of the machines on the 192.168.11.0 network are able to make connections to the world.

    My main desire is that the machines on the network are NATted to one of my public IP addresses. I do not want to use the WAN IP as this is dynamic and changes at times.

    Other machines with public IP addresses using the LAN IP (so no NAT) as their gateway work fine though.

    Is what I'm trying to do here possible, and if so, could someone please advise how I achieve this - thanks! :)

    NAT Entry
    Manual outbound NAT rule generation enabled
    Mapping:
    Interface -> Lan
    Source -> 192.168.11.0/24
    Source Port -> *
    Destination -> *
    Destination Port -> *
    NAT Address -> LAN address
    NAT Port -> *
    Static -> No

    Firewall rule
    Section -> LAN
    Type -> Pass
    Proto -> IPv4 *
    Source -> 192.168.11.0/24
    Port -> *
    Destination -> *
    Port -> *
    Gateway -> *
    Queue -> none



  • I am going to take a stab at it. First, is the 169, 174 WAN address you have assigned to you? Those parts where you have dynamic are usually internet routable addresses and if they are like mine, they are an address in your range. Is this the case and is your ISP routing your public IPs to the dynamic IP address? This looks more like a routing problem mixed with a little ISP trickery from the old setup trying to bleed into the new setup.



  • @podilarius:

    I am going to take a stab at it. First, is the 169, 174 WAN address you have assigned to you?

    Yes - I have a block of IPs (/29) assigned to me. The ISP routes them via the dynamic IP, which changes from time to time.

    These addresses are internet routable.

    Those parts where you have dynamic are usually internet routable addresses and if they are like mine, they are an address in your range. Is this the case and is your ISP routing your public IPs to the dynamic IP address? This looks more like a routing problem mixed with a little ISP trickery from the old setup trying to bleed into the new setup.

    The dynamic part is not in my range - only addresses that I've represented as x.x.x.NNN are part of my range. In my existing config, the last IP in my range is used on the LAN side of the router that the ISP supplies. The WAN side is a dynamic address allocated after PPPoE authentication.

    For the public IPs, my setup works. I have 1 public IP on the LAN side of pfSense (the same as what I had with the previous router) and all machines on the LAN that use public IPs use that as their gateway. They can access the world, and the world can access the parts of those machines that I allow (they currently all have their own IPTables firewalls with no firewalling from pfSense yet).



  • Just to clarify some of this - the routing aspects of this new pfSense setup work fine for public IP addresses. And for non-public machines on my network (192 IP range), if I set up a NAT rule that uses the WAN as the IP address for rewrites, then this works too.

    But that means that all of my workstations and devices that do not have public IP addresses appear as a random address that changes whenever the ISP changes it.

    What I'm trying to do is use the LAN side IP address as the address that all private IPs are rewritten to.



  • It turns out that this is quite easy, but even after figuring it out, I'm still not sure it was clear from the documentation.

    The solution is as follows:

    1. Make your LAN IP address an address on your private network
    2. Add an IP alias of the public IP address under Firewall -> Virtual IPs that you wish to NAT as
    3. Add an outbound NAT rule and pick the IP alias that you created in step 2

    That IP alias can also be the gateway address for hosts on your DMZ that will be using public IPs.

    If you assign the IP address directly to the LAN interface, it does not show up as an option for NAT. It only appears if you add it as an alias.
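    For readers who want to see what the three steps above amount to underneath the GUI, here is the equivalent pf ruleset fragment. This is an added illustration, not the poster's configuration or output generated by pfSense; the interface name em1/em0, the documentation address 203.0.113.169 (standing in for x.x.x.169) and attaching the outbound NAT rule to the WAN interface (where the translated traffic actually leaves) are assumptions.

```pf
# Assumed interface names (placeholders, not from the thread)
wan = "em0"       # PPPoE side, dynamic address
lan = "em1"       # LAN side, now carrying a PRIVATE primary address (step 1)
lan_net = "192.168.11.0/24"

# Step 2: the public /29 address is configured as an IP alias on the LAN
# interface (Firewall -> Virtual IPs, type "IP alias"), not as its primary
# address. 203.0.113.169 is a documentation placeholder for x.x.x.169.
nat_ip = "203.0.113.169"

# Step 3: outbound NAT. Private hosts leave through the WAN with the fixed
# public alias as their source, so their external address no longer follows
# the dynamic WAN address. Equivalent of the GUI rule with the alias chosen
# as the NAT address.
nat on $wan inet from $lan_net to any -> $nat_ip

# The LAN pass rule from the original post, unchanged in intent:
# allow the private network out; no gateway override, so it follows the
# default route via the WAN.
pass in quick on $lan inet from $lan_net to any keep state

# DMZ hosts with their own public addresses use $nat_ip as their gateway and
# are routed, not translated; nothing here rewrites their source.
```

    Because the ISP routes the /29 to the dynamic WAN address, replies to 203.0.113.169 still arrive on em0 and pf matches them to the state created by the nat rule.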



  • Yup, some have even used the lo0 interface to add aliases to in this kind of situation. This way you don't have live IPs as aliases on your LAN. However, everything on the LAN would use private IPs with LAN as the gateway. You could then use 1:1 or port forward if you like.

