NAT to duplicate address on multiple VLANs



  • We have packaging equipment that comes from the fabricator with three default addresses: 192.168.1.10, 192.168.1.20 and 192.168.1.30, with a gateway of 192.168.1.1. We have 3 of the packagers on site. For whatever reason, changing the addresses is a big deal. The fabricator's solution is to place a gateway with one-to-one NAT in front of each line. So the gateways would have 9 addresses NATed to the various packaging controller interfaces.
    I would like to set up a VLAN per packager and then 1:1 NAT to a fourth VLAN for outside access. I cannot find a way to allow the same network on multiple interfaces. Our fallback is to run 3 pfSense instances on VirtualBox.


  • LAYER 8 Global Moderator

    You cannot put the same networks on different VLANs. Their solution of putting a NAT device in front of the devices... what is this device? Or is it going to be what you put in front? If so, then sure, you could put pfSense VMs in front.

    How big of a deal is it to just change the IPs to, say, 192.168.2.10, .2.20, .2.30 and 192.168.3.10, .3.20, .3.30, etc., where the gateways would be 192.168.2.1 and 192.168.3.1, etc.?



  • I've heard of such horrid scenarios in industrial automation. Apparently with some SCADA systems the world will come crashing down if X PLC isn't 192.168.1.10, Y HMI isn't 192.168.1.20, or what have you. Absurd, but SCADA is full of network and (in)security absurdities.

    It's not possible to have one machine with duplicated IPs existing simultaneously on multiple VLANs. You want to talk to 1.2.3.4, which is NATed to 192.168.1.10; there can only be one 192.168.1.10, as there is no possible way to differentiate which 192.168.1.10 you want: the NAT happens purely at layer 3.

    VMs (in a production server-grade hypervisor, not VirtualBox) could work. Multiple physical boxes would work.
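The two points made in this thread, that a single router cannot hold 192.168.1.0/24 on three VLAN interfaces because a destination of 192.168.1.10 can only resolve to one interface, and that one NAT instance per packaging line makes the mapping unambiguous, can be shown with a small model. The following is an added example, not code from the thread or from pfSense: it models a minimal routing table (connected routes, longest-prefix match) that refuses an overlapping subnet on a second interface the way the pfSense interface configuration does, then builds three independent gateway instances, each with its own table, one inside VLAN and a 1:1 map from outside to inside addresses. The interface names (`vlan10`, `vlan20`, `vlan30`, `vlan40`), the 10.0.4.0/24 outside VLAN and the nine outside addresses (`10.0.4.(50*n + k)` for line `n` and device host `k`) are assumptions chosen for the illustration.

```python
"""Model of why one router cannot carry 192.168.1.0/24 on three VLANs, and how
one NAT instance per packaging line resolves it.  Constructed illustration: the
interface names, the 10.0.4.0/24 outside VLAN and the outside addresses are
assumptions, not values from the thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    """Minimal FIB: connected routes only, longest-prefix match."""
    routes: list = field(default_factory=list)  # (ip_network, interface)

    def add_connected(self, network: str, iface: str) -> None:
        net = ipaddress.ip_network(network, strict=False)
        for existing, other in self.routes:
            # Like the pfSense interface config, refuse an overlapping subnet on a
            # second interface: the FIB would have no way to choose between them.
            if existing.overlaps(net) and other != iface:
                raise ValueError(
                    f"{net} on {iface} overlaps {existing} already on {other}")
        self.routes.append((net, iface))

    def lookup(self, ip: str) -> str | None:
        addr = ipaddress.ip_address(ip)
        best = None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def single_router_attempt() -> str:
    """One router, three VLAN interfaces, all 192.168.1.0/24: the second
    interface is rejected, so 192.168.1.10 can only ever mean one line."""
    fib = RouteTable()
    fib.add_connected("192.168.1.1/24", "vlan10")
    try:
        fib.add_connected("192.168.1.1/24", "vlan20")
    except ValueError as err:
        return str(err)
    return "unexpectedly accepted"


@dataclass
class NatInstance:
    """One gateway (pfSense VM or hardware box) per packaging line.  Each has
    its own FIB, one inside VLAN and a 1:1 map from outside to inside address."""
    name: str
    inside_iface: str
    fib: RouteTable
    one_to_one: dict  # outside IP -> inside IP


OUTSIDE_VLAN = "vlan40"       # assumed fourth VLAN for outside access
DEVICE_HOSTS = (10, 20, 30)   # the fabricator's fixed 192.168.1.{10,20,30}


def build_instances() -> list[NatInstance]:
    """Three independent instances.  Outside addresses are an assumption:
    line n maps 192.168.1.k to 10.0.4.(50*n + k)."""
    instances = []
    for n in (1, 2, 3):
        fib = RouteTable()
        fib.add_connected("192.168.1.1/24", f"vlan{n}0")   # inside, same subnet on every line
        fib.add_connected("10.0.4.0/24", OUTSIDE_VLAN)      # shared outside VLAN
        mapping = {f"10.0.4.{50 * n + k}": f"192.168.1.{k}" for k in DEVICE_HOSTS}
        instances.append(NatInstance(f"line{n}", f"vlan{n}0", fib, mapping))
    return instances


def resolve(outside_ip: str, instances: list[NatInstance]) -> tuple[str, str, str] | None:
    """Which line, inside address and egress interface an outside address
    reaches.  Unambiguous because each outside address belongs to exactly one
    instance, and each instance's FIB has 192.168.1.0/24 on a single interface."""
    for inst in instances:
        inside = inst.one_to_one.get(outside_ip)
        if inside is not None:
            return inst.name, inside, inst.fib.lookup(inside)
    return None


def outside_addresses_unique(instances: list[NatInstance]) -> bool:
    """Sanity check: the nine outside addresses must not collide across lines."""
    seen = [o for inst in instances for o in inst.one_to_one]
    return len(seen) == len(set(seen))


if __name__ == "__main__":
    print("single router:", single_router_attempt())
    lines = build_instances()
    print("outside addresses unique:", outside_addresses_unique(lines))
    for outside in ("10.0.4.60", "10.0.4.120", "10.0.4.180"):
        print(outside, "->", resolve(outside, lines))
```

The first function fails the way the original poster observed in the pfSense UI; the rest shows why the fallback of three separate instances works: the identical 192.168.1.0/24 subnets never share a routing table, and the only thing that is shared, the outside VLAN, carries nine distinct addresses.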

