Private Network With No Router

  • I've been attempting to implement something with pfSense that I thought would be a simple use of some 1:1 NAT, but after much experimentation, I'm not getting anywhere and I'm starting to question if it's even possible.

    I've included what I hope will be a useful visual aid (You may need to scroll left & right to see it all.):

    What I'm hoping to configure is a setup where hosts on the left can access the host on the right, via a VIP on the 'WAN' interface of the pfSense box.  The monkey wrench in the works here is that the subnet on the right has no route off of it.  The hosts that sit there have no router configured, nor can I configure one.  (They're part of a rack of equipment that's sold as a "product" and we can't modify their config.)

    My thought was if packets from the left side of the diagram could be "re-written" so that they hit the node on the right with the pfSense machine's 'LAN' IP of as the source IP.  Then the node would respond with the IP as the destination IP, and then the pfSense machine would re-write the packets so they would route back to the originating host on the left side of the diagram, all providing transparent access to the node.

    Is this possible?  Is pfSense the right tool?

    Thanks in advance for your consideration of my crazy ideas.


  • This is certainly doable with pfsense. I have done the same thing in my lab for some speed testing. I think you will need to setup manual outbound NAT since NAT is usually only completed on the WAN interface by default. Basically you would need to access, that 1:1 NAT will change the destination, but not the source to The host on the right would still get the remote IP of the machine that is communicating to it. So you are going to have to switch to manual outbound NAT and add a LAN entry to change anything going to to the LAN IP or a VIP on the LAN side of pfsense.
    This way the machine talks to the VIP or LAN IP of pfsense.
    Normal 1:1 would probably work if you swapped LAN and WAN on pfSense such that all that on the left is LAN and everything on the right is WAN. Then you just have to make sure that your main router (if not pfsense) routes data destined for to the LAN ip of pfSense. After that 1:1 NAT works with no further changes.

  • Could you elaborate more on this part?:

    "add a LAN entry to change anything going to to the LAN IP or a VIP on the LAN side of pfsense."


  • If you enable manual outbound NAT, you can specify a rule on the LAN interface that changes anything destined to to use the LAN interface address or a VIP. Just like creating a manual WAN rule. I really think the other way would be less "complicated". It up to you.

Log in to reply