    Netgate Discussion Forum

    Group NAT to Single IP

      southfork last edited by

      Hello, here is my setup.

      WAN1 IP = a.b.c.2/24 | Gateway = a.b.c.1
      WAN2 IP = d.e.f.2/24 | Gateway = d.e.f.1

      LAN1 IP = 192.16.8.2 | Firewall rule 192.168.1.0/24 use WAN1 gateway
      LAN2 IP = 10.0.0.2/24 | Firewall rule 10.0.0.0/24 use WAN1 gateway
      LAN3 IP = 172.17.1.2/24 | Firewall rule 172.16.1.0/24 use WAN2 gateway

      I need to NAT a range of IPs on LAN3 to a single IP address on WAN2. Example: IP range 172.16.1.100 through 172.16.1.150 to use the public IP address d.e.f.76 only. Everyone else on the 172.16.1.0 subnet should use the public IP address d.e.f.2.

      Would I use outbound NAT or VIP, or both?

        GruensFroeschli last edited by

        I assume you already created a VIP for d.e.f.76.

        First, change your firewall rules.

        Create an alias for the IP ranges you want.
        Change the rules on your LAN interfaces so that you have a rule for every IP range you have.
        Set as source your IP-range alias and as gateway the WAN you want.

        Second, activate Advanced Outbound NAT.

        Create a rule ABOVE the rule that NATs your subnets to a specific interface.
        Set as source your IP range (too bad you cannot use aliases in AoN rules…)
        Set as translation address your VIP.

        I didn't test that, but I think this is the way you should do it.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

          southfork last edited by

          @GruensFroeschli:

          I assume you already created a VIP for d.e.f.76.

          First, change your firewall rules.

          Create an alias for the IP ranges you want.
          Change the rules on your LAN interfaces so that you have a rule for every IP range you have.
          Set as source your IP-range alias and as gateway the WAN you want.

          Second, activate Advanced Outbound NAT.

          Create a rule ABOVE the rule that NATs your subnets to a specific interface.
          Set as source your IP range (too bad you cannot use aliases in AoN rules…)
          Set as translation address your VIP.

          I didn't test that, but I think this is the way you should do it.

          Thanks for your reply.

          Yes, I have set up a VIP for d.e.f.76.

          Should I set Outbound NAT to manual or leave it as automatic?

            hoba last edited by

            You need to specify manual outbound NAT rules for this. Don't forget that they are first match wins, just like firewall rules, so you should have some default catch-all rules for other traffic at the bottom (a default LAN to WAN rule will be created for you automatically when enabling advanced outbound NAT). You of course need that for all your WANs and LANs or you'll break connectivity.

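The first-match behaviour described in the reply above, as an added example that is not part of the thread and is not pfSense code: a small model of ordered outbound NAT rules that shows why the range rule has to sit above the subnet rule, and flags rules that can never match. The rule names are hypothetical, and 203.0.113.76 / 203.0.113.2 are constructed stand-ins for d.e.f.76 / d.e.f.2.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    name: str                       # hypothetical label, not a pfSense field
    first: ipaddress.IPv4Address    # start of source range (inclusive)
    last: ipaddress.IPv4Address     # end of source range (inclusive)
    translate_to: str               # address the source is rewritten to

def rule(name, first, last, translate_to):
    return NatRule(name, ipaddress.ip_address(first),
                   ipaddress.ip_address(last), translate_to)

def translate(rules, src):
    """First match wins: return the translation of the first matching rule."""
    ip = ipaddress.ip_address(src)
    for r in rules:
        if r.first <= ip <= r.last:
            return r.translate_to
    return None  # no rule matched: this source gets no outbound NAT

def shadowed(rules):
    """Names of rules that can never match: earlier rules cover their range."""
    dead = []
    for i, r in enumerate(rules):
        cursor = int(r.first)  # lowest address of r not yet covered
        for e in sorted(rules[:i], key=lambda x: int(x.first)):
            if int(e.first) <= cursor <= int(e.last):
                cursor = int(e.last) + 1
        if cursor > int(r.last):
            dead.append(r.name)
    return dead

# Constructed sample rules; 203.0.113.x stands in for d.e.f.x.
GROUP = rule("group-to-VIP", "172.16.1.100", "172.16.1.150", "203.0.113.76")
SUBNET = rule("LAN3-default", "172.16.1.0", "172.16.1.255", "203.0.113.2")
GOOD = [GROUP, SUBNET]   # specific rule above the subnet rule
BAD = [SUBNET, GROUP]    # subnet rule first: the group rule is dead

if __name__ == "__main__":
    for label, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, translate(rules, "172.16.1.120"),
              translate(rules, "172.16.1.20"), shadowed(rules))
```

A source outside every rule, such as 10.0.0.5 here, returns None, which is the broken-connectivity case when a LAN has no catch-all rule.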
              southfork last edited by

              Looks like that got it.  Thanks for the info.
