4. Group NAT to Single IP

Group NAT to Single IP

  • S

    Hello, here is my setup.

    WAN1 IP = a.b.c.2/24 | Gateway = a.b.c.1
    WAN2 IP = d.e.f.2/24 | Gateway = d.e.f.1

    LAN1 IP = 192.16.8.2 | Firewall rule 192.168.1.0/24 use WAN1 gateway
    LAN2 IP = 10.0.0.2/24 | Firewall rule 10.0.0.0/24 use WAN1 gateway
    LAN3 IP =172.17.1.2/24 | Firewall rule 172.16.1.0/24 use WAN2 gateway

    I need to NAT a range of IPs on LAN3 to a single IP address on WAN2,  example: IP range 172.16.1.100 thru 172.16.1.150 to use public IP address of d.e.f.76 only.  Everyone else on the 172.16.1.0 subnet to use the public IP address of d.e.f.2.

    Would I use outbound NAT or VIP, or both?

    0

  • I assume you already created a VIP for d.e.f.76

    First change your firewall-rules

    Create an alias for the IP-ranges you want.
    Change the rules on your LAN interfaces so that you have a rule for every IP-range you have.
    Set as source your IP-range alias and as gateway the WAN you want.

    Second activate Advanced Outbound NAT.

    Create a rule ABOVE the rule that NAT's your subnet's to a specific interface.
    Set as source your IP-range (too bad you cannot use aliases in AoN-rules…)
    Set as translation adress your VIP.

    I didnt test that but i think this is the way you should do it.

    0
  • S

    @GruensFroeschli:

    I assume you already created a VIP for d.e.f.76

    First change your firewall-rules

    Create an alias for the IP-ranges you want.
    Change the rules on your LAN interfaces so that you have a rule for every IP-range you have.
    Set as source your IP-range alias and as gateway the WAN you want.

    Second activate Advanced Outbound NAT.

    Create a rule ABOVE the rule that NAT's your subnet's to a specific interface.
    Set as source your IP-range (too bad you cannot use aliases in AoN-rules…)
    Set as translation adress your VIP.

    I didnt test that but i think this is the way you should do it.

    Thanks for your reply.

    Yes, I have setup a VIP for d.e.f.76.

    Should I set Outbound NAT to manual or leave it as automatic?

    0
  • H

    You need to specify manual outbound nat rules for this. Don't forget that they are first match wins, just like firewallrules so you should have some default catch all other traffic rules at the bottom (a default lan to wan rule will be created for you automatically when enabling advanced outbound nat). You of course need that for all your WANs and LANs or you'll break connectivity.

    0
  • S

    Looks like that got it.  Thanks for the info.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy