[Solved] Multiple subnet on WAN Interface, single GW, natting



  • Hi everybody.
    I've searched the forum, but I haven't found anything useful for my problem.

    This is my situation:

    172.20.30.0/24 ==== LAN1(172.20.30.254)  _________
    172.20.31.0/24 ==== LAN2(172.20.31.254) |        | 
    172.20.32.0/24 ==== LAN3(172.20.32.254) | pfSense | WAN(10.215.221.181) ==== (10.216.221.177) ISP_GW === WORLD
                  ==== ….                |_________|                10.215.221.176/29
    172.20.3x.0/24 ==== LANx(172.20.3x.254)                            10.215.221.0/25

    My ISP has assigned to us 2 subnets (I'll use here private IPs 10.x.x.x, but they are public):

    1. 10.215.221.176/29
      10.215.221.177 is the default gw.
      I've configured the pfsense WAN interface with 10.215.221.181

    2. 10.215.221.0/25: this network is routed from the ISP to the address 10.215.221.181

    Now what I need is to be able to use the IP addresses in 10.215.221.0/25 subnet to NAT 1:1 servers in the LANs.
    I've managed to obtain this result with a Linux box with a few simple iptables DNAT/SNAT rules, but, so far, I had no luck with pfSense.

    In pfSense I've tried to define virtual IPs, but the virtual IPs not included in the same netmask as the gateway seem to be unreachable and NAT is not working.

    Any suggestion? Or any link where I can find a useful howto, tutorial, or information?

    Thank You

    Eugenio


  • Rebel Alliance Global Moderator

    If they are routed to you, why would you not put them on your lan side?



  • @johnpoz:

    If they are routed to you, why would you not put them on your lan side?

    Do you mean I should assign public addresses to servers in every single LAN (or OPTx) network?
    I see 2 problems with this solution

    1. simply… I can't assign public addresses to the hosts in LAN (it's a policy, I can't do anything about it)
    2. even if I could, wouldn't it be necessary to split the 10.215.221.0/25 in order to have a different subnet (and gateway) for every LAN interface? I can't waste so many addresses :)

    Thank you


  • Rebel Alliance Global Moderator

    Dude I don't know what you wanted to do with those networks - but you stated they are ROUTED to you.. So you route them, why would the servers that need the IPs you're wanting to 1:1 with not just have that IP in their own segment?

    Sounds like you just want more addresses that your ISP routes, i.e. would have a gateway they manage.  But the way you worded the post they routed those networks to your public IP.

    1. 10.215.221.0/25: this network is routed from the ISP to the address 10.215.221.181


  • Along the lines of what JohnPoz is stating, is your ISP running a routing protocol (BGP)? Usually I have seen a /30 between the user and the ISP and then the user can use their larger network as they see fit. Is your /25 from your ISP or did you get them from ARIN?



  • Try creating an alias on the WAN like 10.215.221.1/25, then create CARP VIPs for 10.215.221.2,3,4,etc. Then use the CARP VIPs for 1-1s or port forwards. You should also be able to use 'Other' VIPs, but CARP type are more flexible.



  • @dotdash:

    Try creating an alias on the WAN like 10.215.221.1/25, then create CARP VIPs for 10.215.221.2,3,4,etc. Then use the CARP VIPs for 1-1s or port forwards. You should also be able to use 'Other' VIPs, but CARP type are more flexible.

    Great, it works perfectly, even if I don't create the alias on the WAN, just with the CARP VIPs.

    Thank you!
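The thread turns on one distinction: addresses inside the WAN /29 are on-link (the ISP gateway can ARP for them), while addresses inside the /25 are reachable only because the ISP forwards that whole block to the WAN address, so a VIP from the /25 works for 1:1 NAT even though it is outside the gateway's netmask. The following Python model, added here as an example and not code from the thread or from pfSense, uses the addresses from the first post, a constructed VIP-to-server table in the spirit of dotdash's suggestion (.2, .3, .4 from the /25), and a constructed client address. It classifies each VIP, checks a NAT table for mistakes, walks a request and its reply through the DNAT/SNAT rewrite that 1:1 NAT performs, and emits the equivalent iptables DNAT/SNAT pair the first post mentions having used on a Linux box.

```python
from ipaddress import ip_address, ip_network

# Addressing from the thread (the author's private stand-ins for public IPs)
WAN_LINK = ip_network("10.215.221.176/29")   # link net shared with the ISP gateway
ISP_GW = ip_address("10.215.221.177")
WAN_IP = ip_address("10.215.221.181")        # pfSense WAN address
ROUTED = ip_network("10.215.221.0/25")       # ISP routes this whole block to WAN_IP

# Constructed 1:1 NAT table: public VIP (taken from the routed /25) -> LAN server
NAT_1TO1 = {
    ip_address("10.215.221.2"): ip_address("172.20.30.10"),
    ip_address("10.215.221.3"): ip_address("172.20.31.10"),
    ip_address("10.215.221.4"): ip_address("172.20.32.10"),
}
REVERSE = {priv: pub for pub, priv in NAT_1TO1.items()}


def classify_vip(addr):
    """Say how (or whether) traffic for a candidate VIP can reach this firewall."""
    addr = ip_address(addr)
    if addr in WAN_LINK:
        return "on-link"       # the ISP gateway can ARP for it directly
    if addr in ROUTED:
        return "routed"        # delivered only because the ISP forwards the /25 to WAN_IP
    return "unreachable"       # nothing upstream will ever send packets here


def validate_nat_table(table):
    """Return a list of problems; an empty list means every VIP can receive traffic."""
    problems = []
    seen_private = set()
    for pub, priv in table.items():
        if classify_vip(pub) == "unreachable":
            problems.append(f"{pub}: not inside {WAN_LINK} or {ROUTED}, traffic will never arrive")
        if pub in (WAN_IP, ISP_GW):
            problems.append(f"{pub}: already used by the WAN interface or the ISP gateway")
        if not priv.is_private:
            problems.append(f"{priv}: inside address is not an RFC 1918 address")
        if priv in seen_private:
            problems.append(f"{priv}: mapped from more than one VIP, replies become ambiguous")
        seen_private.add(priv)
    return problems


def translate_inbound(pkt):
    """DNAT on ingress: a packet addressed to a VIP is rewritten to the LAN server.
    Returns None when no mapping exists (the firewall would then treat the packet as
    addressed to itself and its rules would normally drop it)."""
    dst = ip_address(pkt["dst"])
    if dst not in NAT_1TO1:
        return None
    return {**pkt, "dst": str(NAT_1TO1[dst])}


def translate_outbound(pkt):
    """SNAT on egress: a mapped server leaves with its VIP as source; any other LAN
    host is hidden behind the WAN address, as ordinary outbound NAT would do."""
    src = ip_address(pkt["src"])
    return {**pkt, "src": str(REVERSE.get(src, WAN_IP))}


def round_trip(client, vip, port=443):
    """Client -> VIP -> server, then the server's reply; returns both rewritten packets."""
    req = translate_inbound({"src": client, "dst": vip, "dport": port})
    if req is None:
        return None
    reply = translate_outbound({"src": req["dst"], "dst": client, "sport": port})
    return req, reply


def linux_rules(table):
    """The iptables DNAT/SNAT pair per mapping, in the style the first post describes
    having used on a Linux box (constructed here, not the poster's actual rules)."""
    lines = []
    for pub, priv in table.items():
        lines.append(f"iptables -t nat -A PREROUTING -d {pub} -j DNAT --to-destination {priv}")
        lines.append(f"iptables -t nat -A POSTROUTING -s {priv} -j SNAT --to-source {pub}")
    return lines


if __name__ == "__main__":
    for cand in ("10.215.221.180", "10.215.221.2", "10.215.222.5"):
        print(cand, "->", classify_vip(cand))
    print("table problems:", validate_nat_table(NAT_1TO1) or "none")
    req, reply = round_trip("198.51.100.7", "10.215.221.2")   # constructed client
    print("inbound :", req)
    print("outbound:", reply)
    print("\n".join(linux_rules(NAT_1TO1)))
```

The model also shows why the first post's attempt with plain VIPs looked broken: a VIP is only "routed" if the ISP really forwards the /25 to the WAN address, so the classification here assumes that routing exists exactly as the first post states it. On a real Linux box the PREROUTING/POSTROUTING pair above still needs matching FORWARD rules, which are omitted because the thread does not show them.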