Netgate Discussion Forum
    [Solved] Multiple subnet on WAN Interface, single GW, natting

      siberian

      Hi everybody.
      I've searched the forum, but I haven't found anything useful for my problem.

      This is my situation:

      172.20.30.0/24 ==== LAN1(172.20.30.254)  _________
      172.20.31.0/24 ==== LAN2(172.20.31.254) |        | 
      172.20.32.0/24 ==== LAN3(172.20.32.254) | pfSense | WAN(10.215.221.181) ==== (10.216.221.177) ISP_GW === WORLD
                    ==== ….                |_________|                10.215.221.176/29
      172.20.3x.0/24 ==== LANx(172.20.3x.254)                            10.215.221.0/25

      My ISP has assigned to us 2 subnets (I'll use here private IPs 10.x.x.x, but they are public):

      1. 10.215.221.176/29
        10.215.221.177 is the default gw.
        I've configured the pfsense WAN interface with 10.215.221.181

      2. 10.215.221.0/25: this network is routed from the ISP to the address 10.215.221.181

      Now what I need is to be able to use the IP addresses in 10.215.221.0/25 subnet to NAT 1:1 servers in the LANs.
      I've managed to obtain this result with a Linux box with a few simple iptables DNAT/SNAT rules, but, so far, I had no luck with pfSense.

      In pfSense I've tried to define virtual IPs, but the virtual IPs not included in the same netmask as the gateway seem to be unreachable and NAT is not working.

      Any suggestion? Or any link where I can find useful howto, tutorial, informations?

      Thank You

      Eugenio

        johnpoz LAYER 8 Global Moderator

        If they are routed to you, why would you not put them on your lan side?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          siberian

          @johnpoz:

          If they are routed to you, why would you not put them on your lan side?

          Do you mean I should assign public addresses to servers in every single LAN (or OPTx) network?
          I see 2 problems with this solution

          1. simply… I can't assign public addresses to the hosts in LAN (it's a policy, I can't do anything about it)
          2. even if I could, wouldn't it be necessary to split the 10.215.221.0/25 in order to have a different subnet (and gateway) for every LAN interface? I can't waste so many addresses :)

          Thank you

            johnpoz LAYER 8 Global Moderator

            Dude, I don't know what you wanted to do with those networks - but you stated they are ROUTED to you.. So you route them; why would the server that needs the IPs you're wanting to 1:1 with not just have that IP in its own segment?

            Sounds like you just want more addresses that your ISP routes, i.e. they would have a gateway they manage.  But the way you worded the post, they routed those networks to your public IP.

            1. 10.215.221.0/25: this network is routed from the ISP to the address 10.215.221.181

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              mikeisfly

              Along the lines of what JohnPoz is stating, is your ISP running a routing protocol (BGP)? Usually I have seen a /30 between the user and the ISP, and then the user can use their larger network as they see fit. Is your /25 from your ISP or did you get it from ARIN?

                dotdash

                Try creating an alias on the WAN like 10.215.221.1/25, then create CARP VIPs for 10.215.221.2,3,4,etc. Then use the CARP VIPs for 1-1s or port forwards. You should also be able to use 'Other' VIPs, but CARP type are more flexible.

                  siberian

                  @dotdash:

                  Try creating an alias on the WAN like 10.215.221.1/25, then create CARP VIPs for 10.215.221.2,3,4,etc. Then use the CARP VIPs for 1-1s or port forwards. You should also be able to use 'Other' VIPs, but CARP type are more flexible.

                  Great, it works perfectly, even if I don't create the alias on the WAN, just with the CARP VIPs.

                  Thank you!

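The distinction the thread turns on, as an added example that is not from any poster: an address outside the gateway's /29 is still usable as a WAN VIP when the ISP routes its prefix to the WAN address, while an address in neither range has nothing upstream delivering it. The constants reuse the thread's (already anonymised) addresses and LAN names; `classify_vip` and `plan_one_to_one` are assumed helper names, not pfSense functions.

```python
from ipaddress import ip_address, ip_interface, ip_network

# Values as given in the thread (public ranges shown as 10.x.x.x, as the poster did)
WAN_IF = ip_interface("10.215.221.181/29")   # pfSense WAN address and its link subnet
ISP_GW = ip_address("10.215.221.177")        # default gateway on that link
ROUTED = [ip_network("10.215.221.0/25")]     # prefixes the ISP forwards to 10.215.221.181
LANS = {
    "LAN1": ip_network("172.20.30.0/24"),
    "LAN2": ip_network("172.20.31.0/24"),
    "LAN3": ip_network("172.20.32.0/24"),
}


def classify_vip(vip):
    """'link': on the WAN subnet, reached by ARP from the gateway.
    'routed': outside the gateway's netmask, but the ISP forwards it to the
    WAN address, so it works once pfSense answers for it (CARP/Other VIP).
    'unreachable': nothing upstream delivers traffic for it."""
    addr = ip_address(vip)
    if addr in WAN_IF.network:
        return "link"
    if any(addr in net for net in ROUTED):
        return "routed"
    return "unreachable"


def plan_one_to_one(mappings):
    """Validate (public VIP, LAN host) pairs and return the 1:1 NAT plan.
    Each entry records which LAN the host sits on, so one WAN VIP per
    server is enough: the routed /25 is never split across LAN interfaces."""
    plan, seen = [], set()
    for vip, host in mappings:
        kind = classify_vip(vip)
        if kind == "unreachable":
            raise ValueError(f"{vip}: not on the WAN link and not routed to it")
        if ip_address(vip) in (WAN_IF.ip, ISP_GW) or vip in seen:
            raise ValueError(f"{vip}: used by the WAN, the gateway or another mapping")
        lan = next((n for n, net in LANS.items() if ip_address(host) in net), None)
        if lan is None:
            raise ValueError(f"{host}: not inside any configured LAN subnet")
        seen.add(vip)
        plan.append({"vip": vip, "kind": kind, "host": host, "lan": lan})
    return plan


if __name__ == "__main__":
    for entry in plan_one_to_one([("10.215.221.2", "172.20.30.10"),
                                  ("10.215.221.3", "172.20.31.20")]):
        print(entry)
```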
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.