Setting Up Two LANs With NAT Between Them
-
I've been looking around, but I haven't found any other issues quite like this. I apologize if this is posted in the wrong section.
I have pfSense 2.2.1 running on a box with four NICs. I need to use three of them.
NIC 1 - WAN
NIC 2 - My internal LAN
NIC 3 - An external LAN that I don't control
The external LAN I don't have much visibility into. From my understanding it is a dumb switch set up for our building to do file sharing/gaming/etc. The IP scheme they set up is 10.0.X.0/16, where X is your room number. There is no router, DHCP, or other services on this external LAN.
What I am looking to do is NAT my internal LAN (192.168.0.0/24) to the external LAN, and also not allow the external LAN to use my WAN. I'd like to have a couple of devices, such as my NAS and gaming PC, accessible from the external LAN, but I would also like to get to the external LAN from any of my devices.
I've tried a few different configurations that haven't been fruitful. Basically, I put the gateway for the external LAN NIC as the IP of the external LAN NIC (10.0.219.1/16) because there is no router on the other side, and set up some 1:1 NAT translations for my NAS and gaming PC. I put rules on my internal LAN and external LAN NICs to allow those subnets through, but I haven't gotten it to work.
Am I on the right track? Does anyone have any insights that can help me out?
Thanks in advance!
-
Not really sure what you are inventing here? Set up some static IP from 10.0.x.0 with NO gateway on your external LAN. Why 1:1 NAT?
-
I know this is an odd situation. Whoever set up the building's LAN either didn't have the equipment or the expertise to set it up a little better.
What they wanted me to do was just put my devices in the IP space of 10.0.219.0/24 because my room is 219. The building's LAN is just a dumb switch where everyone just puts their devices in their little piece with a subnet mask of /16.
I'm not comfortable with having all my devices accessible, and also I would have to disconnect from that network to hook up to my Internet connection. I'm trying to keep all the devices in my room in my little internal LAN that can reach the Internet, but also share out a few select devices with the external LAN and get to other people's shares as well.
I hope I explained that a little better.
I was thinking 1:1 NAT translation for the two hosts on the internal 192.168.0.0/24 LAN would allow IPs on the 10.0.0.0/16 LAN to get to my selected devices. For example, my NAS is 192.168.0.5, so I made a 1:1 translation to 10.0.219.5 on the external LAN NIC because other people's devices on the external LAN have no way to route to the 192.168.0.0/24 network.
Was my thinking off there?
Thanks for your help! I've been running pfSense for years but never had to set up anything this complicated. It's always just been a single LAN, single WAN setup.
-
Frankly, there's no way I'd allow access for such an unmanaged mess to my trusted LAN. If you have four NICs, set up a DMZ for the devices you want accessible there.
(There is no problem with LAN -> BS net access, it gets routed normally by pfSense.)
-
This looks like nothing special. Just follow all the existing 1:1 NAT instructions. Treat the interface to the external LAN as another WAN. It's not really a WAN, but should be treated as hostile like one.
As was mentioned it certainly would be better to put the 1:1 NAT PCs in a DMZ, but 1:1 NAT from the External LAN is no worse than from WAN.
I'm not going to comment on the obvious security concerns with sharing your NAS and PC using 1:1 NAT to a hostile network with wide-open firewall rules.
-
I did finally get it to work late last night with NAT. I made a virtual IP and added some port forwarding.
I put rules to only allow Samba and ICMP to my NAS; I haven't opened up anything to my gaming PC yet.
What I am trying to figure out now is if I can get SSDP to forward through that interface. I have seen a few threads on this forum, but it didn't seem like there are any conclusive answers. I'd like it if my NAS would show up under "Network" on other people's machines, because they don't seem to be too tech savvy around here and it would save me a lot of redundant conversations.
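The design the replies recommend (treat the building LAN as a second, hostile WAN; NAT the internal LAN out to it; expose the NAS through a single address on the building side with nothing but SMB and ping allowed in; give the building LAN no path to the real WAN), written out as a hand-written pf.conf so the rule ordering and the "translate first, then filter on the translated address" behaviour are visible. This is an added illustration, not the ruleset pfSense 2.2.1 generates from its GUI, and not anything the posters above wrote. Interface names igb0/igb1/igb2 are assumed; the addresses come from the thread (192.168.0.0/24 inside, 10.0.0.0/16 building, 10.0.219.1 on the box, NAS 192.168.0.5 exposed as 10.0.219.5). The 10.0.219.5 address must also exist as a Virtual IP (IP alias) on the building-LAN interface so the box answers ARP for it; pf rules alone do not do that.

```pf
# --- macros (assumed interface names; pfSense's real names are whatever
#     the NIC driver assigns, e.g. em0/igb0) ---
wan_if   = "igb0"               # Internet uplink
lan_if   = "igb1"               # trusted internal LAN
ext_if   = "igb2"               # building LAN: unmanaged, treat as hostile

lan_net  = "192.168.0.0/24"
ext_net  = "10.0.0.0/16"
ext_addr = "10.0.219.1"         # this box's address on the building LAN
nas_lan  = "192.168.0.5"        # NAS on the internal LAN
nas_ext  = "10.0.219.5"         # Virtual IP on the building LAN that maps to the NAS

table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# --- translation (pf applies these before the filter rules below) ---

# Internal LAN hosts appear on the building LAN as 10.0.219.1.
nat on $ext_if from $lan_net to $ext_net -> $ext_addr

# Internet access is NATed for the internal LAN only; nothing from the
# building LAN is ever translated out of $wan_if.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Building LAN hosts reach the NAS via its Virtual IP. Only SMB and ping
# are redirected, not the whole address (that is the difference from 1:1 NAT).
rdr on $ext_if proto tcp  from $ext_net to $nas_ext port { 139, 445 } -> $nas_lan
rdr on $ext_if inet proto icmp from $ext_net to $nas_ext -> $nas_lan

# --- filtering: default deny, then explicit passes ---
block log all

# Private source addresses have no business arriving on the uplink.
block in quick on $wan_if from <rfc1918> to any

# Internal LAN may go anywhere: Internet via $wan_if, building via $ext_if.
pass in  on $lan_if from $lan_net to any keep state
pass out all keep state

# Building LAN side. Because rdr already rewrote the destination, the pass
# rules must name the NAS's internal address, not the Virtual IP.
pass in quick on $ext_if proto tcp  from $ext_net to $nas_lan port { 139, 445 } \
    flags S/SA keep state
pass in quick on $ext_if inet proto icmp from $ext_net to $nas_lan \
    icmp-type echoreq keep state
pass in quick on $ext_if inet proto icmp from $ext_net to $ext_addr \
    icmp-type echoreq keep state

# Everything else from the building LAN, including any attempt to reach the
# Internet or the rest of 192.168.0.0/24 through this box, is logged and dropped.
block in log quick on $ext_if all
```

Check the file with `pfctl -nf /path/to/this.conf` (parse only, nothing loaded), then confirm from a building-LAN host that only TCP 139/445 and ping to 10.0.219.5 answer and that traceroute via 10.0.219.1 goes nowhere. Two caveats a practitioner would want: the NAS still sees connections as coming from real 10.0.x.y addresses (rdr does not rewrite the source), so the NAS's own share permissions remain the last line of defence; and SSDP discovery is multicast to 239.255.255.250 on UDP 1900 with a link-local hop limit, so no rdr rule can carry it across this NAT boundary, which is why the "show up under Network" request in the last post is not solvable with port forwarding alone.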