NAT from LAN to OPT1, OPT2, OPT3, OPT4 - SG-4860



  • Hi,

    I was wondering if it is possible to make a NAT setup like the one in my attached drawing.

    The hardware I will use is: SG-4860

    It has 6 ports, and I want to use them all.

    The LAN connection is a network where there will be a server. (172.16.0.xxx / 255.255.248.0)

    OPT1-4 will be networks for some equipment I want to access from the server. (All networks have 192.168.1.xxx / 255.255.255.0)

    The WAN connection will be the internet connection and I will forward port 80 to the server.

    So, if I want to access a device on the OPT1 network, on the server I will enter 172.16.1.xxx; OPT2 = 172.16.2.xxx, OPT3 = 172.16.3.xxx, OPT4 = 172.16.4.xxx.
    And from inside the OPT# networks I will also need to be able to connect to the server on 172.16.1.xxx.

    Is this possible?

    Best Regards,
    Rasmus Ramgaard


  • Banned

    @ramgaard:

    The OPT1-4 will be a network for some equipment I want to access from the server. (All networks has 192.168.1.xxx / 255.255.255.0)

    What??? You cannot have 4 interfaces on the same subnet. And there's no need to do anything at all with regard to NAT to access things on LAN, except for setting up firewall rules to allow access on OPTx.



  • OPT1 - 192.168.1.0/24
    OPT2 - 192.168.2.0/24
    OPT3 - 192.168.3.0/24
    OPT4 - 192.168.4.0/24

    If all OPT networks own a 192.168.1.0/24 network, how should the SG unit know to which OPT network
    it has to route the packets?

    The rest would be OK; otherwise, if NAT is done between the networks, how should
    OPT1 - 4 connect from the outside to the server?


  • Rebel Alliance Developer Netgate

    The only way that sort of setup will work is if there is an additional firewall on each leg doing the extra NAT. As the others said, you can't have the same subnet on multiple interfaces in that way. Not only does it require NAT like you show, but that NAT has to be performed by something on the other end of the lines.

    If each of those additional sites had their own firewall and the "main" pfSense unit only saw your 172 subnets that would work fine, but something has to be in place to ensure that no one device sees the same subnet on multiple interfaces.
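The design the Netgate developer describes above, as an added illustration that is not part of the original thread and not pfSense's own code: a longest-prefix-match route lookup for the "main" SG-4860, and a 1:1 NAT on each remote firewall that maps 172.16.N.0/24 on the leg facing the main unit to 192.168.1.0/24 on the inside, host part preserved. All interface names and addresses are constructed from the figures in the posts; note that the LAN mask 255.255.248.0 given in the question is /21, so 172.16.0.0/21 already contains 172.16.1.0 through 172.16.4.255, and the per-leg /24 routes only win because they are more specific. The overlapping variant shows why the original plan cannot be routed, which is the same reason pfSense refuses to put the same subnet on several interfaces.

```python
import ipaddress

# Constructed addressing following the thread (assumption, not a real config):
# LAN as posted (255.255.248.0 == /21); each OPT leg is seen by the main unit
# as 172.16.N.0/24; behind each leg a remote firewall owns 192.168.1.0/24.
LAN_NET = "172.16.0.0/21"


class RouteTable:
    """Minimal longest-prefix-match table standing in for the main unit's routing."""

    def __init__(self):
        self.routes = []  # list of (network, interface)

    def add(self, net, iface):
        self.routes.append((ipaddress.ip_network(net), iface))

    def lookup(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(n, i) for n, i in self.routes if dst in n]
        if not matches:
            raise LookupError(f"no route to {dst}")
        longest = max(n.prefixlen for n, _ in matches)
        best = sorted(i for n, i in matches if n.prefixlen == longest)
        if len(best) > 1:
            # Same subnet on several interfaces: no unique egress interface exists.
            raise ValueError(f"ambiguous route for {dst}: {best}")
        return best[0]


def build_main_table(overlapping=False):
    """overlapping=True reproduces the original plan (192.168.1.0/24 on every OPT)."""
    rt = RouteTable()
    rt.add(LAN_NET, "LAN")
    for n in range(1, 5):
        net = "192.168.1.0/24" if overlapping else f"172.16.{n}.0/24"
        rt.add(net, f"OPT{n}")
    return rt


class OneToOneNat:
    """1:1 NAT on a remote firewall: outside /24 <-> inside /24, same host bits."""

    def __init__(self, outside, inside):
        self.outside = ipaddress.ip_network(outside)
        self.inside = ipaddress.ip_network(inside)
        assert self.outside.prefixlen == self.inside.prefixlen

    @staticmethod
    def _map(addr, src_net, dst_net):
        addr = ipaddress.ip_address(addr)
        if addr not in src_net:
            return addr  # not subject to this translation
        host = int(addr) - int(src_net.network_address)
        return dst_net.network_address + host

    def inbound(self, dst):
        """Packet arriving from the main unit: rewrite destination to the inside address."""
        return self._map(dst, self.outside, self.inside)

    def outbound(self, src):
        """Packet leaving toward the server: rewrite source to the outside address."""
        return self._map(src, self.inside, self.outside)


# One remote firewall per leg (assumed), each mapping 172.16.N.x <-> 192.168.1.x.
LEG_NAT = {f"OPT{n}": OneToOneNat(f"172.16.{n}.0/24", "192.168.1.0/24") for n in range(1, 5)}


def server_to_device(dst, table=None):
    """Return (egress interface on the main unit, address the device actually receives)."""
    table = table or build_main_table()
    iface = table.lookup(dst)
    if iface not in LEG_NAT:
        return iface, str(ipaddress.ip_address(dst))
    return iface, str(LEG_NAT[iface].inbound(dst))


def device_to_server(leg, device_ip):
    """Return the source address the LAN server sees for a device behind `leg`."""
    return str(LEG_NAT[leg].outbound(device_ip))


if __name__ == "__main__":
    print(server_to_device("172.16.2.50"))      # ('OPT2', '192.168.1.50')
    print(device_to_server("OPT3", "192.168.1.7"))  # 172.16.3.7
    try:
        build_main_table(overlapping=True).lookup("192.168.1.50")
    except ValueError as e:
        print("original plan fails:", e)
```

The translation is symmetric, so a device on OPT3 reaching the server is seen as 172.16.3.x and the reply is mapped back without any state on the main unit; only the remote firewalls carry NAT, exactly as the last reply requires. In a real deployment the equivalent is a 1:1 NAT entry on each remote firewall plus OPTx firewall rules on the main unit permitting the 172.16.N.0/24 <-> LAN traffic.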