Netgate Discussion Forum
    NAT a /25 IP Block

    9 Posts 3 Posters 4.5k Views
tjm

      Hey.

      I work for a company that has a /25 block and we need to setup a NAT configuration type with certain ports open for any given IP. I've been searching around the forum and unless I missed a thread, I haven't seen any other scenario like our own.
      My worst fear is that I'll have to add every single IP as a VIP and port forward this way. Ideally we'd like to be able to simply put in the block and configure each open port in the rules section. What would be the best and most efficient way to configure pfSense to NAT all these IPs?

      Internal net: 10.1.1.128/25
      External Net: 192.168.1.128/25

tjm

        If pfSense can't do what I need it to do, what do you guys recommend for router software? I haven't tried Vyatta yet, but it looks promising. Endian worked fairly well, but we faced the same scenario with having to add every IP to the interface alias list. Recommendations welcome!

GruensFroeschli

I don't see why pfSense cannot do it.
Why don't you just set up a test network and try?

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

cdsu

When you set up your LAN interface, specify the subnet to be /25 instead of the default /24.
This should auto-create the NAT rule you require.

GruensFroeschli

              You are talking about outbound NAT.
              tjm is talking about inbound NAT.

cdsu

Then I recommend using m0n0wall instead of pfSense. It has a proxy ARP option along with Firewall: NAT: Edit 1:1.

GruensFroeschli

And pfSense doesn't? ???

You should pay a visit to "Firewall" -> "Virtual IPs"

tjm

                    When we tried setting up a 1:1 NAT with a single VIP IP range, we got an error saying you can't use the WAN ip address in a 1:1 rule. I would think that pfSense would have the option to force this rule and then automatically create an exception for the WAN IP address. So far, the only way that worked the way we need it to is to add a range of individual IPs to the VIPs and then port forward them individually, which we don't look forward to doing with all 125 IPs.

GruensFroeschli

Well, you could do it like this:

                      Internal net: 10.1.1.128/25
                      External Net: 192.168.1.128/25

                      translates to

                      10.1.1.192/26  to  192.168.1.192/26
                      10.1.1.160/27  to  192.168.1.160/27
                      10.1.1.144/28  to  192.168.1.144/28
                      10.1.1.136/29  to  192.168.1.136/29
                      10.1.1.132/30  to  192.168.1.132/30
                      10.1.1.130/31  to  192.168.1.130/31
                      10.1.1.129/32  to  192.168.1.129/32

Like this you don't have to create 125 rules but only 7.

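The seven-block split in the last post is one instance of a general rule: carving a single address out of an aligned CIDR block leaves exactly one block per prefix length between the original and /32, and each external block pairs with the internal block at the same offset. The following is an added example, written for this page and not code from the thread or from pfSense, that computes that split for any pair of equal-sized blocks and any set of excluded addresses (the WAN address, and optionally the block's last address, which the post's split leaves mapped), checks the result, and renders it as pf `binat` lines. The interface name `em0` and the helper names are assumptions for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

Pair = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def one_to_one_nat_pairs(internal: str, external: str,
                         exclude: Iterable[str] = ()) -> List[Pair]:
    """Split `external` into the fewest CIDR blocks that cover every address
    except those in `exclude`, and pair each block with the internal block at
    the same offset.  That offset-preserving pairing is exactly what a 1:1 NAT
    entry on a CIDR pair does, so each pair is one entry."""
    int_net = ipaddress.ip_network(internal, strict=True)
    ext_net = ipaddress.ip_network(external, strict=True)
    if int_net.prefixlen != ext_net.prefixlen:
        raise ValueError("internal and external blocks must be the same size")

    # Start from the whole external block and carve out each excluded host.
    # address_exclude() does the binary split: one block per prefix length
    # between the parent and the excluded /32.
    remaining = [ext_net]
    for host in exclude:
        host_net = ipaddress.ip_network(host)
        if not host_net.subnet_of(ext_net):
            raise ValueError(f"{host} is not inside {ext_net}")
        carved = []
        for net in remaining:
            if host_net.subnet_of(net):
                carved.extend(net.address_exclude(host_net))
            else:
                carved.append(net)
        remaining = carved

    # Largest blocks first, then map each external block to the internal
    # block at the same offset from the start of its parent.
    pairs = []
    for ext_sub in sorted(remaining, key=lambda n: (n.prefixlen, n.network_address)):
        offset = int(ext_sub.network_address) - int(ext_net.network_address)
        int_sub = ipaddress.ip_network(
            (int(int_net.network_address) + offset, ext_sub.prefixlen))
        pairs.append((int_sub, ext_sub))
    return pairs


def covered_addresses(pairs: List[Pair]) -> int:
    """Number of external addresses the rule set translates."""
    return sum(ext.num_addresses for _, ext in pairs)


def check_pairs(pairs: List[Pair]) -> bool:
    """Sanity check: no external block overlaps another, and each internal
    block is the same size as the external block it is paired with."""
    exts = [ext for _, ext in pairs]
    for i, a in enumerate(exts):
        for b in exts[i + 1:]:
            if a.overlaps(b):
                return False
    return all(i.prefixlen == e.prefixlen for i, e in pairs)


def pf_binat_rules(pairs: List[Pair], wan_if: str = "em0") -> List[str]:
    """Render the pairs as pf.conf 'binat' rules.  The interface name is an
    assumption; pfSense writes its own rules from the 1:1 NAT entries."""
    return [f"binat on {wan_if} from {i} to any -> {e}" for i, e in pairs]


if __name__ == "__main__":
    # The thread's blocks, with the WAN address 192.168.1.128 left out.
    rules = one_to_one_nat_pairs("10.1.1.128/25", "192.168.1.128/25",
                                 exclude=["192.168.1.128"])
    for line in pf_binat_rules(rules):
        print(line)
    print(f"{len(rules)} entries, {covered_addresses(rules)} addresses, "
          f"consistent={check_pairs(rules)}")
```

For the thread's blocks with only 192.168.1.128 excluded this yields the seven pairs listed in the post (127 addresses, 192.168.1.255 included); excluding 192.168.1.255 as well costs five more entries (12 in total for 126 addresses), which is still far from one per host. Each pair corresponds to one 1:1 NAT entry, with the internal CIDR as the internal address and the external block's first address as the external subnet IP. Note that 1:1 NAT only translates addresses: the "certain ports open" part is still done on the WAN firewall rules, and those can name the whole internal block (or an alias for it) as the destination, so the port rules are one per port rather than one per IP.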
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.