NAT a /25 IP Block



  • Hey.

    I work for a company that has a /25 block and we need to set up a NAT configuration type with certain ports open for any given IP. I've been searching around the forum and, unless I missed a thread, I haven't seen any other scenario like our own.
    My worst fear is that I'll have to add every single IP as a VIP and port forward this way. Ideally we'd like to be able to simply put in the block and configure each open port in the rules section. What would be the best and most efficient way to configure pfSense to NAT all these IPs?

    Internal net: 10.1.1.128/25
    External Net: 192.168.1.128/25



  • If pfSense can't do what I need it to do, what do you guys recommend for router software? I haven't tried Vyatta yet, but it looks promising. Endian worked fairly well, but we faced the same scenario with having to add every IP to the interface alias list. Recommendations welcome!



  • I don't see why pfSense cannot do it.
    Why don't you just set up a test network and try?



  • When you set up your LAN interface, specify the subnet to be /25 instead of the default /24.
    This should auto-create the NAT rule you require.



  • You are talking about outbound NAT.
    tjm is talking about inbound NAT.



  • Then I recommend using m0n0wall instead of pfSense. It has a proxy ARP option along with Firewall: NAT: Edit 1:1.



  • And pfSense doesn't? ???

    You should pay a visit to "Firewall" –> "Virtual IPs"



  • When we tried setting up a 1:1 NAT with a single VIP IP range, we got an error saying you can't use the WAN IP address in a 1:1 rule. I would think that pfSense would have the option to force this rule and then automatically create an exception for the WAN IP address. So far, the only way that worked the way we need it to is to add a range of individual IPs to the VIPs and then port forward them individually, which we don't look forward to doing with all 125 IPs.



  • Well you could do it like this:

    Internal net: 10.1.1.128/25
    External Net: 192.168.1.128/25

    translates to

    10.1.1.192/26  to  192.168.1.192/26
    10.1.1.160/27  to  192.168.1.160/27
    10.1.1.144/28  to  192.168.1.144/28
    10.1.1.136/29  to  192.168.1.136/29
    10.1.1.132/30  to  192.168.1.132/30
    10.1.1.130/31  to  192.168.1.130/31
    10.1.1.129/32  to  192.168.1.129/32

    Like this you don't have to create 125 rules, but only 7.

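The split in the post above, computed instead of worked out by hand, as an added example that is not from the thread. It assumes 192.168.1.128 is the WAN address pfSense refuses in a 1:1 rule (which is why the table starts at .129) and uses only Python's standard `ipaddress` module; it also works for a WAN address anywhere inside the block.

```python
import ipaddress
from typing import List, Tuple


def one_to_one_nat_map(internal: str, external: str,
                       excluded_external: str) -> List[Tuple[str, str]]:
    """Split a 1:1 NAT between two equal-size blocks into the fewest aligned
    CIDR pairs, leaving out one external address (the WAN IP) and the
    internal address at the same offset so both sides stay aligned."""
    inside = ipaddress.ip_network(internal)
    outside = ipaddress.ip_network(external)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("1:1 NAT needs two blocks of the same size")
    wan = ipaddress.ip_address(excluded_external)
    if wan not in outside:
        raise ValueError("excluded address is not in the external block")
    # Offset of the WAN IP from the start of the external block; the
    # internal address at the same offset becomes the hole to carve out.
    offset = int(wan) - int(outside.network_address)
    hole_addr = ipaddress.ip_address(int(inside.network_address) + offset)
    hole = ipaddress.ip_network(f"{hole_addr}/32")
    pairs = []
    for sub in inside.address_exclude(hole):
        # address_exclude halves the block repeatedly, so every remaining
        # piece is an aligned prefix; shift it by the distance between blocks.
        delta = int(sub.network_address) - int(inside.network_address)
        ext_start = ipaddress.ip_address(int(outside.network_address) + delta)
        # strict parsing raises if the external side is somehow misaligned
        ext = ipaddress.ip_network(f"{ext_start}/{sub.prefixlen}")
        pairs.append((str(sub), str(ext)))
    # Largest prefixes first, the same order as the table in the post.
    return sorted(pairs, key=lambda p: ipaddress.ip_network(p[0]).prefixlen)


def mapping_is_complete(internal: str, external: str,
                        excluded_external: str, pairs) -> bool:
    """Check that every internal address except the carved-out one is
    covered by exactly one pair (no gaps, no overlapping NAT rules)."""
    inside = ipaddress.ip_network(internal)
    outside = ipaddress.ip_network(external)
    skip = int(ipaddress.ip_address(excluded_external)) - int(outside.network_address)
    seen = set()
    for src, dst in pairs:
        s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if s.prefixlen != d.prefixlen:
            return False
        for addr in s:            # iterates every address in the prefix
            if addr in seen:      # overlap would mean two conflicting rules
                return False
            seen.add(addr)
    wanted = {a for a in inside if int(a) - int(inside.network_address) != skip}
    return seen == wanted
```

Any single address removed from a /25 always leaves exactly 7 aligned prefixes, so the rule count is the same wherever the WAN IP sits; only the boundaries move.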
