Disable NAT for set of IPs whilst retaining for others

  • My ISP gives me a /29 range, which it routes to my pfSense box. I use 5 IPs from this range for hosts within my network. This is currently set up using 1:1 NAT – each of the 5 hosts has a private 192.168.0.x IP, which has a 1:1 mapping to one of the public IPs. I write firewall rules using the private IPs, and have reflection enabled such that the hosts can use the public IPs internally. However, I don't want the 5 hosts to have private IPs at all.  I want each of them to use only its public IP statically. I believe that this will involve disabling NAT (and perhaps adding static routes?), but I still need NAT for IPs outside this set of five.

    How can I achieve this?

    This seems like a basic question, but I've struggled to work it out after much reading and am reluctant to experiment blindly. I've found this forum an incredibly useful resource over the years -- thank you, and thanks in advance for any help you can offer on this subject :)


  • LAYER 8 Netgate

    Since the subnet is routed to you it's easy.

    Disable/delete all the VIPs and the 1:1

    Create an interface using your /29 (You will lose 3 of 8 addresses, Network, Broadcast, and pfSense interface.)

    Enable manual outbound NAT and delete/disable the NAT rules for the /29

    Pass traffic to the real IP addresses on WAN and pass traffic you want to go out on the new interface.

    Put your servers on the new interface with their Ethernet configured for the /29.

    ETA:

    My ISP gives me a /29 range, which it routes to my pfSense box.

    I might have been misreading you there. Is the pfSense WAN address the first address in this /29? If so this won't work.

    What you want is for your ISP to make an interface subnet, say a /30 and route the /29 to the WAN address on that.

    The only way to do what you want with just the one subnet is 1:1 like you're doing and bridging, which is ugly. Uglier than 1:1 NAT.


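As an added illustration (not part of the thread, and not Netgate or pfSense code), the script below encodes the two checks that decide whether the plan above can work: whether the routed block can become its own interface (only if the WAN address sits outside it, which is the condition the reply raises in its ETA), how many addresses a /29 loses once network, broadcast and the pfSense interface address are taken, and which sources a manual outbound NAT policy should still translate. All addresses are constructed from the RFC 5737 documentation ranges; substitute your own block and WAN address.

```python
import ipaddress

# Constructed example values (RFC 5737 documentation ranges), not real addresses.
ROUTED_BLOCK = "203.0.113.8/29"      # the /29 the ISP routes to the firewall
WAN_ADDRESS = "198.51.100.2"         # WAN on a separate transit subnet (the working case)
WAN_INSIDE_BLOCK = "203.0.113.14"    # WAN as the penultimate address of the /29 (the failing case)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def routed_block_is_usable_as_interface(block: str, wan_address: str) -> bool:
    """True when the block can be assigned to its own pfSense interface.

    That requires the WAN address to live outside the block: the ISP must
    route the block to a WAN address on a different (transit) subnet.  If the
    WAN address is taken from the block itself, the block cannot also be an
    interface subnet behind that WAN.
    """
    return ipaddress.ip_address(wan_address) not in ipaddress.ip_network(block)


def interface_plan(block: str) -> dict:
    """Addresses left for servers once the block becomes an interface subnet.

    Network and broadcast are unusable and one more address goes to the
    pfSense interface (used as the servers' gateway), so a /29 yields five
    server addresses and loses three of its eight.
    """
    net = ipaddress.ip_network(block)
    hosts = list(net.hosts())
    gateway, servers = hosts[0], hosts[1:]
    return {
        "gateway": str(gateway),
        "servers": [str(h) for h in servers],
        "lost": net.num_addresses - len(servers),
    }


def outbound_nat_action(src: str, block: str, wan_address: str) -> str:
    """Manual outbound NAT decision for one source address.

    Sources inside the routed block leave untranslated (no outbound NAT rule
    matches them); RFC 1918 sources still get translated to the WAN address.
    Anything else is not ours to translate and is left alone.
    """
    addr = ipaddress.ip_address(src)
    if addr in ipaddress.ip_network(block):
        return "no-nat"
    if any(addr in n for n in RFC1918):
        return f"nat-to {wan_address}"
    return "no-nat"


if __name__ == "__main__":
    print("routed block usable with transit WAN:",
          routed_block_is_usable_as_interface(ROUTED_BLOCK, WAN_ADDRESS))
    print("routed block usable with WAN inside it:",
          routed_block_is_usable_as_interface(ROUTED_BLOCK, WAN_INSIDE_BLOCK))
    print(interface_plan(ROUTED_BLOCK))
    for src in ("192.168.0.10", "203.0.113.10"):
        print(src, "->", outbound_nat_action(src, ROUTED_BLOCK, WAN_ADDRESS))
```

Run it as-is to see both outcomes side by side: with the WAN on a transit subnet the block is usable and yields five server addresses behind the gateway; with the WAN taken from inside the /29 the check fails, which is the situation the follow-up posts describe.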

  • @Derelict:

    ETA:

    My ISP gives me a /29 range, which it routes to my pfSense box.

    I might have been misreading you there. Is the pfSense WAN address the first address in this /29? If so this won't work.

    What you want is for your ISP to make an interface subnet, say a /30 and route the /29 to the WAN address on that.

    The only way to do what you want with just the one subnet is 1:1 like you're doing and bridging, which is ugly. Uglier than 1:1 NAT.

    My pfSense WAN is the penultimate address in the /29. According to my ISP, the first address is the "network address", the penultimate the "router address" (pfSense WAN IP) and the last IP is the broadcast address.

    Thanks, and sorry if my terminology wasn't accurate!


  • LAYER 8 Netgate

    Yeah. Ask your ISP to give you another subnet for the interface and route the /29 to that. Else just leave it alone.
