    NAT on an entire subnet

    • Monty1157

      Hi All,
              First post, and I suppose it's a bit of a corker, and although I think it can be done, I've had no success in getting the internal networks to NAT out on all IPs within an entire subnet on the WAN interface.

      I've read a variety of howtos, tutorials, and wikis, and although they're pretty similar to what I'm wanting to do, the worst I've managed is breaking the outgoing traffic, and the best I've managed is maintaining the current NAT on a single IP.

      For reference, we use a client/server application that communicates over a VPN to the servers on the remote subnet, with the pfSense firewall handling the NAT/traffic for all of the networks behind the LAN subnet through to the remote subnet at the other side of the VPN. However, the pfSense does not handle the VPN tunnel itself; that is handled by another bit of hardware.

      All IP ranges involved on local and remote ends are from private IP address ranges. There are no duplicate subnets on the LAN and WAN side, so there are no routing issues. The local VPN subnet is 172.16.23.0/24 and the remote 172.16.128.0/17. The pfSense currently sits with a WAN IP address of 172.16.177.1, which everything NATs through. There are no local restrictions to the remote subnet, with one incoming rule allowing traffic to a local IP on a certain port.

      We were advised that to increase performance of the client application to change from a single NAT to a range of IP addresses. I've looked at a variety of tutorials and the like, and as I mentioned earlier, I have never found a suitable answer that relates directly to this type of setup, with results that range from no communications at all, to the status quo of a single IP address NAT remaining no matter what I change.

      One of the main docs I keep returning to is https://doc.pfsense.org/index.php/Outbound_NAT, and using Proxy ARP, but I think I'm missing something somewhere on how to set up the actual available WAN addresses.

      If anyone can help point me in the right direction that would be seriously appreciated.

      Cheers,
                  Mark

      • johnpoz (LAYER 8 Global Moderator)

        "All IP ranges involved on local and remote ends are from private IP address ranges. There are no duplicate subnets on the LAN and WAN side,"

        Then what is the purpose of the NAT in the first place – why would you be natting anything in such a setup?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.01 | Lab VMs CE 2.6, 2.7

        • Monty1157

          Because there is an internet in between those subnets is a good starting point.  ;D

          We were given a VPN setup by the remote company that we're accessing, along with subnets to use, protocols, and communications requirements. Because the remote company handles traffic for more than just ourselves, and so work with a variety of places all using private addressing schemes, they placed this requirement upon us to reduce their complexity, routing, security, etc.

          If we remove NAT, plain old routing doesn't work. We can't change it, they won't change it, and we are required to use this service, so the status quo remains.

          Which means that I'm still asking for help on attempting to set up NAT for an entire range of IP addresses from a /24 subnet on the WAN port of the pfSense firewall.

          Cheers,
                      Mark

          • jimp (Rebel Alliance Developer, Netgate)

            There are two things you have to worry about: translating the traffic, and making sure traffic for the translated subnet returns back to pfSense.

            1. Add 1:1 NAT to map the LAN subnet to the translated subnet on WAN (interface = WAN, external subnet IP = translated subnet address, internal IP = your LAN subnet with the right mask, destination = the remote VPN subnet so it won't affect other traffic leaving)
            2. Add a static route in the upstream device (not this pfSense box!) to send that translated subnet to the WAN IP address of pfSense

            Since it hits the VPN on the next hop up, that should still only end up being one layer of NAT.

            Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!
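
As an added example (not from the thread and not pfSense's own code), a small Python check of the two-step plan above: it computes the 1:1 counterpart of a LAN host, flags mask mismatches and subnet overlaps, and prints the pf-style binat line and upstream static route the two steps correspond to. The LAN subnet 192.168.1.0/24 and the interface name em0 are constructed; 172.16.23.0/24, 172.16.128.0/17 and 172.16.177.1 are the values quoted in the thread, and the route syntax is illustrative since it depends on the upstream device.

```python
import ipaddress


def onetoone_map(src_ip, internal_net, external_net):
    """Return the address a host in internal_net shows up as in external_net.
    Subnet 1:1 NAT swaps only the network bits and keeps the host bits, so
    192.168.1.10 mapped 192.168.1.0/24 -> 172.16.23.0/24 becomes 172.16.23.10."""
    internal = ipaddress.ip_network(internal_net)
    external = ipaddress.ip_network(external_net)
    if internal.prefixlen != external.prefixlen:
        raise ValueError("1:1 subnet NAT needs equal prefix lengths")
    ip = ipaddress.ip_address(src_ip)
    if ip not in internal:
        raise ValueError(f"{ip} is not inside {internal}")
    host_bits = int(ip) - int(internal.network_address)
    return str(external.network_address + host_bits)


def check_plan(lan_net, translated_net, remote_net, wan_ip):
    """Sanity checks on the mapping; an empty list means nothing obviously wrong."""
    lan = ipaddress.ip_network(lan_net)
    ext = ipaddress.ip_network(translated_net)
    remote = ipaddress.ip_network(remote_net)
    wan = ipaddress.ip_address(wan_ip)
    problems = []
    if lan.prefixlen != ext.prefixlen:
        problems.append("internal and external subnets must use the same mask")
    if ext.overlaps(remote):
        problems.append("translated subnet overlaps the remote VPN subnet")
    if ext.overlaps(lan):
        problems.append("translated subnet overlaps the LAN subnet")
    if wan in ext:  # the upstream route points the whole translated subnet at the WAN IP
        problems.append("WAN IP must not sit inside the translated subnet")
    return problems


def render_config(wan_if, lan_net, translated_net, remote_net, wan_ip):
    """pf-style binat rule restricted to the remote subnet (step 1) and the static
    route for the upstream device (step 2). Illustration only: pfSense builds its
    own rules from the 1:1 NAT GUI entry."""
    binat = f"binat on {wan_if} from {lan_net} to {remote_net} -> {translated_net}"
    route = f"route add {translated_net} {wan_ip}   # on the upstream device, not pfSense"
    return binat, route


if __name__ == "__main__":
    # LAN subnet and interface are constructed; the rest are the thread's values.
    LAN, EXT, REMOTE, WAN_IP = "192.168.1.0/24", "172.16.23.0/24", "172.16.128.0/17", "172.16.177.1"
    print(check_plan(LAN, EXT, REMOTE, WAN_IP))
    print(onetoone_map("192.168.1.10", LAN, EXT))
    print(*render_config("em0", LAN, EXT, REMOTE, WAN_IP), sep="\n")
```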
