Ack Basward nat config



  • Greetings all. Joedirt here and I am a novice at most. I am 16 years old and I am striving to learn BSD. I am setting up a test lab of the following but must be doing something wrong.

    Wan-- 192.168.1.10/24 -- (PF1) --Lan DHCP 10.0.0.1/8 {Switch} Wan -- 10.0.0.3/8-- (PF2 Bridged) --Lan 10.0.0.2/8 {WIFI} Wan 10.0.0.132 {PF3 Infrastructure} --Lan DHCP 192.168.2.1/24-- DMZ Server 192.168.2.10

    or should it be

    Wan-- 192.168.1.10/24 -- (PF1) --Lan DHCP 10.0.0.1/8 {Switch} Wan -- 10.0.0.3/8-- (PF2 Not Bridged) --Lan DHCP 192.168.2.1/24 {WIFI} Wan 192.168.2.10/24 {PF3 Infrastructure} --Lan DHCP 10.0.0.2/24-- DMZ Server 10.0.0.3.10

    My question is this. I would like to be able to route DMZ out the start Wan. Which one of these layouts should I use (if any)?
    I read a lot of posts and I am thinking that I may need VIP, but have no idea of what (pf) to put it on or how to config.
    Please someone point me in a good direction. Thanks



  • Your ASCII-art-skills need an update ;)
    Can you redraw, since with your current drawing it's not possible to see what you're trying to do :)



  • I am very sorry, not sure how to do this, will try till I get it though. I am trying to set up a gateway server pf1 to route a wired connection to a WRAP AP pf2, then to a wifi client infrastructure WRAP pf3, then wired to a DMZ. If this makes any sense, I would like to be able to access the DMZ from the outside of the Dell 2400.

    (PF1 Dell 2400) Wan 192.168.1.10/24---Lan DHCP 10.0.0.1/8

    {Switch}

    Wan 10.0.0.3/8---Lan 10.0.0.2/8 (PF2 Bridged)

    {WIFI}

    {PF3 Infrastructure}Wan 10.0.0.132  --Lan DHCP 192.168.2.1/24

    DMZ Server 192.168.2.10

    or should it be

    (PF1 Dell 2400) Wan 192.168.1.10/24---10.0.0.1/8 Lan DHCP

    {Wired Switch}

    (PF2 Not Bridged)

    Wan 10.0.0.2/8---Lan DHCP 192.168.2.1/24

    {WIFI}

    {PF3 Infrastructure}

    Wan 192.168.2.10/24 --Lan DHCP 10.0.0.2/8

    {Wired Switch}

    DMZ Server 10.0.0.3/8



  • You kind of mix the subnets around.
    What is on the WAN of your pfSense1? Another router? No public IP?

    ? ? ?
                                |
                  WAN 192.168.1.10/24
                    pfSense1 dell2400
                      LAN 10.0.0.1/8
                                |
                                |
                                |wired
                                |
                                |
                      WAN 10.0.0.3/8
                          pfSense2
                      LAN 10.0.0.2/8
                                |
                                |
                                |wireless
                                |
                                |
                      WAN 10.0.0.132/8
                          pfSense3
                      LAN 192.168.2.1/24
                                |
                                |
                                |
                                |
                      192.168.2.10/24
                            Server

    This is your first proposal. It should work.
    But why so many subnets?

    Your second proposal has twice the same subnet.
    You cannot route if you have multiple times the same subnet in the same network.
    (unless you NAT, but then it's no longer "routing" in the common sense)



  • Thank you for the help. I have a public IP DMZ to the gateway WAN. Where would I put the VIP info? On pf1, pf2 or pf3? And would I only have to NAT the pf3 and pf1?
    Thanks

    Public IP
                                |
               Router DMZ to 192.168.1.10/24
                                |
                  WAN 192.168.1.10/24
                    pfSense1 dell2400
                       LAN 10.0.0.1/24
                                |
                                |
                                |wired
                                |
                                |
                      WAN 10.0.0.3/24
                          pfSense2
                       LAN 10.0.0.2/24
                                |
                                |
                                |wireless
                                |
                                |
                      WAN 10.0.0.132/24
                          pfSense3
                       LAN 192.168.2.1/24
                                |
                                |
                                |
                                |
                       192.168.2.10/24
                             Server



  • You don't need any VIPs unless you're NATing from an IP that doesn't exist yet in this setup.

    You only create one NAT-forward rule, pointing directly to the server IP.
    On pfSense1, create a static route for the 192.168.2.0/24 subnet pointing to 10.0.0.132/8 in the diagram.

    But to be honest: why do you use a /8 subnet there?
    Is a /24 not sufficient?

    Also make sure that your firewall rule on pfSense1 allows the IP range behind pfSense3.
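    The three settings in the reply above (one port forward on pfSense1, a static route to the DMZ subnet via pfSense3's WAN address, and a firewall rule that admits the DMZ range) correspond to a handful of pf rules. The fragment below is an added example written for this thread, not something posted by the original participants and not what pfSense itself generates; it is written in the `rdr`/`nat` syntax of the FreeBSD pf that pfSense uses. The interface names `em0`/`em1`, the forwarded service (TCP port 80) and the /24 masks are assumptions taken from the last diagram.

```pf
# Added example (not from the original thread): pf rules on pfSense1
# equivalent to "one NAT-forward rule" + "allow the range behind pfSense3".
# Assumed interface names and port; adjust to your box.
ext_if     = "em0"              # pfSense1 WAN, 192.168.1.10/24 (private side of the upstream router)
int_if     = "em1"              # pfSense1 LAN, 10.0.0.1/24
pf3_wan    = "10.0.0.132"       # pfSense3 WAN address, next hop for the DMZ subnet
dmz_net    = "192.168.2.0/24"   # subnet behind pfSense3
dmz_server = "192.168.2.10"
dmz_port   = "80"               # assumed service being published

# 1. Outbound NAT: let the DMZ subnet leave through the WAN address.
#    pfSense1's WAN is itself a private address, so the upstream router
#    only ever sees 192.168.1.10.
nat on $ext_if from $dmz_net to any -> ($ext_if)

# 2. The single port forward: traffic arriving on WAN for port 80 is
#    redirected to the DMZ server's real address.
rdr on $ext_if proto tcp from any to ($ext_if) port $dmz_port -> $dmz_server port $dmz_port

# 3. Filter rules. pf translates before it filters, so the WAN rule must
#    match the post-rdr destination (the server), not the WAN address.
pass in  quick on $ext_if proto tcp from any to $dmz_server port $dmz_port keep state
# Admit the DMZ range coming in from the LAN side (via pfSense2/pfSense3)
# and let it out the WAN, otherwise replies and outbound traffic are dropped.
pass in  quick on $int_if from $dmz_net to any keep state
pass out quick on $ext_if from $dmz_net to any keep state

# 4. The static route is not a pf rule; on the FreeBSD shell behind pfSense1
#    it is the equivalent of:
#      route add -net 192.168.2.0/24 10.0.0.132
#    (in the GUI: a gateway entry for 10.0.0.132 and a static route for
#    192.168.2.0/24 using it). Without it pfSense1 sends the redirected
#    packet to its default gateway instead of toward pfSense3.
```

    Two things to verify on the boxes in the middle, which the rules above assume: pfSense2 (bridged) and pfSense3 must pass the forwarded port through to 192.168.2.10, and pfSense3 must not rewrite the server's traffic on its WAN (disable outbound NAT there). If pfSense3 NATs, the server's replies arrive at pfSense1 from 10.0.0.132 rather than 192.168.2.10, no state on pfSense1 matches them, and the connection stalls after the first packet. A quick check from a host on the upstream 192.168.1.0/24 side is `nc -vz 192.168.1.10 80` while watching `pfctl -ss | grep 192.168.2.10` on pfSense1: a healthy forward shows one state with both the WAN-side and the server-side addresses.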



  • Thank you so much for this info. I will test it this weekend and let you know how I made out.



  • Having trouble visualizing what the firewalls should look like to allow the server to be DMZ out the WAN. I have taken your advice and changed the /8 to be a /24 like the rest of the network. (See last diagram.) I am very excited about this. GruensFroeschli, you rock.

