On 22/02/2014 20:43, Brian Candler wrote:

As has been pointed out already, you definitely don't want your OPT1 IP address to be in the same range as either the LAN or WAN subnets. Each interface must be in a separate subnet. This is just how IP routing works.

What may have caused confusion is the "proxy ARP" magic which goes along with NAT, if the NAT public address is on the same subnet as the firewall's WAN interface.

Let's say the pfsense firewall's WAN address is 192.0.2.1/29, and its LAN address is 192.168.0.1/24. You have a VM connected to the firewall's LAN interface on 192.168.0.2.

You could then set up 1:1 NAT between 192.0.2.2 and 192.168.0.2.

When an incoming packet arrives for 192.0.2.2, the firewall accepts the packet on the WAN interface *as if it were for itself*. It then translates the destination address to 192.168.0.2 and re-sends it out of the LAN interface.

You could then do the same thing to map 192.0.2.3 to a private address which is on the OPT1 network if you wanted. That VM really exists on the OPT1 network (say 192.168.1.5), but incoming traffic is addressed to a public IP on the WAN side of the network.

So you might be tempted to say that 192.0.2.3 is the public IP of "the OPT1 network", but it isn't. It's a public IP on the WAN side, which gets translated to some particular address on the OPT1 interface.

Indeed, using port forwarding NAT, one address could be shared between different VMs, which could be on different networks. You might for example port-forward 192.0.2.3 port 80 to 192.168.1.5 on the OPT1 interface, and forward 192.0.2.3 port 21 to 192.168.2.7 on the OPT2 interface.

Hope this doesn't make it any more confusing :-)

Regards,

Brian.
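As an added illustration of the behaviour Brian describes (not code from the post or from pfSense), the following Python model applies the subnet-separation rule, then handles inbound WAN packets the way the post explains: accept the packet for the public address, rewrite the destination via the 1:1 or port-forward table, and choose the egress interface by routing the translated address. The OPT1 and OPT2 subnets and the interface names are assumptions; the post only names hosts on those networks.

```python
from ipaddress import ip_address, ip_interface

# Constructed to match the post: WAN 192.0.2.1/29, LAN 192.168.0.1/24.
# The OPT1/OPT2 subnets are assumptions (the post only names hosts on them).
INTERFACES = {
    "WAN": "192.0.2.1/29",
    "LAN": "192.168.0.1/24",
    "OPT1": "192.168.1.1/24",
    "OPT2": "192.168.2.1/24",
}

# 1:1 NAT: a public address on the WAN subnet -> one private host.
ONE_TO_ONE = {"192.0.2.2": "192.168.0.2"}

# Port forwards: (public address, TCP port) -> private host, so one
# public address can front VMs that live on different internal networks.
PORT_FORWARDS = {("192.0.2.3", 80): "192.168.1.5", ("192.0.2.3", 21): "192.168.2.7"}


def overlapping_interfaces(interfaces):
    """Return (name, name) pairs whose subnets overlap; an empty list means valid.
    Every interface must sit in its own subnet or the routing lookup is ambiguous."""
    nets = sorted((name, ip_interface(cidr).network) for name, cidr in interfaces.items())
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


def egress_interface(dst, interfaces=INTERFACES):
    """Routing lookup: the directly connected interface whose subnet holds dst."""
    for name, cidr in interfaces.items():
        if ip_address(dst) in ip_interface(cidr).network:
            return name
    return None


def handle_inbound(dst_ip, dst_port):
    """Model an inbound WAN packet. The firewall answers for the public address
    as if it were its own, rewrites the destination, then picks the egress
    interface by routing the *translated* address, not the public one."""
    dst = ip_address(dst_ip)
    if dst not in ip_interface(INTERFACES["WAN"]).network:
        return None  # not a WAN-side address, so proxy ARP never claims it
    target = ONE_TO_ONE.get(dst_ip) or PORT_FORWARDS.get((dst_ip, dst_port))
    if target is None:
        return None  # no NAT rule matches: nothing is translated
    return target, egress_interface(target)
```

The same public address 192.0.2.3 ends up on two different internal interfaces depending only on the destination port, which is the point of Brian's last paragraph.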

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
