On 5/28/07, David Strout <[EMAIL PROTECTED]> wrote:
> I have a specific need to allow clients of a
> private net (connected to OPT3 w/ 10.10.10.0/24
> reserved DHCP addresses) to connect to the LAN net
> (145.191.112.0/20 > static addresses via DHCP
> reservations). BTW only a small supernet of
> addresses is attached to the pfS box
> (145.191.114.0/23).
> The issue is that there are servers in the LAN
> that the clients of the OPT3 network need access
> to and these servers REQUIRE 145.191.x.x addresses
> to access them. These admins will NOT allow
> private address space to access their servers
> (tcpwrappers, iptables and other SELinux methods).
> They are not willing to budge on this ..... so my
> thinking is that I can set up a NAT pool to NAT
> the OPT3 addresses (10.10.10.x) to some open LAN
> address space (145.191.x.x).
> I have tried slicing off a very little subnet
> 255.255.255.242 of the OPT3 net and doing some 1:1
> NAT with these addresses and those of the LAN in
> the same way, but I have had very little luck.
> QUESTION I
> Is this type of NAT setup even possible?
Yep. You'll need to perform a little trickery here :)
Create a VIP on the LAN subnet (proxy arp, carp... whatever, don't use
Other unless that address is actually routed to you)
Set up advanced outbound NAT
Create a NAT entry on LAN for the OPT3 source traffic and NAT the
outbound traffic as the new VIP you created in the LAN subnet
Rules as normal (post NAT... 10/8 -> 145.191.x.x)
> QUESTION II
> Do the subnets have to match on either side of the
> NAT schema?
> QUESTION III
> I am using 1:1 because I want to control which
> OPT3 clients have access into the LAN (is this
> correct thinking)?
No need. The rules will be on the OPT3 interface; you'll see the
actual source IP. Check out
http://homepage.mac.com/quension/pf/flow.png to understand the traffic flow.
> QUESTION IV
> Do I have to get the admins of the routable LAN
> net to carve out a specific subnet for me to use
> the 1:1 NAT schema?
Nope, you just need to use VIPs - either proxy arp, or carp. If they
can route address space to you, then you can use Other (I like this
option as you don't have to create any "real" VIPs on the machine).
--Bill
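The steps Bill describes, written out as an equivalent pf ruleset. This is an added example for the thread, not Bill's config and not what the pfSense GUI generates; the interface names, the VIP address 145.191.114.200, the server and client addresses, and the ports are all assumptions chosen to fit the addressing David gave.

```pf
# Added example: pf equivalent of "VIP on LAN + advanced outbound NAT + rules on OPT3".
# Not pfSense-generated config. Interface names, the VIP, server and client
# addresses and the ports below are assumptions for illustration only.
lan  = "em0"                 # LAN side, 145.191.114.0/23 is on this wire
opt3 = "em3"                 # OPT3 side, 10.10.10.0/24 private clients
opt3_net    = "10.10.10.0/24"
nat_vip     = "145.191.114.200"      # assumed unused LAN address, added as a Proxy ARP VIP
lan_servers = "{ 145.191.112.10, 145.191.112.11 }"   # assumed server addresses
allowed_clients = "{ 10.10.10.21, 10.10.10.22 }"     # assumed OPT3 clients that may reach them

# Advanced outbound NAT on the LAN interface (Bill's steps 2 and 3).
# Anything sourced from OPT3 leaves LAN with the VIP as its source, so the
# servers' tcpwrappers/iptables only ever see a 145.191.x.x address.
# pf tracks the translation in its state table, so replies to the VIP are
# mapped back to the real 10.10.10.x client without a reverse entry.
nat on $lan from $opt3_net to $lan_servers -> $nat_vip

# Filtering happens on OPT3 as the packet enters, which is before NAT, so
# these rules match the real client address (Bill's answer to Question III).
# This gives the per-client control 1:1 NAT was being used for, without it.
block in on $opt3 from $opt3_net to $lan_servers
pass in quick on $opt3 proto tcp from $allowed_clients to $lan_servers \
    port { 22, 443 } keep state
```

The VIP has to be an address nobody on the LAN already uses and that lies inside the 145.191.114.0/23 range actually on the wire, because Proxy ARP can only answer for addresses on the directly attached network; the LAN admins do not need to allocate a subnet for it, only tolerate the one address.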