

PfSense: how to NAT and use LAN IPs to access services

Posted on 2012-03-16
Medium Priority
Last Modified: 2012-03-18
I have a question that I'm not sure is possible. I have pfSense set up to where the WAN IP is an IP address on my main data network. The LAN IP on the second NIC is a 172.0.2.x IP. That network will be used as a staging and integration network that I would like to keep as separate as possible. So I installed pfSense. My issue is that I want to be able to block all ports except for the ones I want to go to the 172.x.x.x network. However, I would like to be able to use the 172.x.x.x network IPs to access ports for servers in that network. For example:

I might have 2 servers, let's say and one I want to ssh to and the other I want to open a web port and access from my 192.168.x.x network. So I'll be on a machine with an IP of let's say and I want to ssh using PuTTY to currently I have to use the IP of the WAN NIC and it will NAT port 22 to

Is it possible to just use the 172.x.x.x IPs? I can add a route that will route all 172.x.x.x traffic to the WAN IP of the NIC on the pfSense machine.

The pfSense machine is on a VMware ESXi host with 2 NICs.
Question by: msidnam
LVL 51

Expert Comment

ID: 37732709
1. 172.0.2.x is LAN, right?
2. 172.x.x.x is WAN. right?
3. where is 192.168.x.x?
LVL 21

Accepted Solution

Daniel McAllister earned 2000 total points
ID: 37732899
I'll talk about NATing in a moment... FIRST, I want to talk about your choice of a LAN address.

Specifically, 172.0.x.x will conflict with REAL Internet addresses (about 16,000 of them).

RFC1918 spells out the valid ranges of IP addresses RESERVED for local use.

You're probably already familiar with the most common one:
 - This is actually 256 Class C networks (networks with a 24-bit netmask), all of which are deemed to be LOCAL addresses (Internet routers are prohibited from processing them)
 - Most consumer LAN devices come pre-configured on one of these addresses -- like a router whose default IP address is
 - NOTE: It is a common misconception that the 3rd byte cannot be 255 -- that is incorrect. The 3rd value may be any number (from 0-255).

The next most common one in use is:
 - This is actually one Class A network (networks with an 8-bit netmask)
 - It is common "in the field" to use subnetting -- most often creating a LAN or something similar... this is perfectly legal and compliant!

The least common one in use is:
 - This is actually 16 Class B networks (networks with a 16-bit netmask)

The last one appears to be the one you were shooting for, but missed... the 2nd byte of the LAN address that starts with 172 MUST be in the range of 16-31 to be compliant (and thus not conflict with REAL Internet IP addresses).

I know this isn't the question asked, but it has the potential to be a VERY difficult issue to diagnose later on down the line when you can't figure out why certain web pages won't load!

I'll address the NAT Firewall (and iptables) in a post in a few minutes...
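The RFC1918 check this answer describes, written out as an added Python example (not code from the thread or from pfSense). The three reserved blocks are the well-known ones from RFC1918; the sample addresses are constructed to contrast the asker's original 172.0.2.x scheme with the compliant 172.16.0.x one, and to show that a third byte of 255 in 192.168.x.x is fine.

```python
import ipaddress

# The three RFC1918 blocks described in the answer above, with the
# "Class" sizing the answer uses noted for each.
RFC1918_NETWORKS = (
    ipaddress.ip_network("10.0.0.0/8"),      # one Class A network
    ipaddress.ip_network("172.16.0.0/12"),   # 16 Class B networks: 172.16.x.x .. 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),  # 256 Class C networks: 192.168.0.x .. 192.168.255.x
)


def rfc1918_block(addr):
    """Return the RFC1918 block containing addr, or None if addr is routable Internet space."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918_NETWORKS:
        if ip in net:
            return net
    return None


def is_rfc1918(addr):
    """True when addr is reserved for local use and can never collide with a real Internet host."""
    return rfc1918_block(addr) is not None


def lan_is_private(cidr):
    """True when an entire planned LAN (e.g. "172.16.0.0/24") sits inside one RFC1918 block.

    strict=False lets a host-style address such as "172.16.0.1/24" describe its network.
    RFC1918 is IPv4-only, so any IPv6 prefix is reported as not private here.
    """
    lan = ipaddress.ip_network(cidr, strict=False)
    return any(lan.version == net.version and lan.subnet_of(net)
               for net in RFC1918_NETWORKS)


def audit_addresses(addresses):
    """Map each address to the RFC1918 block it belongs to, or "PUBLIC" if it would
    conflict with real Internet addresses (the problem the answer warns about)."""
    return {a: (str(rfc1918_block(a)) if is_rfc1918(a) else "PUBLIC") for a in addresses}


if __name__ == "__main__":
    # Constructed sample addresses: the original 172.0.2.x scheme beside the
    # compliant 172.16.0.x scheme the thread settles on, plus boundary cases.
    report = audit_addresses(["172.0.2.10", "172.16.0.10", "172.31.255.254",
                              "172.32.0.1", "192.168.255.1", "10.5.6.7"])
    for addr, verdict in report.items():
        print(f"{addr:>16}  {verdict}")
    print("172.0.2.0/24 private?", lan_is_private("172.0.2.0/24"))
    print("172.16.0.0/24 private?", lan_is_private("172.16.0.0/24"))
```

Running it on a planned address scheme before handing it to the firewall catches exactly the mistake in this thread: 172.0.2.10 and 172.32.0.1 come back PUBLIC, while 172.16.0.10, 172.31.255.254 and 192.168.255.1 are reported inside their reserved blocks.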


Author Comment

ID: 37732926
ahoffman: Sorry, it's only 172.0.2.x. I got lazy when typing the rest since I was on my mobile.

it4soho: I can change the IP scheme. But these machines will already be behind my current network that is already behind my main firewall. They will very rarely need to access the internet. But I can change to make sure it's compliant.

I'm trying to create another environment for my developers so they can test code, updates, etc. However, I don't want users to be able to hit any port. I want it to be behind another firewall where I can control what ports go in and out. Right now they want two environments: staging and integration. Currently I am using VMware's private VLAN to create 2 VLAN communities and 1 promiscuous VLAN (that the 2 communities can see, but not each other). One community will be staging, the other integration. The second NIC on the pfSense will be connected to the promiscuous VLAN so that it can see both communities. The servers in both communities will have the pfSense as their gateway.

The first NIC will be connected to my current main data network (192.168.x.x, which is already working with NAT and my current firewall). The IP on that one right now is I want to be able to type in something like ssh root@ from my 192.168.x.x network and get to that server sitting behind the pfSense box. The only way I can get it to work currently is by putting in ssh root@ which pfSense then forwards to (like a normal NAT firewall; works great). I want to be able to put in the IP of the server behind the pfSense box at

I can change to 172.16.x.x no problem. But I'm not sure if what I want to do is possible.

I want to keep both sub-networks as separate as possible and only allow certain ports in and out.

Author Closing Comment

ID: 37734897
Thank you. By changing the IP to 172.16.0.x the firewall let me do what I want. When you mentioned that routers can't pass the other IP scheme I had, I got to looking and it is set not to pass those through.

Thank you again for the info. I learned something new. Probably something I should have known a long time ago though.
