PfSense: how to NAT and use LAN IPs to access services

msidnam (asker):

I have a question that I'm not sure is possible. I have pfSense set up so that the WAN IP is an IP address on my main data network. The LAN IP on the second NIC is a 172.0.2.x IP. That network will be used as a staging and integration network that I would like to keep as separate as possible. So I installed pfSense. My issue is that I want to be able to block all ports except for the ones I want to go to the 172.x.x.x network. However, I would like to be able to use the 172.x.x.x network IPs to access ports for servers in that network. For example:

I might have 2 servers, let's say 172.0.2.2 and 172.0.2.3; one I want to SSH to and the other I want to open a web port on and access from my 192.168.x.x network. So I'll be on a machine with an IP of, let's say, 192.168.0.181 and I want to SSH using PuTTY to 172.0.2.2. Currently I have to use the IP of the WAN NIC and it will NAT port 22 to 172.0.2.2.

Is it possible to just use the 172.x.x.x IPs? I can add a route that will route all 172.x.x.x traffic to the WAN IP of the NIC on the pfSense machine.

The pfSense machine is on a VMware ESXi host with 2 NICs.

ahoffmann:

1. 172.0.2.x is LAN, right?
2. 172.x.x.x is WAN, right?
3. Where is 192.168.x.x?
ASKER CERTIFIED SOLUTION
Daniel McAllister
This solution is only available to members.

msidnam (asker):
ahoffmann: sorry, it's only 172.0.2.x. I got lazy when typing the rest since I was on my mobile.

it4soho: I can change the IP scheme. But these machines will already be behind my current network, which is already behind my main firewall. They will very rarely need to access the internet. But I can change it to make sure it's compliant.

I'm trying to create another environment for my developers so they can test code, updates, etc. However, I don't want users to be able to hit any port. I want it to be behind another firewall where I can control what ports go in and out. Right now they want two environments: staging and integration. Currently I am using VMware's private VLAN to create 2 VLAN communities and 1 promiscuous VLAN (that the 2 communities can see, but not each other). One community will be staging, the other integration. The second NIC on the pfSense will be connected to the promiscuous VLAN so that it can see both communities. The servers in both communities will have the pfSense as their gateway.

The first NIC will be connected to my current main data network (192.168.x.x, which is already working with NAT and my current firewall). The IP on that one right now is 192.168.1.172. I want to be able to type in something like ssh root@172.0.2.2 from my 192.168.x.x network and get to that server sitting behind the pfSense box. The only way I can get it to work currently is by putting in ssh root@192.168.1.172, which pfSense then forwards to 172.0.2.2 (like a normal NAT firewall; works great). I want to be able to put in the IP of the server behind the pfSense box at 172.0.2.2.

I can change to 172.16.x.x, no problem. But I'm not sure if what I want to do is possible.

I want to keep both sub-networks as separate as possible and only allow certain ports in and out.

msidnam (asker):
Thank you. By changing the IP to 172.16.0.x, the firewall let me do what I want. When you mentioned that routers can't pass the other IP scheme I had, I got to looking and it is set not to pass those through.

Thank you again for the info. I learned something new. Probably something I should have known a long time ago, though.
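Added example, not from the thread or from pfSense itself: a small Python model of the routed (rather than port-forwarded) design the thread ends up with. The pfSense WAN address 192.168.1.172 and the client 192.168.0.181 come from the posts; the 172.16.0.0/24 staging subnet, the hosts 172.16.0.2 (SSH) and 172.16.0.3 (web), and TCP port 80 for "the web port" are assumptions. It shows the three pieces that have to line up: the staging prefix must be RFC 1918 space (172.0.2.0/24 is not, which is why the 172.16 change mattered), the 192.168 side needs a static route sending that prefix to pfSense's WAN address, and the pfSense WAN rule set is a default-deny allow-list so only the wanted ports reach the staging hosts.

```python
import ipaddress

# RFC 1918 private address space. 172.0.2.0/24 sits outside 172.16.0.0/12, so a
# router configured to forward only private prefixes internally will drop it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# From the thread: pfSense WAN 192.168.1.172, client 192.168.0.181.
# Assumed for this example: staging subnet 172.16.0.0/24, hosts .2 (ssh) and .3 (web).
PFSENSE_WAN = ipaddress.ip_address("192.168.1.172")
STAGING = ipaddress.ip_network("172.16.0.0/24")

# Route table on the 192.168.x.x side (the main router, or the client itself):
# (prefix, next hop); None means directly connected.
ROUTES = [
    (ipaddress.ip_network("192.168.0.0/16"), None),
    (STAGING, PFSENSE_WAN),  # the static route that replaces the port forward
]

# pfSense WAN-interface rules for traffic entering from 192.168.x.x:
# an allow-list of (destination host, TCP port). Anything not listed is denied.
WAN_RULES = [
    ("172.16.0.2", 22),  # ssh to the first server
    ("172.16.0.3", 80),  # the web port on the second server (port assumed)
]

# pfSense's WAN "Block private networks" option has to be off in this design:
# the WAN side is itself RFC 1918 space, so with it on every 192.168.x.x source
# is dropped before WAN_RULES is consulted.
BLOCK_PRIVATE_ON_WAN = False


def is_rfc1918(prefix):
    """True if the whole prefix lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def next_hop(dst):
    """Longest-prefix-match lookup: 'direct', the next-hop address, or 'no route'."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if addr in net]
    if not matches:
        return "no route"
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return "direct" if hop is None else str(hop)


def wan_allows(dst, port):
    """Default-deny evaluation of the pfSense WAN rule set."""
    return (str(ipaddress.ip_address(dst)), port) in WAN_RULES


def reachable(src, dst, port):
    """Trace one TCP connection attempt from the 192.168.x.x side.

    Returns 'direct' (same side, pfSense never sees it), 'no route',
    'allowed', or 'denied'.
    """
    hop = next_hop(dst)
    if hop in ("no route", "direct"):
        return hop
    if ipaddress.ip_address(hop) != PFSENSE_WAN:
        return "no route"  # assumed: only pfSense fronts the staging network
    if BLOCK_PRIVATE_ON_WAN and is_rfc1918(src + "/32"):
        return "denied"
    return "allowed" if wan_allows(dst, port) else "denied"


if __name__ == "__main__":
    for prefix in ("172.0.2.0/24", "172.16.0.0/24"):
        print(f"{prefix}: {'RFC 1918' if is_rfc1918(prefix) else 'NOT RFC 1918'}")
    for dst, port in (("172.16.0.2", 22), ("172.16.0.2", 80),
                      ("172.16.0.3", 80), ("172.0.2.2", 22)):
        print(f"192.168.0.181 -> {dst}:{port}: {reachable('192.168.0.181', dst, port)}")
```

With these tables, ssh to 172.16.0.2 is allowed, port 80 on the same host is denied by the default-deny rule set, and 172.0.2.2 never gets a route at all. The static route lives wherever the 192.168 traffic is routed from (the main router, or each client), and pfSense's own port forwards are no longer needed for these two services because the packets arrive addressed to the real staging hosts.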