Solved

PfSense: how to NAT and use LAN IPs to access services

Posted on 2012-03-16
939 Views
Last Modified: 2012-03-18
I have a question that I'm not sure is possible. I have pfSense set up so that the WAN IP is an IP address on my main data network. The LAN IP on the second NIC is a 172.0.2.x IP. That network will be used as a staging and integration network that I would like to keep as separate as possible. So I installed pfSense. My issue is that I want to be able to block all ports except for the ones I want to go to the 172.x.x.x network. However, I would like to be able to use the 172.x.x.x network IPs to access ports for servers in that network. For example:

I might have 2 servers, let's say 172.0.2.2 and 172.0.2.3; one I want to SSH to, and on the other I want to open a web port and access it from my 192.168.x.x network. So I'll be on a machine with an IP of, let's say, 192.168.0.181 and I want to SSH using PuTTY to 172.0.2.2. Currently I have to use the IP of the WAN NIC and it will NAT port 22 to 172.0.2.2.

Is it possible to just use the 172.x.x.x IPs? I can add a route that will route all 172.x.x.x traffic to the WAN IP of the NIC on the pfSense machine.

The pfSense machine is on a VMware ESXi host with 2 NICs.
Question by: msidnam

4 Comments
Expert Comment by: ahoffmann
ID: 37732709
1. 172.0.2.x is LAN, right?
2. 172.x.x.x is WAN, right?
3. Where is 192.168.x.x?
Accepted Solution by: Daniel McAllister (earned 500 total points)
ID: 37732899
I'll talk about NATing in a moment... FIRST, I want to talk about your choice of a LAN address.

Specifically, 172.0.x.x will conflict with REAL Internet addresses (about 16,000 of them).

RFC1918 spells out the valid ranges of IP addresses RESERVED for local use.

You're probably already familiar with the most common one:
192.168.0.0/16
 - This is actually 256 Class C networks (networks with a 24-bit netmask), all of which are deemed to be LOCAL addresses (Internet routers are prohibited from processing them)
 - Most consumer LAN devices come pre-configured on one of these addresses -- like a router whose default IP address is 192.168.0.1
 - NOTE: It is a common misconception that the 3rd byte cannot be 255 -- that is incorrect. The 3rd value may be any number (from 0-255).

The next most common one in use is:
10.0.0.0/8
 - This is actually one Class A network (networks with an 8-bit netmask)
 - It is common "in the field" to use subnetting -- most often creating a 10.0.0.0/24 LAN or something similar... this is perfectly legal and compliant!

The least common one in use is:
172.16-31.0.0/12
 - This is actually 16 Class B networks (networks with a 16-bit netmask)

The last one appears to be the one you were shooting for, but missed... the 2nd byte of the LAN address that starts with 172 MUST be in the range of 16-31 to be compliant (and thus not conflict with REAL Internet IP addresses).

I know this isn't the question asked, but it has the potential to be a VERY difficult issue to diagnose later on down the line when you can't figure out why certain web pages won't load!

I'll address the NAT Firewall (and iptables) in a post in a few minutes...

Dan
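As an added illustration of the RFC1918 rule Dan describes (this is not code from the thread or from pfSense), the following Python snippet classifies an address or a proposed LAN prefix against the three private blocks, using the addresses mentioned in this question; the block table and both helper functions are my own naming.

```python
import ipaddress

# The three RFC 1918 blocks, as listed in the accepted answer.
RFC1918_BLOCKS = {
    "10.0.0.0/8": ipaddress.ip_network("10.0.0.0/8"),
    "172.16.0.0/12": ipaddress.ip_network("172.16.0.0/12"),
    "192.168.0.0/16": ipaddress.ip_network("192.168.0.0/16"),
}


def rfc1918_block(addr):
    """Return the RFC 1918 block (as a CIDR string) that contains addr,
    or None when addr lies in routable Internet space."""
    ip = ipaddress.ip_address(addr)
    for name, block in RFC1918_BLOCKS.items():
        if ip in block:
            return name
    return None


def check_lan_subnet(cidr):
    """Classify a proposed LAN prefix (or a static route for it).

    'private'   -> entirely inside one RFC 1918 block; safe to use locally
    'straddles' -> only partly overlaps a block, so a route for it would
                   also swallow public addresses (e.g. 172.0.0.0/8)
    'public'    -> overlaps no block; using it locally shadows real hosts
    """
    net = ipaddress.ip_network(cidr, strict=False)
    for name, block in RFC1918_BLOCKS.items():
        if net.subnet_of(block):
            return ("private", name)
        if net.overlaps(block):
            return ("straddles", name)
    return ("public", None)


if __name__ == "__main__":
    # Addresses from this thread: the original LAN host, the pfSense WAN
    # address, and a host on the corrected 172.16.x.x LAN.
    for a in ("172.0.2.2", "192.168.1.172", "172.16.0.2"):
        print(f"{a:>14}  ->  {rfc1918_block(a) or 'PUBLIC address space'}")
    for p in ("172.0.2.0/24", "172.16.0.0/24", "172.0.0.0/8"):
        print(f"{p:>14}  ->  {check_lan_subnet(p)}")
```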
Author Comment by: msidnam
ID: 37732926
ahoffmann: sorry, it's only 172.0.2.x. I got lazy when typing the rest since I was on my mobile.

it4soho: I can change the IP scheme. But these machines will already be behind my current network, which is already behind my main firewall. They will very rarely need to access the internet. But I can change to make sure it's compliant.

I'm trying to create another environment for my developers so they can test code, updates, etc. However, I don't want users to be able to hit any port. I want it to be behind another firewall where I can control what ports go in and out. Right now they want two environments: staging and integration. Currently I am using VMware's private VLAN to create 2 VLAN communities and 1 promiscuous VLAN (that the 2 communities can see, but not each other). One community will be staging, the other integration. The second NIC on the pfSense will be connected to the promiscuous VLAN so that it can see both communities. The servers in both communities will have the pfSense as their gateway.

The first NIC will be connected to my current main data network (192.168.x.x, which is already working with NAT and my current firewall). The IP on that one right now is 192.168.1.172. I want to be able to type in something like ssh root@172.0.2.2 from my 192.168.x.x network and get to that server sitting behind the pfSense box. The only way I can get it to work currently is by putting in ssh root@192.168.1.172, which pfSense then forwards to 172.0.2.2 (like a normal NAT firewall; works great). I want to be able to put in the IP of the server behind the pfSense box at 172.0.2.2.

I can change to 172.16.x.x, no problem. But I'm not sure if what I want to do is possible.

I want to keep both sub-networks as separate as possible and only allow certain ports in and out.
Author Closing Comment by: msidnam
ID: 37734897
Thank you. By changing the IP to 172.16.0.x the firewall let me do what I want. When you mentioned that routers can't pass the other IP scheme I had, I got to looking and it is set not to pass those through.

Thank you again for the info. I learned something new. Probably something I should have known a long time ago though.