PfSense: how to NAT and use LAN IPs to access services

I have a question that I'm not sure is possible. I have pfSense set up so that the WAN IP is an IP address on my main data network. The LAN IP on the second NIC is a 172.0.2.x IP. That network will be used as a staging and integration network that I would like to keep as separate as possible. So I installed pfSense. My issue is that I want to be able to block all ports except for the ones I want to go to the 172.x.x.x network. However, I would like to be able to use the 172.x.x.x network IPs to access ports for servers in that network. For example:

I might have 2 servers, let's say, and one I want to SSH to and the other I want to open a web port on and access from my 192.168.x.x network. So I'll be on a machine with an IP of, let's say, and I want to SSH using PuTTY to. Currently I have to use the IP of the WAN NIC and it will NAT port 22 to.

Is it possible to just use the 172.x.x.x IPs? I can add a route that will route all 172.x.x.x traffic to the WAN IP of the NIC on the pfSense machine.

The pfSense machine is on a VMware ESXi host with 2 NICs.

1. 172.0.2.x is LAN, right?
2. 172.x.x.x is WAN, right?
3. where is 192.168.x.x?
Daniel McAllister, President, IT4SOHO, LLC, commented:
I'll talk about NATing in a moment... FIRST, I want to talk about your choice of a LAN address.

Specifically, 172.0.x.x will conflict with REAL Internet addresses (about 16,000 of them).

RFC1918 spells out the valid ranges of IP addresses RESERVED for local use.

You're probably already familiar with the most common one:
 - This is actually 256 Class C networks (networks with a 24-bit netmask), all of which are deemed to be LOCAL addresses (Internet routers are prohibited from processing them)
 - Most consumer LAN devices come pre-configured on one of these addresses -- like a router whose default IP address is
 - NOTE: It is a common misconception that the 3rd byte cannot be 255 -- that is incorrect. The 3rd value may be any number (from 0-255).

The next most common one in use is:
 - This is actually one Class A network (networks with an 8-bit netmask)
 - It is common "in the field" to use subnetting -- most often creating a LAN or something similar... this is perfectly legal and compliant!

The least common one in use is:
 - This is actually 16 Class B networks (networks with a 16-bit netmask)

The last one appears to be the one you were shooting for, but missed... the 2nd byte of the LAN address that starts with 172 MUST be in the range of 16-31 to be compliant (and thus not conflict with REAL Internet IP addresses).

I know this isn't the question asked, but it has the potential to be a VERY difficult issue to diagnose later on down the line when you can't figure out why certain web pages won't load!

I'll address the NAT Firewall (and iptables) in a post in a few minutes...
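The RFC 1918 check that the comment above walks through, as an added example that is not part of the original thread: a short Python script using only the standard library's ipaddress module. The candidate prefixes are constructed to mirror the thread (the asker's original 172.0.2.x and the corrected 172.16.0.x). It reports which reserved block, if any, wholly contains a prefix, and, for a prefix that is not private, confirms that its addresses are ordinary globally routable space, which is exactly the conflict being warned about.

```python
"""Check whether a proposed LAN prefix lies inside RFC 1918 private space.

Added example, not from the original thread. Standard library only.
The candidate prefixes in __main__ are constructed inputs that mirror
the addresses discussed in the thread.
"""
import ipaddress

# The three RFC 1918 blocks: 10/8, 172.16/12 and 192.168/16.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


def rfc1918_block(prefix: str):
    """Return the RFC 1918 block that wholly contains `prefix`, else None.

    A LAN prefix is only safe if every address in it is private; a prefix
    that merely overlaps a private block is rejected as well.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    for block in RFC1918:
        if net.subnet_of(block):
            return block
    return None


def classify_lan(prefix: str) -> dict:
    """Summarise why a prefix is, or is not, usable as an RFC 1918 LAN.

    For a prefix such as 172.0.2.0/24 this also shows that the space is
    globally routable public address space, so hosts on that LAN would
    shadow real Internet destinations.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    block = rfc1918_block(prefix)
    return {
        "prefix": str(net),
        "private": block is not None,
        "rfc1918_block": str(block) if block else None,
        # is_global is True for ordinary public Internet space
        "first_address_is_global": net.network_address.is_global,
        # number of real Internet addresses this LAN would hide, if any
        "addresses_shadowed": 0 if block else net.num_addresses,
    }


def valid_172_second_octet(octet: int) -> bool:
    """172.x.0.0/16 is private only when 16 <= x <= 31 (172.16.0.0/12)."""
    return rfc1918_block(f"172.{octet}.0.0/16") is not None


if __name__ == "__main__":
    # Constructed candidates: the asker's original range, the corrected
    # range, the two other RFC 1918 blocks, and the first /16 past 172.31.
    for candidate in ("172.0.2.0/24", "172.16.0.0/24", "192.168.1.0/24",
                      "10.20.30.0/24", "172.32.0.0/16"):
        print(classify_lan(candidate))
```

Run it as a script to see the verdict for each candidate, or import classify_lan into a pre-flight check for a build or staging network before the firewall is configured around it. Python 3.7 or newer is needed for IPv4Network.subnet_of.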


msidnam (Author) commented:
ahoffman: sorry, it's only 172.0.2.x. I got lazy when typing the rest since I was on my mobile.

it4soho: I can change the IP scheme, but these machines will already be behind my current network, which is already behind my main firewall. They will very rarely need to access the internet, but I can change it to make sure it's compliant.

I'm trying to create another environment for my developers so they can test code, updates, etc. However, I don't want users to be able to hit any port. I want it to be behind another firewall where I can control what ports go in and out. Right now they want two environments: staging and integration. Currently I am using VMware's private VLAN to create 2 VLAN communities and 1 promiscuous VLAN (that the 2 communities can see, but not each other). One community will be staging, the other integration. The second NIC on the pfSense will be connected to the promiscuous VLAN so that it can see both communities. The servers in both communities will have the pfSense as their gateway.

The first NIC will be connected to my current main data network (192.168.x.x, which is already working with NAT and my current firewall). The IP on that one right now is. I want to be able to type in something like ssh root@ from my 192.168.x.x network and get to that server sitting behind the pfSense box. The only way I can get it to work currently is by putting in ssh root@ which pfSense then forwards to (like a normal NAT firewall; works great). I want to be able to put in the IP of the server behind the pfSense box at

I can change to 172.16.x.x, no problem, but I'm not sure if what I want to do is possible.

I want to keep both sub-networks as separate as possible and only allow certain ports in and out.
msidnam (Author) commented:
Thank you. By changing the IP to 172.16.0.x the firewall let me do what I want. When you mentioned that routers can't pass the other IP scheme I had, I got to looking and it is set not to pass those through.

Thank you again for the info. I learned something new, probably something I should have known a long time ago though.