PfSense: how to NAT and use LAN IPs to access services

Posted on 2012-03-16
Last Modified: 2012-03-18
I have a question that I'm not sure is possible. I have pfSense set up so that the WAN IP is an IP address on my main data network. The LAN IP on the second NIC is a 172.0.2.x IP. That network will be used as a staging and integration network that I would like to keep as separate as possible. So I installed pfSense. My issue is that I want to be able to block all ports except for the ones I want to go to the 172.x.x.x network. However, I would like to be able to use the 172.x.x.x network IPs to access ports for servers in that network. For example:

I might have 2 servers, let's say and one I want to SSH to and the other I want to open a web port on and access from my 192.168.x.x network. So I'll be on a machine with an IP of, let's say and I want to SSH using PuTTY to currently I have to use the IP of the WAN NIC and it will NAT port 22 to

Is it possible to just use the 172.x.x.x IPs? I can add a route that will route all 172.x.x.x traffic to the WAN IP of the NIC on the pfSense machine.

The pfSense machine is on a VMware ESXi host with 2 NICs.
Question by:msidnam
LVL 51

Expert Comment

ID: 37732709
1. 172.0.2.x is LAN, right?
2. 172.x.x.x is WAN. right?
3. where is 192.168.x.x?
LVL 20

Accepted Solution

Daniel McAllister earned 500 total points
ID: 37732899
I'll talk about NATing in a moment... FIRST, I want to talk about your choice of a LAN address.

Specifically, 172.0.x.x will conflict with REAL Internet addresses (about 16,000 of them).

RFC1918 spells out the valid ranges of IP addresses RESERVED for local use.

You're probably already familiar with the most common one:
 - This is actually 256 Class C networks (networks with a 24-bit netmask), all of which are deemed to be LOCAL addresses (Internet routers are prohibited from processing them)
 - Most consumer LAN devices come pre-configured on one of these addresses -- like a router whose default IP address is
 - NOTE: It is a common misconception that the 3rd byte cannot be 255 -- that is incorrect. The 3rd value may be any number (from 0-255).

The next most common one in use is:
 - This is actually one Class A network (networks with an 8-bit netmask)
 - It is common "in the field" to use subnetting -- most often creating a LAN or something similar... this is perfectly legal and compliant!

The least common one in use is:
 - This is actually 16 Class B networks (networks with a 16-bit netmask)

The last one appears to be the one you were shooting for, but missed... the 2nd byte of the LAN address that starts with 172 MUST be in the range of 16-31 to be compliant (and thus not conflict with REAL Internet IP addresses).

I know this isn't the question asked, but it has the potential to be a VERY difficult issue to diagnose later on down the line when you can't figure out why certain web pages won't load!

I'll address the NAT Firewall (and iptables) in a post in a few minutes...
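The RFC 1918 point above is easy to get wrong by eye (172.0.2.x looks "private" but is not). The script below is an added example for this thread, not code from the thread or from pfSense: it checks a candidate address or subnet against the three RFC 1918 blocks the answer lists, validates a two-NIC LAN/WAN plan, and checks whether a workstation on the 192.168.x.x side can use the pfSense WAN address as the next hop of a static route for the LAN subnet (the routed alternative to port forwarding that the question asks about). The subnets are the ones discussed in the thread; the individual host and gateway addresses are constructed for illustration.

```python
"""RFC 1918 sanity checks for a two-interface pfSense plan.

Added example for this thread, not code from the thread or from pfSense.
The subnets are the ones the thread discusses; specific host addresses
and the pfSense WAN address are constructed for illustration.
"""
import ipaddress

# The three RFC 1918 blocks the accepted answer describes.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),      # one Class A (8-bit mask)
    ipaddress.ip_network("172.16.0.0/12"),   # 16 Class Bs: 172.16.x.x .. 172.31.x.x
    ipaddress.ip_network("192.168.0.0/16"),  # 256 Class Cs: 192.168.0.x .. 192.168.255.x
)


def rfc1918_block(addr):
    """Return the RFC 1918 block that contains addr, or None if addr is public space."""
    ip = ipaddress.ip_address(addr)
    for block in RFC1918:
        if ip in block:
            return block
    return None


def subnet_is_private(cidr):
    """True only if the whole subnet sits inside one RFC 1918 block.

    Merely overlapping a block is not enough: a subnet that straddles the
    boundary (172.0.0.0/8, say) still contains routable Internet addresses.
    """
    net = ipaddress.ip_network(str(cidr), strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def check_plan(lan_cidr, wan_cidr):
    """Validate the LAN and WAN subnets of a two-NIC firewall.

    Returns a list of problems; an empty list means the plan is compliant.
    """
    problems = []
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    wan = ipaddress.ip_network(wan_cidr, strict=False)
    for name, net in (("LAN", lan), ("WAN", wan)):
        if not subnet_is_private(net):
            problems.append(
                f"{name} {net} is not RFC 1918 space and collides with public addresses"
            )
    if lan.overlaps(wan):
        problems.append(f"LAN {lan} overlaps WAN {wan}; routing between them is ambiguous")
    return problems


def static_route_is_usable(host_cidr, gateway):
    """Can a host with this address/mask use gateway as the next hop of a static route?

    The next hop must be on the host's own link: a workstation on the
    192.168.x.x network can point a route for the 172.16.x.x LAN at the
    pfSense WAN address, but not at an address that sits behind the firewall.
    """
    host = ipaddress.ip_interface(host_cidr)
    gw = ipaddress.ip_address(gateway)
    return gw in host.network and gw != host.ip


if __name__ == "__main__":
    # Constructed values: the thread's 172.0.2.x LAN versus a corrected 172.16.0.x LAN.
    for lan in ("172.0.2.0/24", "172.16.0.0/24"):
        print(lan, "->", check_plan(lan, "192.168.1.0/24") or "OK")
    for addr in ("172.0.2.5", "172.16.0.5", "172.31.255.254", "172.32.0.1", "192.168.255.1"):
        print(addr, "->", rfc1918_block(addr) or "public")
    # Hypothetical pfSense WAN address 192.168.1.254 on the workstation's own /24.
    print(static_route_is_usable("192.168.1.50/24", "192.168.1.254"))  # True
    print(static_route_is_usable("192.168.1.50/24", "172.16.0.1"))     # False
```

Note that `subnet_is_private` deliberately requires the whole subnet to be inside one block rather than merely overlapping it, and that the check for 192.168.255.x passes, matching the answer's remark that a third octet of 255 is valid. Once the static route is in place, whether a connection to a 172.16.x.x host actually succeeds is then decided by the pfSense firewall rules on the WAN interface, not by NAT.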


Author Comment

ID: 37732926
ahoffman: sorry, it's only 172.0.2.x. I got lazy when typing the rest since I was on my mobile.

it4soho: I can change the IP scheme, but these machines will already be behind my current network, which is already behind my main firewall. They will very rarely need to access the internet, but I can change it to make sure it's compliant.

I'm trying to create another environment for my developers so they can test code, updates, etc. However, I don't want users to be able to hit any port. I want it to be behind another firewall where I can control what ports go in and out. Right now they want two environments: staging and integration. Currently I am using VMware's private VLAN to create 2 VLAN communities and 1 promiscuous VLAN (that the 2 communities can see, but not each other). One community will be staging, the other integration. The second NIC on the pfSense will be connected to the promiscuous VLAN so that it can see both communities. The servers in both communities will have the pfSense as their gateway.

The first NIC will be connected to my current main data network (192.168.x.x, which is already working with NAT and my current firewall). The IP on that one right now is I want to be able to type in something like ssh root@ from my 192.168.x.x network and get to that server sitting behind the pfSense box. The only way I can get it to work currently is by putting in ssh root@ which pfSense then forwards to (like a normal NAT firewall; works great). I want to be able to put in the IP of the server behind the pfSense box at

I can change to 172.16.x.x, no problem. But I'm not sure if what I want to do is possible.

I want to keep both sub-networks as separate as possible and only allow certain ports in and out.

Author Closing Comment

ID: 37734897
Thank you. By changing the IP to 172.16.0.x the firewall let me do what I want. When you mentioned that routers can't pass the other IP scheme I had, I got to looking and it is set not to pass those through.

Thank you again for the info. I learned something new, probably something I should have known a long time ago though.
