
Author Topic: SOLVED - NAT 1:1 between VLANs over a Virtual IP  (Read 146 times)


Offline NekoSama

  • Newbie
  • *
  • Posts: 4
  • Karma: +0/-0
SOLVED - NAT 1:1 between VLANs over a Virtual IP
« on: January 24, 2018, 08:25:59 am »
Hello Guys,
I'm pretty new to working with pfSense, and I have a very noob problem that I can't solve, so I'm here asking the smarter guys for help.
My problem is:
I have 2 VLANs, let's call them VLAN 1 and 2, and my pfSense has an interface in each VLAN. (graphic attached)
VLAN 2 has a server, and VLAN 1 has many PCs.
Every PC in VLAN 1 has to have full access to that server.

For that reason I created a virtual IP in VLAN 1, and that VIP should redirect all the traffic to the server in VLAN 2, so every PC in VLAN 1 interacts with the server as if its real IP were the VIP.
I attached a pic to clarify a little more.

And here is where I'm stuck: I have read many posts but I'm not sure whether to do a NAT 1:1 or a forwarding, what rules to make, etc.

I hope I explained myself and my English wasn't that bad.
Thx for your help.

EDIT: Pic added
« Last Edit: January 24, 2018, 01:49:08 pm by NekoSama »

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 15168
  • Karma: +1413/-206
  • Not a pfSense employee, they cannot fire me...
Re: NAT between VLAN over a Virtual IP
« Reply #1 on: January 24, 2018, 08:38:15 am »
Why would you do this? Just allow the firewall rules to access what you want in the other VLAN - there is no reason to NAT between LAN networks.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.2-RELEASE-p1 (work)
1x SG-4860 2.4.2-RELEASE-p1 (home)

Offline NekoSama

Re: NAT between VLAN over a Virtual IP
« Reply #2 on: January 24, 2018, 08:57:28 am »
I think I can't do that.
VLAN 1 and VLAN 2 are in different subnets, and my pfSense is not the default GW on the PCs of VLAN 1.

My PCs in VLAN 1 don't know how to reach the server, nor my default GW.

So I thought I could use a virtual IP within reach of the VLAN 1 clients, and redirect the traffic to the server in VLAN 2.

Is it possible, or am I complicating things?

P.S. I added the graphic to the first post.

Offline johnpoz

Re: NAT between VLAN over a Virtual IP
« Reply #3 on: January 24, 2018, 09:17:25 am »
"pfsense is not the default GW in the PCs of VLAN 1."

Is pfSense the default GW for the server? If so, you would do a port forward, picking the VIP you created as dest. If your server's gateway is not pfSense, then you would also have to do an outbound NAT.

Or you could just create host routes on your PCs that say to get to vlan of the server talk to pfsense IP address in vlan 1.  Couple of different ways to skin that cat.

Offline NekoSama

Re: NAT between VLAN over a Virtual IP
« Reply #4 on: January 24, 2018, 10:22:03 am »
Yep, I get your point and I have thought about that, but I have some limitations on what I can do in this LAN.

The solution I told you about, is it possible? I mean: use a virtual IP that redirects the traffic to the server in VLAN 2. Is that possible?

The idea is this: the PCs in VLAN 1 have software that needs to reach the server in VLAN 2, so if the VIP redirects the traffic to the server, I just have to put the virtual IP in the software. From the software's perspective the server is in the same VLAN and subnet as the clients.

I want to tell the people "put this IP in the software and it will reach the server", just using pfSense and without touching the clients (PCs) or the server.
Is it possible, or am I nuts?
Maybe I'm too much of a newbie and what I'm saying is more magic than routing...

Thx for your patience in helping me with this.


Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9811
  • Karma: +1107/-311
Re: NAT between VLAN over a Virtual IP
« Reply #5 on: January 24, 2018, 10:35:25 am »
Put a 1:1 NAT on the X.X.96.2 interface.

External IP: X.X.96.20
Internal IP: Single Host: X.X.28.3

Firewall rules on the X.X.96.2 interface need to pass desired traffic to the X.X.28.3 destination address.

X.X.28.3 needs to know to route traffic for X.X.96.0/24 back to pfSense. (Guessing on the subnet since it was unspecified.)

PCs use X.X.96.20 as the address of the server.
Las Vegas, Nevada, USA
Do Not PM For Help! NO_WAN_EGRESS™
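
Added example (not part of the thread and not pfSense code): a small Python model of the address rewriting in the 1:1 NAT described above, showing why the server must route replies back through pfSense, and why outbound NAT is the alternative when it cannot. The 10.0.x.x addresses, the pfSense VLAN 2 address and the client address are constructed assumptions standing in for the thread's X.X values.

```python
# Toy model of the 1:1 NAT from the reply above. The 10.0.x.x addresses are
# constructed stand-ins for the X.X.96.x / X.X.28.x values in the thread.
VIP = "10.0.96.20"       # 1:1 NAT external IP (virtual IP in VLAN 1)
SERVER = "10.0.28.3"     # 1:1 NAT internal IP (server in VLAN 2)
FW_VLAN2 = "10.0.28.1"   # assumed pfSense address in VLAN 2
CLIENT = "10.0.96.50"    # assumed PC in VLAN 1


class Firewall:
    """Stateful firewall with one 1:1 mapping and optional outbound NAT."""

    def __init__(self, outbound_nat=False):
        self.outbound_nat = outbound_nat
        self.states = {}  # (src, dst) as the server sees them -> (client, vip)

    def inbound(self, src, dst):
        """Client -> VIP: rewrite the destination, and the source if asked."""
        if dst != VIP:
            return None  # not addressed to the 1:1 mapping
        seen_src = FW_VLAN2 if self.outbound_nat else src
        self.states[(seen_src, SERVER)] = (src, VIP)
        return seen_src, SERVER

    def reply(self, src, dst):
        """Server -> client through pfSense: undo the translation via state."""
        client, vip = self.states[(dst, src)]
        return vip, client


def client_sees(fw, server_routes_via_fw):
    """Source address on the reply packet that reaches the client."""
    seen_src, seen_dst = fw.inbound(CLIENT, VIP)
    # The server answers whatever source address it saw.
    reply_src, reply_dst = seen_dst, seen_src
    if reply_dst == FW_VLAN2 or server_routes_via_fw:
        # The reply passes through pfSense and is translated back.
        reply_src, reply_dst = fw.reply(reply_src, reply_dst)
    # Otherwise the reply leaves via another gateway, untranslated
    # (the model assumes it is still delivered to the client).
    return reply_src


def connection_works(fw, server_routes_via_fw):
    # The client connected to VIP; a reply from any other source address
    # does not belong to that connection and is discarded.
    return client_sees(fw, server_routes_via_fw) == VIP
```
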

Offline NekoSama

Re: NAT between VLAN over a Virtual IP
« Reply #6 on: January 24, 2018, 01:45:23 pm »
Thx Derelict, it worked like a charm.
I'm currently dealing with some problems with ports and protocols, but I think I can handle those.
Thx again for the help and patience.