I think the “wiser” solution is to spin up another firewall for the shared 
services and give it all 4 IPs (.2-.5)

On Feb 22, 2014, at 2:55 PM, Brian Candler <b.cand...@pobox.com> wrote:

> On 22/02/2014 20:43, Brian Candler wrote:
>> 
>> As has been pointed out already, you definitely don't want your OPT1 IP 
>> address to be in the same range as either the LAN or WAN subnets. Each 
>> interface must be in a separate subnet. This is just how IP routing works. 
>> 
> What may have caused confusion is the "proxy ARP" magic which goes along with 
> NAT, if the NAT public address is on the same subnet as the firewall's WAN 
> interface.
> 
> Let's say the pfsense firewall's WAN address is 192.0.2.1/29, and its LAN 
> address is 192.168.0.1/24. You have a VM connected to the firewall's LAN 
> interface on 192.168.0.2.
> 
> You could then set up 1:1 NAT between 192.0.2.2 and 192.168.0.2.
> 
> When an incoming packet arrives for 192.0.2.2, the firewall accepts the 
> packet on the WAN interface *as if it were for itself*. It then translates 
> the destination address to 192.168.0.2 and re-sends it out of the LAN 
> interface.
> 
> You could then do the same thing to map 192.0.2.3 to a private address which 
> is on the OPT1 network if you wanted. That VM really exists on the OPT1 
> network (say 192.168.1.5), but incoming traffic is addressed to a public IP 
> on the WAN side of the network.
> 
> So you might be tempted to say that 192.0.2.3 is the public IP of "the OPT1 
> network", but it isn't. It's a public IP on the WAN side, which gets 
> translated to some particular address on the OPT1 interface.
> 
> Indeed, using port forwarding NAT, one address could be shared between 
> different VMs, which could be on different networks. You might for example 
> port-forward 192.0.2.3 port 80 to 192.168.1.5 on the OPT1 interface, and 
> forward 192.0.2.3 port 21 to 192.168.2.7 on the OPT2 interface.
> 
> Hope this doesn't make it any more confusing :-)
> 
> Regards,
> 
> Brian.
> 
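The behaviour Brian describes (the firewall answering on the WAN side for NAT public IPs that sit in its own WAN subnet, then rewriting the destination and forwarding out the LAN, OPT1 or OPT2 interface) can be modelled in a few dozen lines. The Python below is an added illustration, not pfSense code and not from the thread; `Firewall`, `Packet` and the method names are hypothetical, while the addresses are the ones used in the post. It also enforces the earlier point that every interface must sit in its own subnet.

```python
"""Model of 1:1 NAT and port-forward translation with proxy ARP on the WAN side.

Added example (hypothetical Firewall/Packet classes); addresses follow the
thread: WAN 192.0.2.1/29, LAN 192.168.0.1/24, OPT1/OPT2 hosts 192.168.1.5 and
192.168.2.7.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Destination fields of a packet arriving on the WAN interface."""
    dst_ip: IPv4Address
    dst_port: int
    proto: str = "tcp"


def inbound(dst: str, port: int, proto: str = "tcp") -> Packet:
    return Packet(IPv4Address(dst), port, proto)


# (egress interface, translated destination IP, translated destination port)
Translation = Tuple[str, str, int]


class Firewall:
    def __init__(self, interfaces: Dict[str, str]):
        # name -> IPv4Interface, e.g. "wan": "192.0.2.1/29"
        self.ifaces = {n: IPv4Interface(c) for n, c in interfaces.items()}
        self._check_disjoint_subnets()
        self.one_to_one: Dict[IPv4Address, IPv4Address] = {}
        self.port_forwards: Dict[Tuple[IPv4Address, str, int],
                                 Tuple[IPv4Address, int]] = {}

    def _check_disjoint_subnets(self) -> None:
        """Routing needs one distinct subnet per interface; refuse overlaps."""
        names = sorted(self.ifaces)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if self.ifaces[a].network.overlaps(self.ifaces[b].network):
                    raise ValueError(f"{a} ({self.ifaces[a].network}) overlaps "
                                     f"{b} ({self.ifaces[b].network})")

    def egress_for(self, ip: IPv4Address) -> Optional[str]:
        """Internal interface whose subnet contains ip, or None."""
        for name, iface in self.ifaces.items():
            if name != "wan" and ip in iface.network:
                return name
        return None

    def _require_internal(self, private: IPv4Address) -> None:
        if self.egress_for(private) is None:
            raise ValueError(f"{private} is not on any internal interface")

    def add_one_to_one(self, public: str, private: str) -> None:
        pub, priv = IPv4Address(public), IPv4Address(private)
        self._require_internal(priv)
        self.one_to_one[pub] = priv

    def add_port_forward(self, public: str, proto: str, port: int,
                         private: str, private_port: Optional[int] = None) -> None:
        pub, priv = IPv4Address(public), IPv4Address(private)
        self._require_internal(priv)
        self.port_forwards[(pub, proto, port)] = (priv, private_port or port)

    def answers_arp(self, ip: str) -> bool:
        """True if the WAN side answers ARP for ip: its own address, or proxy
        ARP for a NAT public address inside the directly attached WAN subnet."""
        addr = IPv4Address(ip)
        wan = self.ifaces["wan"]
        if addr not in wan.network:
            return False
        nat_publics = set(self.one_to_one) | {k[0] for k in self.port_forwards}
        return addr == wan.ip or addr in nat_publics

    def translate(self, pkt: Packet) -> Optional[Translation]:
        """Destination NAT for an inbound packet; None if no rule claims it.
        Port forwards are consulted first, so one public IP can be split
        across hosts on different internal networks."""
        key = (pkt.dst_ip, pkt.proto, pkt.dst_port)
        if key in self.port_forwards:
            priv, pport = self.port_forwards[key]
            return (self.egress_for(priv), str(priv), pport)
        if pkt.dst_ip in self.one_to_one:
            priv = self.one_to_one[pkt.dst_ip]
            return (self.egress_for(priv), str(priv), pkt.dst_port)
        return None


def build_thread_example() -> Firewall:
    """The configuration described in the post (OPT gateway IPs assumed)."""
    fw = Firewall({"wan": "192.0.2.1/29", "lan": "192.168.0.1/24",
                   "opt1": "192.168.1.1/24", "opt2": "192.168.2.1/24"})
    fw.add_one_to_one("192.0.2.2", "192.168.0.2")
    fw.add_port_forward("192.0.2.3", "tcp", 80, "192.168.1.5")
    fw.add_port_forward("192.0.2.3", "tcp", 21, "192.168.2.7")
    return fw


if __name__ == "__main__":
    fw = build_thread_example()
    for dst, port in [("192.0.2.2", 443), ("192.0.2.3", 80), ("192.0.2.3", 21),
                      ("192.0.2.3", 22), ("192.0.2.4", 80)]:
        print(dst, port, "arp:", fw.answers_arp(dst), "->", fw.translate(inbound(dst, port)))
```

Note that `answers_arp` is true for 192.0.2.3 even though only ports 80 and 21 are forwarded: the firewall claims the whole address on the WAN segment and then drops anything without a matching rule, which is exactly why 192.0.2.3 is a WAN-side address rather than "the OPT1 network's" IP.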

_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
