[pfSense Support] NAT and Bridge on the same box

2009-09-28 Thread Curtis LaMasters
I have a need to provide NAT for the majority of our services and also
assign public IPs to our customers.  My question is, can I do
bridging and NAT on the same server?  I.e., can I have my WAN interface
with all its virtual IPs continue to map to my internal VLANs and
then have a separate VLAN(s) bridge and be able to deliver public IPs
to those customers?

Is it as simple as setting the bridge with WAN on that interface and
then assigning IPs?  Sorry if this has been covered in the past.

Curtis LaMasters
http://www.curtis-lamasters.com
http://www.builtnetworks.com

-
To unsubscribe, e-mail: support-unsubscr...@pfsense.com
For additional commands, e-mail: support-h...@pfsense.com

Commercial support available - https://portal.pfsense.org



Re: [pfSense Support] NAT and Bridge on the same box

2009-09-28 Thread Gary Buckmaster

Curtis,

Should work.  That kind of setup definitely works on physical NICs (DMZ
bridged to WAN, LAN NAT'd to WAN).  I can't think of any reason why it
would cause issues on VLANs.  Probably worth setting up a test scenario
in ESXi first to make sure.


-Gary




RE: [pfSense Support] NAT and Bridge on the same box

2009-09-28 Thread Nathan Eisenberg
There are a number of ways to do this.

The right way is to have a separate network between your router and firewall, 
and then have the routes for your production network in your router.  IE:

Router------Firewall------Server
1.1.1.2/31  1.1.1.3/31    5.0.0.2/24
            5.0.0.1/24

The Router's routing table would look like this:

Destination  Netmask        Gateway
5.0.0.0      255.255.255.0  1.1.1.3

This, of course, eliminates the need to NAT anything.

Another way of doing this is to use 1:1 NAT and put the public IPs on loopback 
adapters on the servers.  This is ugly, but it works.

IE:

Router------Firewall--------Server
5.0.0.1/24  5.0.0.2/24      192.168.1.2/24
            192.168.1.1/24  5.0.0.3/32 (255.255.255.255)

The server needs to have IP forwarding turned on, and the firewall needs a 
proxy ARP IP for 5.0.0.3.  You also want to create static routes on the 
firewall's internal interface that look like this:

Destination  Netmask          Gateway
5.0.0.3      255.255.255.255  192.168.1.2

This means that internal traffic that tries to get 'out' to the public IP of 
the server will be routed to the private IP of the server - which will then 
forward it to the loopback interface.  Note that you'll also have to put some 
special firewall rules on the WAN interface to allow traffic from 192.168.1.2 
to get to 5.0.0.3 through it.

Best Regards,
Nathan Eisenberg
Sr. Systems Administrator - Atlas Networks, LLC
office: 206.577.3078 | suncadia: 206.210.5450
www.atlasnetworks.us | www.suncadianet.com
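
Added example, not part of the original message: a small longest-prefix-match model of the two routing tables described above, showing why the /32 static route on the firewall takes precedence over its connected 5.0.0.0/24 WAN network. The "connected" entries and the WAN/LAN labels are assumptions inferred from the interface addresses in the diagrams.

```python
import ipaddress

def routes(entries):
    """Parse (prefix, next_hop) pairs into a routing table."""
    return [(ipaddress.ip_network(p), hop) for p, hop in entries]

def next_hop(table, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, hop) for net, hop in table if addr in net]
    if not hits:
        return "no route"
    return max(hits, key=lambda r: r[0].prefixlen)[1]

def gateway_on_link(table, gateway):
    """A static route is usable only if its gateway resolves to a connected network."""
    return next_hop(table, gateway).startswith("connected")

# Routed design: the router's table. The static route is from the post; the
# connected /31 entry is inferred from the router's 1.1.1.2/31 address.
ROUTER = routes([
    ("1.1.1.2/31", "connected"),
    ("5.0.0.0/24", "1.1.1.3"),
])

# 1:1 NAT design: the firewall's table. Connected entries are inferred from its
# 5.0.0.2/24 and 192.168.1.1/24 addresses; "WAN"/"LAN" labels are assumed names.
FIREWALL_NO_STATIC = routes([
    ("5.0.0.0/24", "connected:WAN"),
    ("192.168.1.0/24", "connected:LAN"),
])
FIREWALL = FIREWALL_NO_STATIC + routes([("5.0.0.3/32", "192.168.1.2")])

if __name__ == "__main__":
    for name, table, dst in [
        ("router", ROUTER, "5.0.0.2"),
        ("firewall without /32", FIREWALL_NO_STATIC, "5.0.0.3"),
        ("firewall with /32", FIREWALL, "5.0.0.3"),
        ("firewall with /32", FIREWALL, "5.0.0.1"),
    ]:
        print(f"{name:22} {dst:10} -> {next_hop(table, dst)}")
```

Without the host route, the firewall treats 5.0.0.3 as on-link on its WAN side; with it, only that one address is sent to the server's private IP.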

