[pfSense] question on NAT capabilities/methods and VPN setup

Joe Landman landman at scalableinformatics.com
Thu May 10 00:37:33 EDT 2012

Here's what we are trying to do.  I've got pfSense up and I've got 5 
WAN IP addresses in the WAN subnet.

I would like to NAT by specific address, and add VPN functionality to 
only specific IPs.  So d is our primary for most traffic, d+1 should get 
OpenVPN traffic, d+2 to d+4 should NAT to specific machines.  A few 
ports on each are fine, though we could do a full on 1:1 NAT if needed.

My question is how, precisely to go about this.  That is, I have the 
major functions (ssh, web, mail) traversing the d address, and NATting 
to a specific set of machines handling those functions.  That works 
well.  How do I get the NATting working on the other IPs?  IP Aliasing 
the WAN address and then mapping to that alias?  I ask as I've tried 
quite a few things that seem sensible, and none of them work.

Now I want to set OpenVPN on d+1.  Should I IP Alias the d+1 and give it 
a name?  And while I am at it, is there a way to debug the OpenVPN 
setup?  I've set OpenVPN up many a time by hand, without problems.  My 
first attempts now ... I can't even get it to start negotiating. 
OpenVPN is quite finicky, but I think this is repeated pilot error on my 
part, and it's mostly with the user interface.  Do I need to build the 
CA, then the server certs, then the user certs for this (this is what 
I've done)?

I am assuming pfSense can handle what I want here, both on the NATting 
and OpenVPN side.  But I seem to be lost on this.  I've set up many such 
systems (using different appliances and software stacks) in the past ... 
not a complete noob ... but I did get stuck here.  Any hints are 
welcome, and I'm going to keep poring over the book.
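
Added illustration, not part of the original message: the pf rules and OpenVPN server configuration that sit behind the pfSense UI entries the setup above calls for (IP Alias virtual IPs on WAN, per-address port forwards and 1:1 NAT, and an OpenVPN server bound to one specific WAN address). The WAN addresses are constructed from the RFC 5737 documentation range (203.0.113.10 stands for d, .11 for d+1, .12 and .13 for d+2 and d+3), the internal hosts and interface name are assumed, and the certificate paths are shown only to illustrate the CA, server cert, user cert chain; pfSense generates its own rules from the UI, so this is a simplified hand-written equivalent rather than the appliance's actual output.

```conf
# Constructed example. WAN interface and all addresses are assumptions.
# 203.0.113.10 = d, 203.0.113.11 = d+1, 203.0.113.12 = d+2, 203.0.113.13 = d+3

# ---- pf.conf fragment: Firewall > Virtual IPs, then Firewall > NAT ----
ext_if = "em0"

# Each additional WAN address is added as an "IP Alias" virtual IP on WAN.
# Once it is on the interface, NAT rules can match on that address directly,
# i.e. the port forward's Destination is the virtual IP, not "WAN address".

# d (203.0.113.10): the existing ssh/web/mail forwards
rdr on $ext_if inet proto tcp from any to 203.0.113.10 port 22 -> 10.0.0.10 port 22
rdr on $ext_if inet proto tcp from any to 203.0.113.10 port { 80, 443 } -> 10.0.0.20
rdr on $ext_if inet proto tcp from any to 203.0.113.10 port 25 -> 10.0.0.30 port 25

# d+2 (203.0.113.12): a few ports forwarded to one internal machine
rdr on $ext_if inet proto tcp from any to 203.0.113.12 port 22 -> 10.0.0.12 port 22
rdr on $ext_if inet proto tcp from any to 203.0.113.12 port 443 -> 10.0.0.12 port 443

# d+3 (203.0.113.13): full 1:1 NAT to one internal machine (Firewall > NAT > 1:1)
binat on $ext_if from 10.0.0.13 to any -> 203.0.113.13

# NAT only rewrites the destination; pf filters after translation, so a WAN
# rule must pass traffic to the *internal* address and port. In the UI the
# "Add associated filter rule" option on a port forward creates this for you.
# A forward with no matching pass rule is the usual reason "nothing works".
pass in quick on $ext_if inet proto tcp from any to 10.0.0.12 port { 22, 443 } keep state
pass in quick on $ext_if inet proto tcp from any to 10.0.0.13 keep state

# ---- OpenVPN server (VPN > OpenVPN > Servers), listening only on d+1 ----
# Selecting the d+1 virtual IP as the server's Interface makes the daemon
# bind to that address alone, which is what "local" expresses below.
local 203.0.113.11
port 1194
proto udp
dev tun
# Certificates come from the Cert Manager in the order the poster used:
# CA first, a server certificate signed by it, then one user cert per client.
# Paths are illustrative.
ca   /path/to/vpn-ca.crt
cert /path/to/vpn-server.crt
key  /path/to/vpn-server.key
dh   /path/to/dh2048.pem
tls-auth /path/to/ta.key 0
server 10.8.0.0 255.255.255.0
# Higher verbosity is the quickest way to see why negotiation never starts:
# the OpenVPN log then shows whether packets arrive at all (a bind/NAT issue)
# or arrive and fail TLS (a CA / certificate mismatch).
verb 4
```

A useful split when debugging: if the log at `verb 4` shows no incoming packets, the problem is on the address side (the virtual IP or the WAN rule allowing UDP/1194 to 203.0.113.11); if it shows TLS handshake or certificate verification errors, the problem is in the CA, server cert, user cert chain.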