I wanted to understand if it's possible to set the WAN IP to match a device located on a LAN interface. This is simply to place a firewall in front of a single device (on a simple home network) for network auditing. There are no other devices behind the firewall.
I want to be able to do this "seamlessly" without changing the IP of the device. I understand I would have to add in port forwards for each port needed for access from WAN to the device.
Is this NAT config possible? Can I get some tips on how to do this correctly, primarily as it relates to routing?
I will need to then enable logging on the LAN interface for all traffic statefully originating from "LAN". So if that throws a wrench into the works, please let me know. I'm just starting to learn about iptables logging. I already have a syslog server that can receive logs from the FW, but haven't learned custom log rules yet.
TIA!