Netgate Discussion Forum

Nat/port forwarding: big help pls

    ugur (Jun 27, 2006, 3:21 PM; last edited Jun 28, 2006, 9:52 AM)

    Sorry for my bad English.

    I am trying pfSense, setting it up and configuring it for my network (I use other fw/NAT software but am not happy with it).

    My network schema:

    My local network IP range: 10.6.3.0 255.255.255.0
    My public IP range: 212.175.221.0 255.255.255.0 (???)

    Inside I have 2 DNS servers (1 for inside, 1 for outside), 4 web servers, 3 mail servers, 1 FTP server, 2 live broadcast servers and 150 users.

    All local gateways are 10.6.3.5 subnet 255.255.255.0 (this is the pfSense address).

    pfsense address:
    local: 10.6.3.5 subnet 255.255.255.0
    public: 212.175.221.5 subnet 255.255.255.0 gw: 212.175.221.1 subnet 255.255.255.0

    All local net configs have
    gw: 10.6.3.5
    dns: 10.6.3.10 (except the ext. DNS server)

    What I request:

    DNS server IP addresses:
    for locals:
    10.6.3.10 subnet 255.255.255.0 gw: 10.6.3.5 dns: 10.6.3.8
    for public (all outside DNS requests go to this server):
    10.6.3.8 subnet 255.255.255.0 gw: 10.6.3.5 dns: 1.2.3.4
    outside (with nat) 212.175.221.10 subnet 255.255.255.0

    Web server IP addresses:
    local 10.6.30.50/51/52/53 subnet 255.255.255.0  gw: 10.6.3.5
    outside (with nat) 212.175.221.50/51/52/53 subnet 255.255.255.0

    Mail server IP addresses:
    local 10.6.3.60/61/62 subnet 255.255.255.0 gw: 10.6.3.5
    outside (with nat) 212.175.221.60/61/62 subnet 255.255.255.0

    Live server IP addresses:
    local 10.6.3.70/71 subnet 255.255.255.0 gw: 10.6.3.5
    outside (with nat) 212.175.221.70/71 subnet 255.255.255.0

    FTP server IP addresses:
    local 10.6.3.80 subnet 255.255.255.0 gw: 10.6.3.5
    outside (with nat) 212.175.221.80 subnet 255.255.255.0

    And the other 100 users (with DHCP):
    ip range 10.6.3.100-10.6.3.250 subnet 255.255.255.0 gw: 10.6.3.5 dns: 10.6.3.10
    outside (with nat) 212.175.221.100-250 subnet 255.255.255.0

    How do I make this?

    Or can pfSense not do this?

    If pfSense can do it, please help me in detail.  :|

    -
    Ugur.

      hoba (Jun 27, 2006, 4:21 PM)

      Ok, some basic steps to make this work (you have to do these steps for every single service/server you want to set up):

      • add virtual IPs at Firewall>Virtual IPs for all additional public IPs you want to be handled by the pfSense for the different servers. I suggest using CARP (this way you can upgrade your setup later easily with a failover system): For example for your first webserver 212.175.221.50/24 (use unique vhids for each IP and set some password; the password is only needed to communicate with a 2nd machine)

      • add 1:1 NATs at Firewall>NAT, 1:1 NAT tab to associate each external IP with an internal IP: for your first webserver map public IP 212.175.221.50/32 to 10.6.30.50/32

      • add firewall rules at Firewall>Rules, WAN tab, to allow traffic from source any, source port any, destination <internal server IP>, destination port <service port, e.g. smtp, http, …>: For your first webserver Interface WAN, protocol tcp, source any port any, destination 10.6.30.50 port 80

      Do this for all of your IPs and services and you are set.
        ugur (Jun 27, 2006, 5:33 PM)

        @hoba:

        • add virtual IPs at Firewall>Virtual IPs for all additional public IPs you want to be handled by the pfSense for the different servers. I suggest using CARP (this way you can upgrade your setup later easily with a failover system): For example for your first webserver 212.175.221.50/24 (use unique vhids for each IP and set some password; the password is only needed to communicate with a 2nd machine)

        All public addresses? 212.175.221.1 to 255 and subnet 24?

        @hoba:

        • add 1:1 NATs at Firewall>NAT, 1:1 NAT tab to associate each external IP with an internal IP: for your first webserver map public IP 212.175.221.50/32 to 10.6.30.50/32

        This 1:1 NAT only for servers or for all locals?

        @hoba:

        • add firewall rules at Firewall>Rules, WAN tab, to allow traffic from source any, source port any, destination <internal server IP>, destination port <service port, e.g. smtp, http, …>: For your first webserver Interface WAN, protocol tcp, source any port any, destination 10.6.30.50 port 80

        Are rules used only for servers? (Port forwarding not used? Why?)

        Sorry, I'm stupid.

        -
        Ugur.

          hoba (Jun 27, 2006, 6:44 PM)

          All public IPs you want external clients to be able to connect to. In case you use VIP type CARP you have to use the real subnet mask of the interface the CARP IPs live on.

          You only need the 1:1 NAT for the mapping of internal IPs to the external IPs you have created. Every other internal IP not mentioned here will use the default NAT mapping, which translates the internal IPs to the real WAN interface IP (unless you use advanced outbound NAT).

          1:1 NAT works in and out, that's why you don't need port forwards for this. It's a combination of port forward and advanced outbound NAT and takes care that a server will use the assigned public IP when talking to the outside world. This is important if you offer services that initiate a new connection back from the server to the client, like FTP does for example. For a simple HTTP web server, where the connection is established from the outside and answered on the same connection, a simple port forward in combination with the appropriate firewall rule would do.

            ugur (Jun 28, 2006, 8:52 AM; last edited Jun 28, 2006, 9:51 AM)

            OK, I (think I) understand.

            I will try your description.

            Subnet 24/32 is not simple.

            How is this..

            What is VIP type CARP?

            -
            Ugur.

              hoba (Jun 28, 2006, 10:35 AM)

              It's just a technique pfSense supports to handle multiple IPs at one physical interface.

                ugur (Jun 28, 2006, 10:57 AM)

                I think I understand.

                I want to make every single client (except servers) use a different real IP (range 100-250).

                How do I make this?

                -
                Ugur.

                  hoba (Jun 28, 2006, 11:03 AM)

                  Use subnetmasks other than /32 for the 1:1 NAT. If calculating this correctly you can handle this with a few rules only.

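The "use subnet masks other than /32" advice above, and hoba's earlier point that 1:1 NAT translates in both directions, can be worked through numerically. The following is an added example (not code from the thread or from pfSense): it computes the aligned 1:1 NAT block pairs that cover clients 10.6.3.100-10.6.3.250 against 212.175.221.100-212.175.221.250, and models the host-bit-preserving translation such a pair applies inbound and outbound. It assumes both sides are /24s whose last octets line up, as in the thread, and that a subnet-masked 1:1 entry maps hosts by their host bits (pf binat behaviour).

```python
# Added example: 1:1 NAT block pairs for the client range in the thread,
# plus a model of the bidirectional translation each pair performs.
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

# Values from the thread (assumed: both ranges sit in /24s with equal last octets).
INT_FIRST, INT_LAST = IPv4Address("10.6.3.100"), IPv4Address("10.6.3.250")
EXT_FIRST = IPv4Address("212.175.221.100")
WAN_IP = IPv4Address("212.175.221.5")  # pfSense WAN address from the thread


def binat_pairs(int_first, int_last, ext_first):
    """Return [(internal_net, external_net)] covering the internal range.

    Each pair shares one prefix length, so a single 1:1 NAT entry with that
    mask maps every host in the internal block to the external host with the
    same host bits. Raises ValueError if the external block is not aligned.
    """
    pairs = []
    offset = int(ext_first) - int(int_first)
    for int_net in summarize_address_range(int_first, int_last):
        ext_start = IPv4Address(int(int_net.network_address) + offset)
        # strict=True rejects an external block whose start is not on a
        # boundary for this prefix length, which pfSense would not accept either.
        ext_net = IPv4Network((ext_start, int_net.prefixlen), strict=True)
        pairs.append((int_net, ext_net))
    return pairs


def translate(addr, pairs, outbound=True):
    """Apply the 1:1 mapping host-bit-for-host-bit in either direction.

    outbound=True rewrites an internal source to its public address (the
    outbound half of 1:1 NAT); outbound=False rewrites a public destination
    back to the internal host (the inbound half). An internal host with no
    pair falls back to the WAN interface address, the default outbound NAT
    behaviour hoba describes; an unmapped public address yields None.
    """
    addr = IPv4Address(addr)
    for int_net, ext_net in pairs:
        src, dst = (int_net, ext_net) if outbound else (ext_net, int_net)
        if addr in src:
            host_bits = int(addr) - int(src.network_address)
            return IPv4Address(int(dst.network_address) + host_bits)
    return WAN_IP if outbound else None


if __name__ == "__main__":
    pairs = binat_pairs(INT_FIRST, INT_LAST, EXT_FIRST)
    for int_net, ext_net in pairs:  # nine entries instead of 151 /32 ones
        print(f"1:1 NAT  external {ext_net}  <->  internal {int_net}")
    print(translate("10.6.3.150", pairs), translate("212.175.221.104", pairs, False))
```

Running it lists the nine block pairs (from 10.6.3.100/30 up to 10.6.3.250/32) that replace 151 single-host entries, which is the "few rules only" hoba refers to.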
                    ugur (Jun 28, 2006, 11:12 AM)

                    OK, I will try now

                    and ..

                    -
                    Ugur.

                      ugur (Jun 29, 2006, 7:32 PM; last edited Jun 29, 2006, 8:03 PM)

                      Not OK.

                      step 1:
                      system/advanced:
                      Enable filtering bridge: checked
                      Disable NAT Reflection: unchecked

                      interfaces/wan:
                      ip: 212.175.221.5/24
                      gw: 212.175.221.1
                      Disable the userland FTP-Proxy application: unchecked

                      interfaces/lan:
                      Disable the userland FTP-Proxy application: unchecked
                      ip: 10.6.3.5/24

                      step 2:
                      firewall/aliases:
                      name: dnsserver1
                      type: network
                      ip: 10.6.3.8/32
                      name: webserver1
                      type: network
                      ip: 10.6.3.51/32
                      name: ftpserver1
                      type: network
                      ip: 10.6.3.81/32
                      name: mailserver1
                      type: network
                      ip: 10.6.3.61/32

                      step 3:
                      firewall/virtual ip:
                      carp 212.175.221.6/24 to 254/24 and vhid 6 to 254 (all ip and vhid different)
                      (for every ip, not simple, edit config xml)

                      step 4:
                      firewall/nat/1:1
                      if: WAN
                      ext ip: 212.175.22.10/32 (dns)
                      int ip: 10.6.3.8/32 (dns)
                      ext ip: 212.175.221.51/32 (web)
                      int ip: 10.6.3.51/32
                      ext ip: 212.175.221.61/32 (mail)
                      int ip: 10.6.3.61/32
                      ext ip: 212.175.221.81/32 (ftp)
                      int ip: 10.6.3.81

                      step 5:
                      firewall/rules/wan
                      proto: for dns:tcp-udp / for web:tcp / for ftp:tcp / for mail:tcp
                      source: *
                      port: *
                      dest type: single host or alias selected
                      dest addr: dnsserver1 / webserver1 / ftpserver1 / mailserver1
                      port: 53 (dns) / 80 (http) / 21 (ftp) / 25-110 (smtp-pop3)
                      gw: *

                      step 6:
                      firewall/rules/lan
                      proto: for dns:tcp/udp / - / - / for mail: tcp
                      source type: single host or alias selected
                      source addr: dnsserver1 / (webserver1 and ftpserver1 not ruled) / mailserver1
                      port: *
                      dest: *
                      port: 53 (dns) / - / - / 25-110 (smtp-pop3)
                      gw: *

                      step 7:
                      firewall/rules/outbound
                      Enable advanced outbound NAT (checked and saved)
                      if: wan
                      source type: network
                      source addr: 10.6.3.0/24
                      destination: (all default)
                      translation: interface address (others default)

                      and
                      1 dns server configured (as like upper)
                      1 web server configured (as like upper)
                      1 mail server configured (as like upper)
                      1 ftp server configured (as like upper)

                      ( all gw: 10.6.3.5, all dns: 10.6.3.8 )

                      now

                      dns server is running,
                      web server is running,
                      mail server is running,
                      ftp server is running,

                      but

                      1. Restart time >5 min (waiting for CARP interfaces), why?
                        (1G RAM, P2 dual 400 MHz, 4 GB SCSI HD with Adaptec 7880 SCSI card 40000 MB/s)

                      2. DNS server resolves addresses, but very slowly

                      3. World to web server connection established, but all connections very very slow

                      4. Mail server to world OK, world to inside not connected

                      5. FTP connected but timed out

                      6. Other clients not NAT'ed (no different public IP, WAN IP used).

                      Where is it wrong?

                      Pls help step by step..

                      -
                      Ugur.

                        sullrich (Jun 29, 2006, 11:09 PM)

                        That's awfully demanding for free support… step by step? Why?

                          ugur (Jun 29, 2006, 11:42 PM)

                          I am really trying to run pfSense…

                          step by step

                          for

                          which of my steps is wrong

                          -
                          Ugur.

                            ugur (Jul 2, 2006, 7:46 PM; last edited Jul 7, 2006, 10:03 AM)

                            Thanks for all :|

                            -
                            Ugur.
