NAT/port forwarding: big help pls

    NAT
hoba

All public IPs you want external clients to be able to connect to. In case you use VIP type CARP you have to use the real subnet mask of the interface the CARP IPs live on.

      You only need the 1:1 NAT for the mapping of internal IPs to the external IPs you have created. Every other internal IP not mentioned here will use the default NAT mapping which translates the internal IPs to the real WAN interface IP (unless you use advanced outbound NAT).

1:1 NAT works in and out, that's why you don't need port forwards for this. It's a combination of port forward and advanced outbound NAT and takes care that a server will use the assigned public IP when talking to the outside world. This is important if you offer services that initiate a new connection back from the server to the client, like FTP does for example. For a simple HTTP web server, where the connection is established from the outside and answered on the same connection, a simple port forward in combination with the appropriate firewall rule would do.

ugur

OK, I (think I) understand.

I'll try your description.

Subnet 24/32: not simple.

How does this work?

What is VIP type CARP?

        -
        Ugur.

hoba

          It's just a technique pfSense supports to handle multiple IPs at one physical interface.

ugur

I think I understand.

I want every single client (except the servers) to use a different real IP (range 100-250).

How do I make this?

            -
            Ugur.

hoba

Use subnet masks other than /32 for the 1:1 NAT. If you calculate this correctly you can handle this with a few rules only.

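The two points hoba makes above (1:1 NAT translates in both directions and picks the public source address for new outbound connections, and a 1:1 entry with a mask shorter than /32 covers a whole block of hosts) can be shown with a few lines of Python. This is an added example, not code from the thread or from pfSense: the rule tuples and function names are this example's own, the address plan (LAN 10.6.3.0/24, public 212.175.221.0/24, clients .100 to .250) is the one under discussion, and the host-bit-preserving translation is how pf's binat behaves. It assumes, as pfSense's 1:1 NAT page requires, that the internal and external networks of one entry share a prefix length.

```python
"""1:1 NAT with subnet masks: translation and rule planning (added example)."""
import ipaddress
from typing import List, Tuple

# A 1:1 rule is (internal network, external network) with equal prefix lengths.
# This tuple layout is constructed for the example, not pfSense's config format.
Rule = Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]


def _swap_network(ip: ipaddress.IPv4Address,
                  src_net: ipaddress.IPv4Network,
                  dst_net: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
    """Keep the host bits of ip, replace its network bits with dst_net's."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError(f"mask mismatch: {src_net} vs {dst_net}")
    host_bits = int(ip) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + host_bits)


def outbound(addr: str, rules: List[Rule]) -> str:
    """Source address seen on the WAN for a NEW connection from addr.

    An address no 1:1 rule covers is returned unchanged: that is the case hoba
    describes as falling through to the default outbound NAT (WAN interface IP).
    """
    ip = ipaddress.IPv4Address(addr)
    for int_net, ext_net in rules:
        if ip in int_net:
            return str(_swap_network(ip, int_net, ext_net))
    return addr


def inbound(addr: str, rules: List[Rule]) -> str:
    """Internal destination for a packet arriving at public addr (the "in" half
    of "works in and out"); unchanged when no rule matches."""
    ip = ipaddress.IPv4Address(addr)
    for int_net, ext_net in rules:
        if ip in ext_net:
            return str(_swap_network(ip, ext_net, int_net))
    return addr


def plan_1to1_rules(int_first: str, int_last: str, ext_first: str) -> List[Rule]:
    """Fewest aligned CIDR blocks covering int_first..int_last, each paired with
    the equal-sized public block at the same offset from ext_first.

    The external block must sit on the same bit boundary as the internal one;
    otherwise the host bits would not survive translation, so we refuse.
    """
    first, last = ipaddress.IPv4Address(int_first), ipaddress.IPv4Address(int_last)
    offset = int(ipaddress.IPv4Address(ext_first)) - int(first)
    rules: List[Rule] = []
    for block in ipaddress.summarize_address_range(first, last):
        try:
            ext = ipaddress.IPv4Network((int(block.network_address) + offset, block.prefixlen))
        except ValueError as exc:  # host bits set: external block not aligned
            raise ValueError(
                f"{ext_first} does not share host bits with {int_first}; "
                f"a /{block.prefixlen} 1:1 entry needs aligned blocks on both sides") from exc
        rules.append((block, ext))
    return rules


if __name__ == "__main__":
    servers = [(ipaddress.IPv4Network("10.6.3.51/32"), ipaddress.IPv4Network("212.175.221.51/32"))]
    clients = plan_1to1_rules("10.6.3.100", "10.6.3.250", "212.175.221.100")
    for int_net, ext_net in servers + clients:
        print(f"1:1  {str(int_net):18} <-> {ext_net}")
    print(outbound("10.6.3.130", servers + clients))  # dedicated public address
    print(outbound("10.6.3.20", servers + clients))   # unchanged: default outbound NAT
```

For the range .100 to .250 the planner yields nine entries (/30, /29, /28, /26, /27, /28, /29, /31, /32) instead of 151 single-host ones, which is the "calculate this correctly" hoba refers to; the public block has to start at .100 as well, since a 1:1 entry cannot shift host bits.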
ugur

OK, I'll try now

                and ..

                -
                Ugur.

ugur

Not OK.

Step 1:
System/Advanced:
Enable filtering bridge: checked
Disable NAT Reflection: unchecked

Interfaces/WAN:
IP: 212.175.221.5/24
GW: 212.175.221.1
Disable the userland FTP-Proxy application: unchecked

Interfaces/LAN:
Disable the userland FTP-Proxy application: unchecked
IP: 10.6.3.5/24

Step 2:
Firewall/Aliases:
name: dnsserver1
type: network
IP: 10.6.3.8/32
name: webserver1
type: network
IP: 10.6.3.51/32
name: ftpserver1
type: network
IP: 10.6.3.81/32
name: mailserver1
type: network
IP: 10.6.3.61/32

Step 3:
Firewall/Virtual IP:
CARP 212.175.221.6/24 to 254/24 and VHID 6 to 254 (all IPs and VHIDs different)
(for every IP, not simple, edited the config XML)

Step 4:
Firewall/NAT/1:1
if: WAN
ext IP: 212.175.22.10/32 (dns)
int IP: 10.6.3.8/32 (dns)
ext IP: 212.175.221.51/32 (web)
int IP: 10.6.3.51/32
ext IP: 212.175.221.61/32 (mail)
int IP: 10.6.3.61/32
ext IP: 212.175.221.81/32 (ftp)
int IP: 10.6.3.81

Step 5:
Firewall/Rules/WAN
proto: for dns: tcp/udp / for web: tcp / for ftp: tcp / for mail: tcp
source: *
port: *
dest type: single host or alias selected
dest addr: dnsserver1 / webserver1 / ftpserver1 / mailserver1
port: 53 (dns) / 80 (http) / 21 (ftp) / 25-110 (smtp-pop3)
gw: *

Step 6:
Firewall/Rules/LAN
proto: for dns: tcp/udp / - / - / for mail: tcp
source type: single host or alias selected
source addr: dnsserver1 / (webserver1 and ftpserver1 have no rule) / mailserver1
port: *
dest: *
port: 53 (dns) / - / - / 25-110 (smtp-pop3)
gw: *

Step 7:
Firewall/Rules/Outbound
Enable advanced outbound NAT (checked and saved)
if: WAN
source type: network
source addr: 10.6.3.0/24
destination: (all default)
translation: interface address (others default)

and
1 DNS server configured (as above)
1 web server configured (as above)
1 mail server configured (as above)
1 FTP server configured (as above)

(all GW: 10.6.3.5, all DNS: 10.6.3.8)

Now

DNS server is running,
web server is running,
mail server is running,
FTP server is running,

but

1. Restart time >5 min (waiting for CARP interfaces), why?
   (1 GB RAM, P2 dual 400 MHz, 4 GB SCSI HD with Adaptec 7880 SCSI card, 40000 MB/s)

2. DNS server resolving addresses, but very slow

3. World to web server connection established, but all connections very very slow

4. Mail server to world OK, world to inside not connected

5. FTP connected but timed out

6. Other clients not NAT'ed (no different public IP, the WAN IP is used)

Where is it wrong?

Please help step by step..

                  -
                  Ugur.

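A practitioner reading the configuration above would first lint it against hoba's rules: every 1:1 external address must be an address the firewall actually owns (a CARP VIP or the WAN address), every 1:1 internal address must be on the LAN, and any host without a 1:1 entry leaves through the outbound NAT rules, which in step 7 translate the whole LAN to the WAN interface address. The script below is an added example, not pfSense code or a pfSense export: the values are copied from the post into plain Python data (the DNS entry's external address is reproduced exactly as posted), and the check functions, their names and the precedence of 1:1 entries over outbound NAT rules (which is how pfSense applies them) are this example's own.

```python
"""Consistency checks over the posted NAT plan (added example, constructed data)."""
import ipaddress

# Step 1: WAN and LAN as posted.
WAN = ipaddress.ip_interface("212.175.221.5/24")
LAN = ipaddress.ip_network("10.6.3.0/24")

# Step 3: CARP VIPs 212.175.221.6 through .254.
CARP_VIPS = {ipaddress.ip_address(f"212.175.221.{h}") for h in range(6, 255)}

# Step 4: name -> (external, internal), copied as written in the post.
ONE_TO_ONE = {
    "dns":  ("212.175.22.10/32", "10.6.3.8/32"),
    "web":  ("212.175.221.51/32", "10.6.3.51/32"),
    "mail": ("212.175.221.61/32", "10.6.3.61/32"),
    "ftp":  ("212.175.221.81/32", "10.6.3.81"),
}

# Step 7: advanced outbound NAT, one rule for the whole LAN.
OUTBOUND = [("10.6.3.0/24", "interface address")]


def externals_without_vip(one_to_one=ONE_TO_ONE, vips=CARP_VIPS, wan=WAN):
    """Names of 1:1 entries whose external address is neither a CARP VIP nor
    the WAN address. The firewall does not own such an address, so nothing sent
    to it can reach the mapped internal host."""
    bad = []
    for name, (ext, _internal) in one_to_one.items():
        if any(a != wan.ip and a not in vips for a in ipaddress.ip_network(ext)):
            bad.append(name)
    return bad


def internals_outside_lan(one_to_one=ONE_TO_ONE, lan=LAN):
    """Names of 1:1 entries whose internal address is not on the LAN."""
    return [name for name, (_ext, internal) in one_to_one.items()
            if not ipaddress.ip_network(internal).subnet_of(lan)]


def egress_address(internal_ip, one_to_one=ONE_TO_ONE, outbound=OUTBOUND, wan=WAN):
    """Public source address for a new outbound connection from internal_ip.

    1:1 entries are consulted first (they take precedence over outbound NAT);
    anything else falls through to the outbound rules. None means no rule
    applies at all.
    """
    ip = ipaddress.ip_address(internal_ip)
    for ext, internal in one_to_one.values():
        int_net, ext_net = ipaddress.ip_network(internal), ipaddress.ip_network(ext)
        if ip in int_net:  # binat: keep host bits, swap network bits
            return str(ext_net.network_address + (int(ip) - int(int_net.network_address)))
    for src, translation in outbound:
        if ip in ipaddress.ip_network(src):
            return str(wan.ip) if translation == "interface address" else translation
    return None


def report(clients=("10.6.3.8", "10.6.3.51", "10.6.3.130")):
    """Human-readable summary of the three checks."""
    lines = [f"1:1 externals with no VIP: {externals_without_vip()}",
             f"1:1 internals outside LAN: {internals_outside_lan()}"]
    for c in clients:
        lines.append(f"{c:<12} leaves as {egress_address(c)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Run on these values it reports the dns entry, whose external address lies outside the 212.175.221.0/24 range the VIPs and the WAN live in, and shows a client such as 10.6.3.130 leaving with 212.175.221.5: with only the step 7 rule and no 1:1 entry covering the client range, that is the WAN interface address, which matches item 6 of the post.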
sullrich

That's awfully demanding for free support... step by step? Why?

ugur

I am really trying to run pfSense...

Step by step

for

which of my steps is wrong

                      -
                      Ugur.

ugur

Thanks for all :|

                        -
                        Ugur.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.