Netgate Discussion Forum

1:1 NAT + Alias

  • I Offline
    IanSVT
    last edited by Feb 7, 2007, 4:10 PM

    Hello,

    I have an OpenBSD 4.0 server running PF.  I have a web server on the internal LAN.  To be able to pull http traffic from the outside, I set up an alias to a public IP on the "external" network interface.  I then put a binat rule along with a filter pass through rule into pf.conf.

    I'm trying to duplicate this with pfSense.  So I created an alias of type host, with let's say a public IP of 144.155.166.177.  I then create a 1:1 NAT rule on the WAN interface. For the external subnet, I make it the 144.155.166.177 aliased address and leave the mask at /32.  I enter 10.1.1.10 for the internal subnet.  Just to be sure it's not a rule blocking it, I created a rule on the WAN interface tab which basically lets anything go.

    The problem is, I don't think the alias is being created correctly, or I screwed up the 1:1 NAT.  The text of subnet in the 1:1 NAT tab threw me for a loop.  Why would I specify a subnet?  Aren't I just mapping an internal address to an external address (aliased)?

    • H Offline
      hoba
      last edited by Feb 7, 2007, 4:15 PM

      You don't need an alias for this but a Virtual IP instead (Interfaces>Virtual IP). A VIP of type proxyARP or CARP should do. The FreeBSD "Interface alias" is not supported in the 1.x branch of pfSense (but already present in HEAD).

      • I Offline
        IanSVT
        last edited by Feb 7, 2007, 4:34 PM

        Cheers.

        Switching it to PARP doesn't seem to do the trick.  Although, I could be tripped up on the rules.  Do I need to make a rule under the LAN tab, or is a rule under the WAN tab adequate?

        • H Offline
          hoba
          last edited by Feb 7, 2007, 6:58 PM

          • Create a VIP
          • Add a 1:1 NAT to it
          • Create firewall rules on the WAN interface for traffic to pass (usually from source any to destination internal IP of the 1:1 target, protocol and port as desired)

          If it doesn't work, make sure an old ARP cache on the router/device in front of you is not playing tricks on you. Power-cycle this device to make sure. If that doesn't help, try a CARP VIP.
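
The mapping and WAN rule discussed in this thread, written as a raw pf.conf fragment. This is an added example, not part of any poster's reply and not pfSense's generated ruleset; the interface name `em0` is an assumption, and the addresses are the ones quoted in the thread.

```pf
# Added example. Pre-4.7 pf syntax, as used by OpenBSD 4.0 and by the
# FreeBSD pf underneath pfSense.
# Assumption: em0 is the external (WAN) interface.
ext_if  = "em0"
web_ext = "144.155.166.177"   # public address from the thread (the VIP)
web_int = "10.1.1.10"         # internal web server from the thread

# 1:1 mapping. Both sides are single hosts, which is what a /32 mask in
# the pfSense 1:1 NAT form expresses; a shorter mask maps an equal-sized
# block of addresses one-to-one instead.
binat on $ext_if from $web_int to any -> $web_ext

# Default: drop and log unsolicited inbound traffic on the WAN side.
block in log on $ext_if all

# Translation is applied before filtering, so the inbound rule matches
# the internal address as its destination.

# Troubleshooting rule from the first post; it exposes every port on
# the web server and should not stay in place:
# pass in on $ext_if from any to $web_int

# Scoped rule: only HTTP reaches the web server.
pass in on $ext_if proto tcp from any to $web_int port 80 flags S/SA keep state
```

On a plain pf host the fragment can be syntax-checked with `pfctl -nf` before loading; on pfSense the same intent is entered through the Virtual IP, 1:1 NAT and WAN rules pages.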

          • I Offline
            IanSVT
            last edited by Feb 7, 2007, 7:18 PM

            CARP seems to have done the trick.  Cheers.

            • I Offline
              IanSVT
              last edited by Feb 7, 2007, 7:36 PM Feb 7, 2007, 7:28 PM

              Spoke too soon.  That got the IP to listen (I can ping it), but it seems like the NAT isn't working correctly.  The NAT page doesn't make sense to me.  Why am I putting in a subnet?  Wouldn't I be putting in the external IP and the internal IP?  Should I keep the netmask at /32 for single IP translations?

              I can't add 144.155.166.177 with a /26 netmask.  When I select /32, it forces the internal IP to be 10.1.1.60/32 when it's an 8 bit netmask (255.0.0.0).

              EDIT:  Never mind, dumb move on my part.  The webserver I was trying to access didn't have Apache running.  It was unloaded.  Moral of the story, make sure all your own stuff is working first!!

              • D Offline
                davidemiccone
                last edited by Mar 24, 2007, 1:23 PM

                @hoba:

                You don't need an alias for this but a Virtual IP instead (Interfaces>Virtual IP). A VIP type proxyARP or CARP should do. The freebsd "Interface alias" is not supported in the 1.x branch of pfSense (but already present in HEAD).

                Until the next major release, which is the best place to set a WAN interface alias, please?

                I read several posts in the forum and the best solution seems to be http://forum.pfsense.org/index.php/topic,223.0.html

                Do you agree? Do you have a better solution to advise?

                Any advice will be appreciated.

                Davide.

                • H Offline
                  hoba
                  last edited by Mar 24, 2007, 5:56 PM

                  If you want to have these changes backed up in your config run them by using hidden config.xml commands (see http://faq.pfsense.org/index.php?action=artikel&cat=10&id=38&artlang=en ).
