Netgate Discussion Forum
    Redirect SMTP and HTTP traffic with virtual IP from a specific source alone
• cmb

      You don't want to redirect it, you want to change your NAT, either so your mail server goes out a diff IP or the inside hosts do.

• djvenky

        Hello Eugene,

I tried your steps, but it doesn't show the designated public IP when I verify it using the myipaddress.com site.
Or maybe I did it wrong; below is the rule I have added, please correct me if I am wrong.

Added outgoing NAT rule like -->
ISP Name  172.17.0.0/16 * * * 58.x.x.x *

        Venkat

• djvenky

          @cmb:

          You don't want to redirect it, you want to change your NAT, either so your mail server goes out a diff IP or the inside hosts do.

Yes, exactly, but how do I go about it?

• Eugene

Can we see your pfctl -sn?
This rule has to go before other rules with 172.17.0.0/16 as a source net.

            http://ru.doc.pfsense.org

• djvenky

              @Eugene:

Can we see your pfctl -sn?
This rule has to go before other rules with 172.17.0.0/16 as a source net.

Yes, PFA.

[attachment: pfsense.jpg]

• Eugene

So 172.17.0.0/16 has to use the 58.xxx public IP. Does it?

                http://ru.doc.pfsense.org

• kpa

                  Is that IP starting with 58 a virtual IP on your WAN interface? Then you need to change the interface in your outbound NAT rule to WAN. Outbound NAT rules are matched with outgoing traffic on an interface, not incoming.

• djvenky

                    @Eugene:

So 172.17.0.0/16 has to use the 58.xxx public IP. Does it?

Yes, Eugene, that's exactly what I want to do.

• Eugene

                      kpa is right.

                      http://ru.doc.pfsense.org

• djvenky

Actually we have two ISPs: one is WAN [Reliance] and the other one is Aircel. In this I am trying to route a specific source to any using an additional static IP from the Aircel ISP, which starts with the 58.x.x.x series.

• Eugene

In this case you have to choose the proper Gateway in Firewall->Rules for this specific traffic.

                          http://ru.doc.pfsense.org

• djvenky

Okay, I think I am making some other mistake. Internet doesn't even work when I just set the outbound NAT rule. It just stays at "looking up google.com" when I hit it in the browser. If I just allow full access to the domain and DNS server in Rules --> LAN, isn't that enough? Or do I have to add any specific rules?

But it didn't state "connecting to google.com" when I hit it in the browser, so I am assuming only its DNS resolution needs to be corrected.
Any clues where I would have gone wrong?

• djvenky

                              @Eugene:

In this case you have to choose the proper Gateway in Firewall->Rules for this specific traffic.

Yes, I checked it; it's all set correctly to the corresponding GW.

• Eugene

                                How many interfaces do you have?

                                http://ru.doc.pfsense.org

• djvenky

                                  3 interfaces:
                                  1. LAN
                                  2. WAN - Reliance ISP
                                  3. Aircel - ISP

• Eugene

How come you have two networks, 172.17.0.0/16 and 172.16.0.0/16, on LAN? What are the settings (IP address/mask) on your LAN interface?

                                    http://ru.doc.pfsense.org

• djvenky

Actually our local LAN network is separated into different VLANs using Cisco Catalyst switches.

IP: 172.16.0.0/16, 172.17.0.0/16 and 10.5.0.0/16
172.17.x.x for wireless, 172.16.x.x for servers and 10.5.x.x for desktops, like that.

• Eugene

A little diagram/explanation would definitely help here:
172.16.0.0/16 vlan x----|catalyst|?.?.?.?/? vlan ?-----?.?.?.?/? pfSense
172.17.0.0/16 vlan y----|        |

                                        http://ru.doc.pfsense.org

• djvenky

That's gonna be a little hard ..... I will try to explain it to you the best I can.

first --> server network [172.16.x.x/16] VLAN 10 --> connected to layer 3 switch ---> connected to pfSense [for internet]

GW - 172.16.1.10 for server VLAN --> route 0.0.0.0 0.0.0.0 to pfSense 172.16.1.254 --> packets hit pfSense here.
Why VLANs? Because we have a few departments whose systems or files should not be accessed by others, and for the WiFi we have about 5 profiles,
like VIP, staff and guest, and so each profile gets a different IP range and cannot access the other networks. And why Cisco switches? Because they have the concept of stacking, which gives a master and a slave switch, and both are bound together including the ports. Each port is 1 Gbps, so when bound they work at 2 Gbps, and even when one switch is down, it will still keep working on the other one.

• Eugene

Then I suspect you have to have on pfSense:
1. Rules on LAN allowing net 172.16.0.0/16 to go to the Internet using the default gateway.
2. Rules on LAN allowing net 172.17.0.0/16 to go to the Internet using the default 58.xx gateway.
3. Rules on LAN allowing net xxx to go to the Internet using ??? gateway.
"Allow to go to the Internet" means TCP/UDP port 53, TCP ports 80 and 443 at least (and ICMP if you wish).

                                            On NAT->Outbound page you have to create NAT entries for all subnets on proper interfaces.

                                            http://ru.doc.pfsense.org

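As an added example, not code from any poster in this thread and not pfSense's own generated ruleset, here is the setup Eugene summarises rendered in pf.conf syntax (the rule language pfSense builds from its GUI), using the thread's three subnets. The interface names, the Aircel gateway and the 58.x VIP addresses are assumed placeholders.

```pf
# Added example (not from any poster): pf.conf rendering of the pieces
# discussed in this thread, using its subnets. Interface names, the
# Aircel gateway and the 58.x VIP are placeholder assumptions.
lan_if     = "em0"
wan_if     = "em1"          # Reliance, carries the default route
aircel_if  = "em2"
aircel_gw  = "58.0.0.1"     # assumed next hop on the Aircel link
aircel_vip = "58.0.0.2"     # assumed virtual IP on the Aircel interface

table <servers>  { 172.16.0.0/16 }
table <wireless> { 172.17.0.0/16 }
table <desktops> { 10.5.0.0/16 }

# Translation rules are first-match and are evaluated on the interface
# a packet LEAVES on (kpa's point), so the wireless -> VIP rule must be
# bound to the Aircel interface, not to LAN, and every subnet needs an
# entry for each egress interface it may use (Eugene's last point).
nat on $aircel_if from <wireless> to any -> $aircel_vip
nat on $wan_if    from <servers>  to any -> ($wan_if)
nat on $wan_if    from <desktops> to any -> ($wan_if)

# Traffic for the firewall itself (e.g. DNS to the resolver on pfSense,
# "This Firewall (self)" in the GUI) must be passed WITHOUT a gateway
# and before any route-to rule; otherwise it is policy-routed out the
# Aircel link and lookups hang, which is what "looking up google.com"
# stuck in the browser looks like.
pass in quick on $lan_if from <wireless> to self keep state

# A NAT entry alone never moves packets onto the Aircel link: they still
# follow the default route out $wan_if, where no VIP rule matches.
# route-to on the LAN pass rule is what selects the gateway (Eugene's
# point). "Go to Internet" here is DNS, HTTP and HTTPS, as listed above.
pass in quick on $lan_if route-to ($aircel_if $aircel_gw) \
    inet proto { tcp udp } from <wireless> to any port 53 keep state
pass in quick on $lan_if route-to ($aircel_if $aircel_gw) \
    inet proto tcp from <wireless> to any port { 80 443 } keep state

# Server and desktop VLANs stay on the default (Reliance) gateway.
pass in quick on $lan_if inet proto { tcp udp } \
    from { <servers> <desktops> } to any port 53 keep state
pass in quick on $lan_if inet proto tcp \
    from { <servers> <desktops> } to any port { 80 443 } keep state
```

Load it with pfctl -nf to syntax-check, then compare pfctl -sn and pfctl -sr against the GUI to confirm the VIP rule sits on the Aircel interface and the route-to rules come after the rule for the firewall itself.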