Netgate Discussion Forum
    NAT traffic behind 3rd Party DMZ VIP

vlw

      I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
      Firewall:NAT:outbound
      chose: manual outbound NAT generation rule
      interface: 3rd Party DMZ
      Source: Network 170.198.10.0/25 (my LAN network)
      Destination: any
Translation: should I choose "Interface Address"? Does that refer to the VIP of my 3rd Party DMZ?

yanosz

        Hello,

        @vlw:

        I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
        Firewall:NAT:outbound
        chose: manual outbound NAT generation rule
        interface: 3rd Party DMZ
        Source: Network 170.198.10.0/25 (my LAN network)
        Destination: any
Translation: should I choose "Interface Address"? Does that refer to the VIP of my 3rd Party DMZ?

In theory there is no need to NAT, since 170.198.10.0/25 is a public, globally unique range. However, if you want to NAT all traffic to a specific VIP and not to the interface address (for whatever reason), you should translate to the VIP address.
(By the way: reboot the system if no NAT happens.)

By the way, it's somewhat peculiar that your LAN has a public address range while your DMZ does not… ;)

        Keep smiling
        yanosz

vlw

I want to use the VIP address because I have two pfSense firewalls.
My VIP is 192.168.64.1, with 192.168.64.2 and .3 as the interface addresses.
All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see the 192.168.64.1. How do I verify this VIP was created correctly? Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? The session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination? Thanks.

yanosz

            Hello,

            @vlw:

I want to use the VIP address because I have two pfSense firewalls.
My VIP is 192.168.64.1, with 192.168.64.2 and .3 as the interface addresses.
All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see the 192.168.64.1. How do I verify this VIP was created correctly?

The rabbit hole is deeper than expected ;-)
Have you read (and understood ;D) http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29 ?

            @vlw:

Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? The session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination?

Firewall rules go on the incoming interface, outbound NAT rules on the outgoing interface.

            Keep smiling
            yanosz

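The two answers above boil down to checks an operator can run on the pfSense node itself: confirm that 192.168.64.1 is actually a CARP VIP (and which node currently holds MASTER), confirm that the outbound NAT rule on the DMZ interface translates the LAN range to that VIP rather than to the interface address, and confirm that the pass rule sits on the LAN (incoming) interface. The script below is an added example, not code from the thread or from pfSense; it parses constructed samples of `ifconfig` and `pfctl -sn` / `pfctl -sr` output in the FreeBSD format pfSense uses. The interface names em0 (LAN) and em1 (DMZ) and the vendor prefix 198.51.100.0/24 (standing in for the 167.x.x.x the poster elided) are assumptions; on a real node you would feed the functions the live command output instead.

```shell
#!/bin/sh
# Added example (not from the thread): verify a CARP VIP and the rule
# placement yanosz describes by parsing ifconfig(8) and pfctl(8) output.
# em0 = LAN, em1 = DMZ, 198.51.100.0/24 = placeholder for the vendor range.
# All sample output below is constructed; replace with live output, e.g.
#   carp_vips "$(ifconfig em1)"   and   nat_translates_to "$(pfctl -sn)" ...

# Constructed `ifconfig em1` output from the node that holds the VIP.
IFCONFIG_SAMPLE='em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:00:5e:00:01:01
        inet 192.168.64.2 netmask 0xffffff00 broadcast 192.168.64.255
        inet 192.168.64.1 netmask 0xffffff00 broadcast 192.168.64.255 vhid 1
        carp: MASTER vhid 1 advbase 1 advskew 0'

# Constructed `pfctl -sn` output: outbound NAT on the DMZ interface to the VIP.
PFCTL_NAT_SAMPLE='nat on em1 inet from 170.198.10.0/25 to any -> 192.168.64.1 port 1024:65535'

# Constructed `pfctl -sr` output: the pass rule lives on the LAN (incoming) interface.
PFCTL_RULES_SAMPLE='pass in quick on em0 inet from 170.198.10.0/25 to 198.51.100.0/24 flags S/SA keep state label "USER_RULE: LAN to vendor"'

# carp_vips OUTPUT: print "<vip> <vhid> <state>" for each CARP address.
# An "inet ... vhid N" line names the VIP; the "carp: STATE vhid N" line gives its state.
carp_vips() {
    printf '%s\n' "$1" | awk '
        $1 == "inet" && /vhid/ { for (i = 1; i <= NF; i++) if ($i == "vhid") addr[$(i+1)] = $2 }
        $1 == "carp:"         { state[$4] = $2 }
        END { for (v in addr) print addr[v], v, (v in state ? state[v] : "UNKNOWN") }'
}

# vip_is_master OUTPUT VIP: succeed only if VIP exists and this node is MASTER for it.
vip_is_master() {
    carp_vips "$1" | awk -v a="$2" '$1 == a && $3 == "MASTER" { found = 1 } END { exit !found }'
}

# nat_translates_to NAT_OUTPUT IFACE SRC ADDR: succeed if a nat rule on IFACE
# rewrites SRC to ADDR (i.e. the VIP, not the interface address).
nat_translates_to() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v src="$3" -v addr="$4" '
        $1 == "nat" && $3 == ifc && $6 == src && $9 == "->" && $10 == addr { found = 1 }
        END { exit !found }'
}

# pass_rule_on RULES_OUTPUT IFACE SRC DST: succeed if a "pass in" rule on IFACE
# allows SRC to DST, i.e. the filter rule is on the incoming interface.
pass_rule_on() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v src="$3" -v dst="$4" '
        $1 == "pass" && $2 == "in" && $5 == ifc && $8 == src && $10 == dst { found = 1 }
        END { exit !found }'
}

# Stand-alone run against the constructed samples.
echo "CARP VIPs on em1:"
carp_vips "$IFCONFIG_SAMPLE"
vip_is_master "$IFCONFIG_SAMPLE" 192.168.64.1 \
    && echo "192.168.64.1 is a CARP VIP and this node is MASTER"
nat_translates_to "$PFCTL_NAT_SAMPLE" em1 170.198.10.0/25 192.168.64.1 \
    && echo "outbound NAT on em1 translates 170.198.10.0/25 to the VIP"
pass_rule_on "$PFCTL_RULES_SAMPLE" em0 170.198.10.0/25 198.51.100.0/24 \
    && echo "pass rule for LAN -> vendor is on the incoming interface em0"
```

If `carp_vips` prints nothing for the DMZ interface, the VIP was never configured as a CARP address on that interface, which matches the poster's observation that 192.168.64.1 is missing from the Virtual IPs page; if it prints BACKUP on both nodes, the advskew or VHID settings from the linked CARP document are worth re-checking.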