NAT to a device with gw pointing to a different FW
-
Hi,
I am new to the forum. I went through the posted messages but couldn't find the answer to my problem:
We have a network behind a firewall. I am trying to set up pfSense as a second firewall. I have done the same thing with Linux, and it works, but we want to have pfSense as the standard in the company.
Internally, all devices have their default gateway pointing to the main firewall's LAN IP. From a second FW, I try to configure NAT to a PC (let's say MS-RDP=3389). Unless I change the default GW of the devices to the LAN interface of the second firewall, the NAT doesn't work. Changing the default GW or adding a secondary GW to all machines is (let's say) impractical. How can I do that?
In pfSense, I tried to add a virtual IP and set up a NAT, and played unsuccessfully with the Outbound NAT static options etc.
FYI, in Linux iptables the following commands do the trick:
IPTABLES=/sbin/iptables
# take the public address off eth0 while the rules are installed
/sbin/ip addr del dev eth0 100.11.22.33
# forward inbound RDP on the public address to the internal PC
$IPTABLES -I PREROUTING -p tcp -t nat -d 100.11.22.33 --dport 3389 -j DNAT --to 172.16.8.171:3389
# rewrite the source so the PC replies to this firewall's LAN IP, not its default gateway
$IPTABLES -A POSTROUTING -p tcp -t nat -d 172.16.8.171 -j SNAT --to 172.16.8.2
$IPTABLES -I FORWARD -p tcp -i eth0 -d 172.16.8.171 -m state --state NEW -j ACCEPT
$IPTABLES -I FORWARD -p tcp -o eth1 -d 100.11.22.33 -m state --state NEW -j ACCEPT
# put the public address back on eth0
/sbin/ip addr add dev eth0 100.11.22.33
where 172.16.8.2 is the LAN IP of the secondary firewall running this rule, and the primary firewall's LAN IP (as well as the default gateway for all internal devices) is 172.16.8.1.
From outside I can use RDP by typing 100.11.22.33.
Thank you in advance..
sbkom
-
On the second firewall, add an outbound NAT rule for LAN with the target of the port forward specified for the destination on the outbound NAT rule. This way it will see the second firewall's LAN IP as the source and reply to it directly instead of trying to reply through the default gateway.
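The following is an added example, not code from the thread or from pfSense, that models why the outbound NAT rule above fixes the port forward. It uses the addresses from the thread (100.11.22.33 as the forwarded public address, 172.16.8.2 as the second firewall's LAN IP, 172.16.8.1 as the primary firewall and default gateway, 172.16.8.171:3389 as the RDP target); the external client address 203.0.113.5 and the ports 51000 and 40000 are constructed. The model runs the same inbound connection twice, once without and once with source translation toward the LAN host, and reports where the host's reply is routed.

```python
import ipaddress
from dataclasses import dataclass, replace

# Addressing from the thread; the client address and ports are constructed.
WAN_VIP = "100.11.22.33"    # public address the second firewall forwards
FW2_LAN = "172.16.8.2"      # second firewall's LAN address
FW1_LAN = "172.16.8.1"      # primary firewall = default gateway of all LAN hosts
RDP_HOST = "172.16.8.171"
RDP_PORT = 3389
LAN = ipaddress.ip_network("172.16.8.0/24")
CLIENT = "203.0.113.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SecondFirewall:
    """Minimal model of the second firewall: a port forward (DNAT) on the WAN
    side, an optional outbound NAT (SNAT) toward the LAN target, and a state
    table keyed on the translated flow so replies can be reversed."""

    def __init__(self, snat_to_lan: bool):
        self.snat_to_lan = snat_to_lan
        self.state = {}  # (host_src, host_sport, host_dst, host_dport) -> original packet

    def inbound(self, pkt: Packet):
        if pkt.dst != WAN_VIP or pkt.dport != RDP_PORT:
            return None  # no port forward matches; the packet is dropped
        out = replace(pkt, dst=RDP_HOST)
        if self.snat_to_lan:
            # Outbound NAT on LAN with the target as destination: the host now
            # sees the firewall's own LAN IP as the source of the connection.
            out = replace(out, src=FW2_LAN, sport=40000)
        self.state[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt: Packet):
        orig = self.state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None  # no matching state: the firewall never saw this flow
        return Packet(src=WAN_VIP, sport=RDP_PORT, dst=orig.src, dport=orig.sport)


def lan_host_next_hop(reply: Packet) -> str:
    """LAN host routing: on-link for the LAN prefix, everything else goes to
    the default gateway, which is the primary firewall."""
    if ipaddress.ip_address(reply.dst) in LAN:
        return reply.dst
    return FW1_LAN


def simulate(snat_to_lan: bool) -> dict:
    """Run one inbound RDP connection and report where the host's reply goes."""
    fw2 = SecondFirewall(snat_to_lan)
    client_syn = Packet(CLIENT, 51000, WAN_VIP, RDP_PORT)
    to_host = fw2.inbound(client_syn)
    # The host answers by swapping the addresses and ports it received.
    host_reply = Packet(to_host.dst, to_host.dport, to_host.src, to_host.sport)
    next_hop = lan_host_next_hop(host_reply)
    if next_hop != FW2_LAN:
        # Reply leaves via the primary firewall, which holds no state for the
        # flow; the second firewall never sees it and the session stalls.
        return {"next_hop": next_hop, "reply_to_client": None}
    return {"next_hop": next_hop, "reply_to_client": fw2.reply(host_reply)}


if __name__ == "__main__":
    for snat in (False, True):
        print(f"outbound NAT to LAN target: {snat} -> {simulate(snat)}")
```

The trade-off a practitioner should note: with the outbound NAT rule in place the RDP host logs every forwarded session as coming from 172.16.8.2, so the real client address is only recorded on the second firewall. Keep its firewall and state logs if you need to attribute remote sessions to their source.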
-
Thank you for your response, Efonne.
To clarify:
-On the Outbound NAT tab (Firewall:NAT:Outbound:Edit):
Interface=LAN
Protocol=any
Source type=Any
Source port=Any
Destination type=Network
Destination Address=172.16.8.171/32
Destination Port=Any
Translation Address=Interface Address
Port=Any
Static-port=Not checked
No XMLRPC Sync=Not checked (Is it supposed to be like this? The above conf didn't work.) deleted
Edited: After changing the rule to manual config mode and saving, it worked.
Thank you very much.
SbKom