Netgate Discussion Forum

    Redirecting local traffic

General pfSense Questions
7 Posts 4 Posters 1.4k Views
michialt

      I am returning to pfSense, and have installed 2.2.6 Release.  I was able to do this on a much older version but I cannot figure it out in the new UI.

I have my local network assigned static IP addresses 192.168.100.* and what I need to do is to be able to set up a "fantom" local IP address that is actually redirected through the firewall to a public IP address when my local computers access it.

So, as an example, if 192.168.100.10 tries to FTP to 192.168.100.100 I need the firewall to actually connect to 8.8.8.8 and have this transparent to the local user…

I need to do this on a handful of ports for a short period...

divsys

I may be wrong, but my initial reaction is: local traffic by definition won't pass through pfSense, so you can't do that.

The first slight variation I can think of would be to split your LAN into two pieces, 192.168.100.0/25 and 192.168.100.128/25.
That way you can create a second interface to handle the "upper" 192.168.100.128/25 portion and "hide" your special servers at addresses from .128 to .255.
        You could even change LAN to 192.168.100.0/26 and create three other 192.168.100.x/26 subnets (.64,.128,.192) if you have some addresses you can't move.

        You'll have to set the rules to allow traffic as you want and you'll be routing ALL traffic between the "lower" and "upper" subnets through pfSense which could be a bottleneck for your network.  But if it's only temporary, it might be worth a try.

        -jfp

michialt

          The second option of splitting my network won't work, we have too many IP Addresses assigned to make that possible…

In the older versions, you could basically handle it like NAT, and I was able to make it work.  I don't recall off the top of my head every step, but I know I was able to make it work in the past.

divsys

There may be a way, but the basic issue is: how can pfSense watch/route/etc. the traffic when it doesn't need to be involved in the send/recv through your network switch?

            If the server's at .100 and my PC's at .10 the switch doesn't need to (and won't) send anything to .1 (pfSense) to handle my PC's request.

            The only other way that can work is if you make your requests to the server via a FQDN that is "dummy" routed through DNS.
            You make up a server name like "fred.locspace" in DNS and point it to a server @192.168.100.100.
            Then you have at least a possibility of adding routing rules to a request to ftp://fred.locspace.

            -jfp

rubic

@divsys:

> If the server's at .100 and my PC's at .10 the switch doesn't need to (and won't) send anything to .1 (pfSense) to handle my PC's request.

You can direct the traffic to .1 using a Proxy ARP VIP for .100 on the LAN of pfSense.

Derelict (Netgate)

                That should work. Then do a port forward on LAN on destination .100 to the NAT address and port.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)

divsys

I can see it working if the VIP and the desired server on the subnet are different addresses (VIP .110 -> "real" .100).
But I can't see how you can make it work if they're supposed to be the same (VIP .100 -> "real" .100) for certain ports, which I think was the original question.
After rereading the OP, I see this is indeed what he was probably after: the "Fantom" IP is a Virtual IP under "Firewall > Virtual IPs".

                  -jfp

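An added illustration, not from this thread or from pfSense's own generated ruleset, of what the Proxy ARP VIP plus LAN port forward that rubic and Derelict describe amounts to in pf.conf terms. Interface names em0/em1, the 192.168.100.0/24 LAN, the .100 "fantom" address and 8.8.8.8 are assumptions taken from or constructed for the OP's example; the real pfSense ruleset differs in detail.

```pf
# Constructed pf.conf fragment (pfSense 2.2.x runs FreeBSD pf, old rdr/nat syntax).
# Assumed layout: WAN = em0, LAN = em1, LAN subnet 192.168.100.0/24,
# "fantom" address 192.168.100.100, real destination 8.8.8.8, FTP control port 21.
#
# The Proxy ARP VIP itself is not a pf rule: pfSense starts choparp(8), which answers
# ARP requests for 192.168.100.100 on em1 with the firewall's MAC, so the switch
# delivers frames for .100 to pfSense even though .100 is not pfSense's own address.
# This only works because nothing else on the LAN really uses .100 (the OP's address
# is a placeholder); a real host at .100 would fight the firewall for that ARP entry.

wan_if   = "em0"
lan_if   = "em1"
lan_net  = "192.168.100.0/24"
fantom   = "192.168.100.100"
real_srv = "8.8.8.8"

# Port forward on LAN (Firewall > NAT > Port Forward, interface LAN):
# destination .100 port 21 is rewritten to the real server before routing.
rdr on $lan_if proto tcp from $lan_net to $fantom port 21 -> $real_srv port 21

# Ordinary outbound NAT on WAN so the reply comes back to the firewall, which
# then undoes the rdr so the client still sees the session as .100.
# pfSense's automatic outbound NAT already covers $lan_net; shown for completeness.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Filter rule matching the post-rdr destination. pfSense adds this itself when
# the port forward's "Filter rule association" is left at its default.
pass in quick on $lan_if proto tcp from $lan_net to $real_srv port 21 keep state
```

Two practical notes. First, the rdr only catches the ports you forward, so each port the OP needs gets its own entry; FTP in particular opens a second data connection on a port the server announces, and that connection is not redirected unless its port range is forwarded too, so a single-port protocol is the easier test case. Second, a LAN host can check that the redirect is in play by confirming its ARP entry for .100 resolves to the firewall's LAN MAC and then watching the state table (Diagnostics > States) for an entry whose original destination is .100 and whose translated destination is 8.8.8.8.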
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.