Netgate Discussion Forum
    Nat public dns server and email server

Category: NAT | 12 Posts, 4 Posters, 2.2k Views
KOM wrote:

      If you create your 1:1 NAT (Firewall - NAT - 1:1), the required firewall rule should already be created for you.


hamed_forum wrote:

I use NAT 1:1.
My question is: for more security, do I need to determine which port to use in the firewall rule?


KOM wrote:

Yes, for the sake of security it is better to only allow access to the specific ports you require to enable the service. For mail and web servers, these ports are standard and well-known. For my forwarded web server, I only allow TCP ports 80 and 443.


hamed_forum wrote:

I have 100 public IP addresses and write 100 NAT 1:1 entries (100 different servers).
For all of the 100 IPs I must write 2 lines in the firewall rules:
1- allow only the port needed (for example DNS only allows 53 to the local IP of the DNS server)
2- block any-any for the local IP of the DNS server
Is this correct?
First write 1 and then 2 on WAN for the local server IP?


KOM wrote:

              For any forwarded server, you need a NAT definition that defines the link between your WAN IP and the LAN server, and you also need a firewall rule to allow the traffic to flow.

> 1- allow only the port needed (for example DNS only allows 53 to the local IP of the DNS server)

Correct. DNS uses TCP/UDP 53 and that's all you need to forward for a working DNS.

> 2- block any-any for the local IP of the DNS server

              I don't understand what you mean here.


johnpoz (LAYER 8, Global Moderator) wrote:

You have 100 public IPs and they are not just routed to you, you have to NAT them? Why do you not just put these servers behind pfSense on their public IPs? I find it hard to believe you have 100 public IPs that are not on a routed segment.

                Then you just need to firewall whatever you want to firewall vs setting up any sort of nat at all.

I could see this as 2 rules total, to be honest. If what you want to allow is DNS, which is TCP/UDP 53, and email, which is SMTP 25, I would think what you're talking about could be done in 2 rules:

On your WAN, a rule with a destination alias including the IPs you want to allow DNS (TCP/UDP 53) to.
And then a rule for TCP 25 doing the same thing, with an alias of the IPs you want to allow this to.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11


hamed_forum wrote:
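The two-rule design johnpoz describes above, together with the "NAT definition plus a firewall rule" point from KOM's earlier reply, modelled as an added example. This is not code from the thread, from pfSense or from Netgate; it is a small Python model of how pfSense evaluates WAN rules: first match wins (interface rules are "quick"), anything unmatched falls to the implicit default deny, and for inbound traffic 1:1 NAT is applied before filtering, so a WAN rule has to name the internal (post-NAT) address. The alias names, the 203.0.113.0/24 documentation prefix standing in for the poster's routed /24, the 10.0.0.0/24 internal addresses, and the interface name em0 are assumptions made for the example.

```python
"""Model of pfSense-style WAN rule evaluation (added example, not from the thread).

Two alias-based rules, one for DNS (TCP/UDP 53) and one for SMTP (TCP 25),
cover every server listed in the aliases; everything else hits default deny.
Addresses, alias names and the 1:1 NAT mapping are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed aliases standing in for the poster's routed /24 (203.0.113.0/24 is
# a documentation prefix, not a real network).
ALIASES: dict[str, list[str]] = {
    "DNS_SERVERS": ["203.0.113.10", "203.0.113.11"],
    "MAIL_SERVERS": ["203.0.113.25"],
}


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    protos: frozenset[str]               # subset of {"tcp", "udp"}
    dst_alias: Optional[str]             # alias name, or None for any destination
    dst_ports: Optional[frozenset[int]]  # None for any port
    descr: str


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


# The two rules from the thread: no per-IP rules needed.
WAN_RULES = [
    Rule("pass", frozenset({"tcp", "udp"}), "DNS_SERVERS", frozenset({53}), "DNS to DNS servers"),
    Rule("pass", frozenset({"tcp"}), "MAIL_SERVERS", frozenset({25}), "SMTP to mail servers"),
]


def in_alias(addr: str, alias: str) -> bool:
    """True if addr falls inside any host or network entry of the alias."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in ALIASES[alias])


def matches(rule: Rule, pkt: Packet) -> bool:
    if pkt.proto not in rule.protos:
        return False
    if rule.dst_alias is not None and not in_alias(pkt.dst, rule.dst_alias):
        return False
    if rule.dst_ports is not None and pkt.dport not in rule.dst_ports:
        return False
    return True


def evaluate(pkt: Packet, rules: list[Rule] = WAN_RULES) -> tuple[str, str]:
    """First match wins (pfSense interface rules are 'quick'); no match means block."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny"


def apply_1to1_nat(pkt: Packet, nat: dict[str, str]) -> Packet:
    """Inbound 1:1 NAT rewrites the public destination to the internal host
    before filtering, so the WAN rule must match the internal address."""
    return Packet(pkt.proto, pkt.src, nat.get(pkt.dst, pkt.dst), pkt.dport)


def one_to_one_demo() -> tuple[str, str]:
    """Verdicts for a DNS query through an assumed 1:1 NAT 203.0.113.10 -> 10.0.0.10:
    first with the public-IP alias rules, then with a rule naming the internal IP."""
    nat = {"203.0.113.10": "10.0.0.10"}
    ALIASES["DNS_INTERNAL"] = ["10.0.0.10"]
    pkt = apply_1to1_nat(Packet("udp", "198.51.100.7", "203.0.113.10", 53), nat)
    internal_rules = [
        Rule("pass", frozenset({"tcp", "udp"}), "DNS_INTERNAL", frozenset({53}), "DNS (post-NAT)")
    ]
    return evaluate(pkt)[0], evaluate(pkt, internal_rules)[0]


def to_pf(rule: Rule, iface: str = "em0") -> str:
    """Render a rule roughly in pf.conf syntax; aliases become <tables>."""
    protos = " ".join(sorted(rule.protos))
    dst = f"<{rule.dst_alias}>" if rule.dst_alias else "any"
    ports = ""
    if rule.dst_ports:
        ports = " port { " + " ".join(str(p) for p in sorted(rule.dst_ports)) + " }"
    return f"{rule.action} in quick on {iface} inet proto {{ {protos} }} from any to {dst}{ports}  # {rule.descr}"


if __name__ == "__main__":
    for r in WAN_RULES:
        print(to_pf(r))
    print(evaluate(Packet("udp", "198.51.100.7", "203.0.113.10", 53)))
    print(evaluate(Packet("tcp", "198.51.100.7", "203.0.113.10", 22)))
    print(one_to_one_demo())
```

The model shows why the poster's second "block any-any" rule per server is unnecessary: a packet to a DNS server on port 22 matches neither pass rule and is blocked by the default deny, and a packet to the mail server on UDP 25 or TCP 53 is blocked too, because each alias only admits the protocol and port of its own service. The `one_to_one_demo` result makes the 1:1 NAT caveat concrete: with aliases holding the public addresses, the post-NAT destination 10.0.0.10 matches nothing and is dropped, while a rule whose alias holds the internal address passes it.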

Yes, I have 100 public IPs and all of them are routed to me.

2- block any-any for the local IP of the DNS server: in the attachment I show it.

What do you think?

[Attachments: dns2.jpg, dnsrule.png]


johnpoz wrote:

If they ROUTE to you, what the F are you doing NAT for??

Put the /? whatever you have behind pfSense and just create firewall rules for what traffic you want to allow or deny. That you would create VIPs and then NAT is beyond crazy for that many IPs.

So you have a different network on your WAN than the one these IPs reside in? What CIDR do you have? You say 100 IPs, so you have a /25 that is routed to you via a transit? Or your ISP gave you 100 IPs attached to their network??


hamed_forum wrote:

We have a /24 public range. I said 100 as an example.


johnpoz wrote:

Either way, if that is a /24 routed to you, why are you NATting it? Just put it behind… The only reason to do what you're doing is if it's not actually routed to you via a transit, but they're just handing off their connection. Which is a pretty shitty way to do it.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.