Netgate Discussion Forum
    1 to 1 NAT for LAN subnet to WAN
robina80

      viragomann -

Hmm... I don't understand, sorry...

I have only this one WAN IP address assigned to me by my ISP, 193.203.70.54, out of their /22 range/subnet.

So do I need more than one WAN IP address for this to work? I could ask for another IP from my ISP.

      AndresCT46 -

Sounds great, I will give it a go and see what happens.

So even if I have one WAN IP address provided by my ISP, I can still create a virtual IP using the same WAN IP address?

Also, for "destination", wouldn't this be their WAN IP address, so only they can access my LAN? Otherwise everyone can access it externally?

Thanks a lot guys, I really do appreciate it!!!

AndresCT46 @robina80

        @robina80

It is necessary that you have a public IP available.

You can't use your current WAN IP to generate a virtual IP; your ISP must provide you with an additional public IP.

When you perform the exercise, please verify that in your WAN rules you create the rule that allows the traffic to the destination you need; otherwise you must create that rule. I forgot to say this previously.

AndresCT46 @robina80

          @robina80

If you can't acquire an additional public IP, my advice is that you set up an IPsec tunnel from your pfSense to your client's UTM.

robina80

OK, so I can't use the current WAN IP of my router, 193.203.70.54.

So I need to get an additional WAN IP from my ISP and I can use that to create a virtual IP?

robina80

When you say generate an IPsec, do you mean create an IPsec VPN?

AndresCT46 @robina80

                @robina80

Yes, Internet Protocol Security (IPsec VPN).

robina80

But they would need to create an IPsec on their end as well so the two can talk to each other, i.e. a site-to-site IPsec VPN.

Is there no other way to achieve this?

viragomann

A GRE tunnel was already mentioned by johnpoz.
No, there is no other way than some kind of tunnel to achieve that.

AndresCT46 @robina80

                      @robina80

That is correct, your client must also set up an IPsec connection to your UTM to have a secure connection from LAN to LAN.

If you intend to create a NAT through your WAN with your entire LAN network as the destination, pfSense will not understand the meaning of this NAT and will simply not do anything about it, because pfSense will not have a specific destination to redirect your request to.

This is the meaning of doing a NAT; this is how pfSense enables connections from the WAN to a specific internal service on your LAN.

I insist, the best option is to set up IPsec on your pfSense and on your client's UTM.

Derelict (Netgate)

                        You can do 1:1 NAT but since you only have one address you can only do one of them. And that will remove the ability to bind anything else on the WAN address.

If they only want to connect to one service, you can port forward:

Wan_Address:3389 -> 10.30.0.1:3389
Wan_Address:3390 -> 10.30.0.2:3389
Wan_Address:3391 -> 10.30.0.3:3389
Wan_Address:3392 -> 10.30.0.4:3389
etc.

As has been said above, a VPN is how this is done. That is what you should insist on. Anything else is pretty much wrong.

robina80
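To make the two options above concrete, here is an added pf.conf fragment (not from the original post, not Netgate's own configuration) showing what they look like underneath pfSense's GUI: the single 1:1 NAT (binat) that consumes the WAN address, and the per-port forwards listed above with a WAN pass rule limited to the client's public address. The interface name em0 and the client address 203.0.113.10 are assumed placeholders; the 10.30.0.x hosts and ports come from the post.

```pf
# Added illustration in pf syntax (what pfSense generates from its GUI).
# em0 and 203.0.113.10 (the client's public address) are assumed placeholders.
ext_if = "em0"
client = "203.0.113.10"

# Option A: 1:1 NAT. With one public address only one such mapping is possible,
# and it binds the whole WAN address to a single internal host, so nothing else
# can be published on that address afterwards. Shown commented out.
# binat on $ext_if from 10.30.0.1 to any -> ($ext_if)

# Option B: port forwards. One external port per internal RDP host, all behind
# the single WAN address. Each forward still needs a matching pass rule.
rdr on $ext_if proto tcp from $client to ($ext_if) port 3389 -> 10.30.0.1 port 3389
rdr on $ext_if proto tcp from $client to ($ext_if) port 3390 -> 10.30.0.2 port 3389
rdr on $ext_if proto tcp from $client to ($ext_if) port 3391 -> 10.30.0.3 port 3389
rdr on $ext_if proto tcp from $client to ($ext_if) port 3392 -> 10.30.0.4 port 3389

# pf evaluates filter rules after translation, so the pass rule matches the
# translated (internal) destination. Restricting the source to the client's
# address keeps the forwarded RDP ports unreachable from anyone else.
pass in on $ext_if proto tcp from $client \
    to { 10.30.0.1, 10.30.0.2, 10.30.0.3, 10.30.0.4 } port 3389
```

The source restriction is the exception Derelict's usual advice allows for: here the only legitimate peer is a single known address, so pinning it is deliberate rather than a guess.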

A GRE tunnel sounds interesting, how do you do that?

Is that with 1 to 1 NAT or via IPsec?

johnpoz (Global Moderator)

Once you have a tunnel there is no need for 1:1 NAT or any NAT. The tunnel is used to route the traffic to get to your network. That is the whole POINT of a VPN.

If you were going to create a tunnel, there is zero reason not to encrypt it, because it's going over the public internet.
