    AWS 1:1 NAT

    4 Posts 2 Posters 661 Views
    joshuamichaelsanders

      I'm having a tough time getting a pfSense firewall configured correctly on AWS. I have a public subnet and a private subnet configured on AWS and have attached the interfaces (eth0 172.16.2.10 & eth1 172.16.3.10) as outlined in https://www.netgate.com/docs/aws-vpn-appliance/vpc-guide.html. I then threw up a generic Windows server (IP address 172.16.3.50) on the private subnet running IIS so that I could test basic connectivity out (ping and RDP) and in (HTTP).

      I can't figure out how to host a webserver out to the Internet in this situation. Do I allocate a new elastic IP? What do I associate it with? I haven't been able to find anyone who has done this that has documented it anywhere on the Internet. I'm pretty sure this is possible but for the life of me I can't figure out how to configure it.

      joshuamichaelsanders

        Well, I thought the answer would be to assign a secondary IP address (172.16.3.11) to my eth0 interface in AWS and then associate an elastic IP to that secondary IP. I've created 1:1 NAT rules linking both the 172.16.3.11 and my new elastic IP to the internal IP address of my host, 172.16.3.50. I've placed any/any/any rules on both WAN and LAN and still I'm not able to ping either out from or into the host in question.
        Would love some assistance here. We are wanting to roll out these firewalls to our AWS public facing hosts but if I can't get this POC working I'm going to have to go back to square 1.

        Derelict (Netgate)

          Like I was saying before, the VPC does 1:1 NAT between the elastic address and the interface address. The instance never holds the elastic IP - the VPC igw does.

          You would need to:

          • 1:1 NAT (or port forward 80/443) between the secondary address and the real address of the server.

          • Make sure the inside subnet has a routing table matching traffic to any address, forwarding it to the inside pfSense interface.

          • Source/dest check on the pfSense instance (or its interfaces) should be disabled.

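The AWS side of the three steps Derelict lists, written out as Terraform. This is an added example, not configuration from the thread or from Netgate's guide. It assumes the poster's addressing (pfSense eth0 172.16.2.10 in a 172.16.2.0/24 public subnet, eth1 172.16.3.10 in a 172.16.3.0/24 private subnet, web server 172.16.3.50); the VPC, subnet, AMI and security-group IDs are left as variables. It uses 172.16.2.11 as the secondary address because AWS only allows secondary private IPs drawn from the ENI's own subnet, so the secondary address must sit in eth0's subnet. The instance type is an assumption.

```hcl
# Added example: AWS side of hosting a server behind pfSense with an Elastic IP.
# All IDs below are assumed inputs; the 172.16.x addresses follow the thread.

variable "vpc_id"            { type = string } # assumed: VPC containing both subnets
variable "public_subnet_id"  { type = string } # assumed: 172.16.2.0/24, eth0 side
variable "private_subnet_id" { type = string } # assumed: 172.16.3.0/24, eth1 side
variable "pfsense_ami"       { type = string } # assumed: pfSense AMI ID
variable "pfsense_sg_id"     { type = string } # assumed: SG that permits 80/443 inbound

# Outside ENI: interface address plus one secondary private IP. The secondary
# address must come from this ENI's subnet (172.16.2.0/24), not the inside one.
resource "aws_network_interface" "outside" {
  subnet_id         = var.public_subnet_id
  private_ips       = ["172.16.2.10", "172.16.2.11"]
  security_groups   = [var.pfsense_sg_id]
  source_dest_check = false # step 3: pfSense forwards packets not addressed to itself
}

# Inside ENI: the next hop for the private subnet.
resource "aws_network_interface" "inside" {
  subnet_id         = var.private_subnet_id
  private_ips       = ["172.16.3.10"]
  security_groups   = [var.pfsense_sg_id]
  source_dest_check = false # step 3 again, for the inside leg
}

resource "aws_instance" "pfsense" {
  ami           = var.pfsense_ami
  instance_type = "t3.small" # assumed

  network_interface {
    network_interface_id = aws_network_interface.outside.id
    device_index         = 0
  }
  network_interface {
    network_interface_id = aws_network_interface.inside.id
    device_index         = 1
  }
}

# The Elastic IP is never configured on the instance. The VPC internet gateway
# holds it and 1:1 NATs it to the secondary private IP on eth0.
resource "aws_eip" "web" {
  domain = "vpc"
}

resource "aws_eip_association" "web" {
  allocation_id        = aws_eip.web.id
  network_interface_id = aws_network_interface.outside.id
  private_ip_address   = "172.16.2.11"
}

# Step 2: the private subnet's route table sends everything to the inside
# pfSense ENI, so the server's replies (and its own egress) pass the firewall.
resource "aws_route_table" "private" {
  vpc_id = var.vpc_id
}

resource "aws_route" "private_default" {
  route_table_id         = aws_route_table.private.id
  destination_cidr_block = "0.0.0.0/0"
  network_interface_id   = aws_network_interface.inside.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = var.private_subnet_id
  route_table_id = aws_route_table.private.id
}
```

Step 1 is done inside pfSense rather than in AWS: add 172.16.2.11 as an IP Alias under Firewall > Virtual IPs on WAN (pfSense will not answer for a secondary address it does not know about), then create the 1:1 NAT entry under Firewall > NAT > 1:1 with interface WAN, external subnet IP 172.16.2.11 (the secondary private address, never the Elastic IP, which pfSense never sees) and internal IP 172.16.3.50. Because 1:1 NAT translates before filtering, the WAN rule that permits TCP 80/443 must use the internal address 172.16.3.50 as its destination, not 172.16.2.11, and per Derelict's standing advice it should carry no source address or port restriction unless one is actually required.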

            joshuamichaelsanders @Derelict

            @derelict appreciate the response. A second reading of your comment straightened me out. Your kind hand-holding has earned Netgate a customer!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.