Netgate Discussion Forum
    Single LAN host, multiple IPs and NAT

    Routing and Multi WAN
    clarknova

      pfSense 2.4.5 is going to replace OpenBSD as our firewall.

      The firewall has multiple WAN interfaces, including:

      • PUB03 - 192.0.2.18
      • PUB06 - 198.51.100.114

      LAN host has two IIS sites, each bound to its own IP address on a single NIC:

      • 10.7.47.100
      • 10.7.47.101

      Port forwards are configured in pfSense:

      • 192.0.2.18:[80,443] > 10.7.47.100
      • 198.51.100.114:[80,443] > 10.7.47.101

      In OpenBSD we configure the PUB03 interface as the default outbound NAT interface. The PUB06 interface is part of rdomain 17, and the port forward rule looks like this:

      # Inbound on rdomain 17: redirect web traffic for the PUB06 address to the second IIS site,
      # hand the connection to the main routing table and tag it for the matching pass-out rule.
      pass in  quick on rdomain 17 proto tcp to 198.51.100.114 port { 80 443 } rdr-to 10.7.47.101 rtable 0 tag web02
      # Let the tagged state out on pub06 (the tag name must match the one set above; the original post had a typo here).
      pass out quick on pub06 tagged web02


      In pfSense, how do I ensure that replies from IIS to the internet client are NATted back out the interface they came in on? Is it just a matter of setting the gateway to PUB06 in my outbound NAT rule for 10.7.47.101? Do I need to adjust any of the advanced options in the PUB06 filter rule?

      db

      viragomann @clarknova

        @clarknova said in Single LAN host, multiple IPs and NAT:

        In pfSense, how do I ensure that replies from IIS to the internet client are NATted back out the interface they came in on?

        Provided there is a gateway defined on the interface where the traffic is coming in, that's the default behavior in pfSense. It is controlled by the reply-to flag, which is enabled by default in firewall rules. So there's no need to care about it.

        If outgoing connections from the server to the internet should be directed out of a specific WAN interface apart from the default gateway, you will have to set up a policy routing rule.

        clarknova
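To make the answer concrete, here is a hand-written FreeBSD-pf ruleset (an added example, not from the thread and not pfSense's generated output) that shows what reply-to and the policy-routing rule do for the two WANs in the question; pfSense writes its real ruleset to /tmp/rules.debug, where the same keywords can be checked. Interface names (em0/em1/em2) and the gateway addresses 192.0.2.17 and 198.51.100.113 are assumptions.

```pf
# Assumed interface names and upstream gateways (not given in the thread)
lan_if   = "em0"
pub03_if = "em1"
pub03_gw = "192.0.2.17"
pub06_if = "em2"
pub06_gw = "198.51.100.113"

# Port forwards from the question (translation rules come before filter rules in this pf version)
rdr on $pub03_if inet proto tcp from any to 192.0.2.18      port { 80 443 } -> 10.7.47.100
rdr on $pub06_if inet proto tcp from any to 198.51.100.114  port { 80 443 } -> 10.7.47.101

# PUB03 is the default outbound NAT; the second IIS address is NATted to PUB06
nat on $pub03_if inet from 10.7.47.0/24 to any -> 192.0.2.18
nat on $pub06_if inet from 10.7.47.101  to any -> 198.51.100.114

# reply-to records the ingress interface and gateway in the state, so IIS's replies
# leave on the WAN the client came in on, whatever the default route says.
# This is what pfSense adds for you when the rule's interface has a gateway.
pass in quick on $pub03_if reply-to ($pub03_if $pub03_gw) inet proto tcp \
    from any to 10.7.47.100 port { 80 443 } flags S/SA keep state
pass in quick on $pub06_if reply-to ($pub06_if $pub06_gw) inet proto tcp \
    from any to 10.7.47.101 port { 80 443 } flags S/SA keep state

# Policy routing, the extra step from the answer: connections that 10.7.47.101 itself
# opens to the internet are forced out PUB06 instead of following the default gateway.
pass in quick on $lan_if route-to ($pub06_if $pub06_gw) inet proto tcp \
    from 10.7.47.101 to ! 10.0.0.0/8 flags S/SA keep state
```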

          Brilliant, I was hoping it would be that simple. Thank you.

          db
