Single LAN host, multiple IPs and NAT

clarknova

pfSense 2.4.5 is going to replace OpenBSD as firewall.

firewall has multiple WAN interfaces, including:

PUB03 - 192.0.2.18
PUB06 - 198.51.100.114

LAN host has two IIS sites, each bound to its own IP address on a single NIC:

10.7.47.100
10.7.47.101

Port forwards are configured in pfSense:

192.0.2.18:[80,443] > 10.7.47.100
198.51.100.114:[80,443] > 10.7.47.101

In OpenBSD we configure the PUB03 interface as default outbound NAT. PUB06 interface is part of rdomain 17, and the port forward rule looks like this:

pass in  quick on rdomain 17 proto tcp to 198.51.100.114 port { 80 443 } rdr-to 10.7.47.101 rtable 0 tag web02
pass out quick on pub06 tagged wcweb02

In pfSense, how do I ensure that replies from IIS to the internet client are NATted back out the interface they came in on? Is it just a matter of setting the gateway to PUB06 in my outbound NAT rule for 10.7.47.101? Do I need to adjust any of the advanced options in the PUB06 filter rule?

viragomann

@clarknova said in Single LAN host, multiple IPs and NAT:

In pfSense, how do I ensure that replies from IIS to the internet client are NATted back out the interface they came in on?

Presupposed there is a gateway defined on the interface where the traffic is coming in, that's the default behavior in pfSense. It is controlled by the reply-to flag which is by default enabled in firewall rules. So there's no need to care about it.

If outgoing connections from the server to the internet should be directed out to a specific WAN interface apart the default gateway, you will have to set up a policy routing rule.

clarknova

Brilliant, I was hoping it would be that simple. Thank you.