Netgate Discussion Forum
    NAT back through WAN

robgarrett

I'm fairly well versed in how to use PFSense, but I'm no network guru. Here's my scenario…

I'm using PFSense as a firewall between my home network and a virtual network that I have running on a VMWare server in my home.
PFSense has two virtual NICs, one that binds to the physical network card on my VMWare host server, and the other a virtual LAN interface.
I have configured NAT rules that allow port forwarding from my home network to my virtual servers - all is good.
I have configured my home network router's DMZ host to the PFSense server on my virtual LAN.
I have additional rules that port forward incoming traffic to the PFSense server (destination) and NAT to local virtual servers, so I can access my virtual servers from across the Internet.

I am now trying to expose a physical device that lives on my home network, via PFSense. Effectively, I want incoming Internet traffic to continue going to the DMZ PFSense server, and have PFSense NAT the incoming traffic on a designated port to the physical hardware on my home network, instead of the virtual LAN. Effectively, I am trying to NAT incoming WAN traffic back out to the same WAN interface to reach traffic on my home network.

Summary of IPs:

Home LAN: 192.168.1.0/24
Home Router: 192.168.1.1/24
Home DHCP: 192.168.1.1/24
Home Router DMZ Host: 192.168.1.202

VMWare Host: 192.168.1.201
VMWare Internal LAN: 192.168.2.0/24

PFSense External NIC Address: 192.168.1.202
PFSense Internal NIC Address: 192.168.2.1

Physical Device on my home LAN: 192.168.1.100

So, in short, I am trying to NAT incoming WAN traffic (via DMZ) to 192.168.1.100, which is on the same subnet as the WAN NIC.

BTW, my router does not allow multiple DMZ hosts and the port forwarding on my router is not as flexible as PFSense, which is why I'm not port forwarding on my edge router.

Can anyone point me in the right direction?

Thanks,

Rob.

P.S. Those IP addresses are not the real ones I use (for security).

captdragon

I'm not an expert, but I think this should work. However, I don't think you'll be able to route all traffic to 192.168.1.100, because then you won't be able to route other traffic to your VMs.

I believe you'll simply need to be specific in your NAT rule to specify which ports you want NATed (i.e. 192.168.1.100:443). And make sure you add the firewall rule as well.

Derelict (LAYER 8, Netgate)

I don't think this will work.

You need to do this port forward in your ISP router.

A specific port forward should take precedence over the "DMZ" host setting. This is generally how it works.

So put a port forward in your ISP router for WAN:443 to 192.168.1.100:443 and everything else should go to the "DMZ."

If your ISP router is no good, put it in bridge mode and let pfSense get the public IP address.

Chattanooga, Tennessee, USA
A comprehensive network diagram is worth 10,000 words and 15 conference calls.
DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
Do Not Chat For Help! NO_WAN_EGRESS(TM)

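The thread never spells out why a port forward from the pfSense WAN back to a host on the same WAN subnet is fragile, so here is an added example (my own code, not from the thread or from pfSense) that models the two NAT hops from the original post with tiny state tables and follows one inbound connection plus its reply. The addresses are the ones Rob listed; the Internet client 203.0.113.5 and the ISP router's public address 198.51.100.10 are constructed documentation addresses. The second run adds an assumed outbound NAT (source NAT to pfSense's WAN address) on the hairpin forward, which is not something the thread recommends, to show what it takes to make the reply path symmetric.

```python
"""Model of the hairpin port forward from the thread: ISP router with a DMZ
host, pfSense with a WAN port forward, and a physical device on the home LAN.
Added example, not pfSense code; addresses on the Internet side are constructed."""
import ipaddress
from dataclasses import dataclass, replace

HOME_LAN = ipaddress.ip_network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatHop:
    """A stateful NAT hop: optional DNAT by destination port, optional SNAT of
    the forwarded packet, and a state table used to untranslate the reply."""

    def __init__(self, name, addr):
        self.name = name
        self.addr = addr
        self.states = {}      # reply 4-tuple -> packet as it arrived (pre-translation)
        self.dnat = {}        # dport -> (new_dst, new_dport)
        self.snat_to = None   # rewrite source of forwarded packets to this address

    def forward(self, pkt):
        out = pkt
        if pkt.dport in self.dnat:
            new_dst, new_dport = self.dnat[pkt.dport]
            out = replace(out, dst=new_dst, dport=new_dport)
        if self.snat_to:
            out = replace(out, src=self.snat_to)
        # Key the state by the 4-tuple a reply to `out` will carry.
        self.states[(out.dst, out.dport, out.src, out.sport)] = pkt
        return out

    def reply(self, pkt):
        """Untranslate a reply, or return None when no state matches it."""
        orig = self.states.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if orig is None:
            return None
        return Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)


def trace_hairpin(pfsense_snat):
    """Follow one inbound TCP/443 connection and the device's reply.
    Returns which hops saw the reply and whether it reached the client."""
    isp = NatHop("isp-router", "192.168.1.1")
    isp.dnat[443] = ("192.168.1.202", 443)          # DMZ host = pfSense WAN address
    pf = NatHop("pfsense", "192.168.1.202")
    pf.dnat[443] = ("192.168.1.100", 443)           # WAN port forward to the device
    if pfsense_snat:
        pf.snat_to = pf.addr                        # assumed outbound NAT on the hairpin

    inbound = Packet("203.0.113.5", 40000, "198.51.100.10", 443)
    at_pfsense = isp.forward(inbound)
    at_device = pf.forward(at_pfsense)

    # The device answers whatever source it saw. A destination on its own /24 is
    # delivered directly on the segment; anything else goes to its default
    # gateway, the ISP router, without ever passing through pfSense.
    reply = Packet(at_device.dst, at_device.dport, at_device.src, at_device.sport)
    first_hop = pf if ipaddress.ip_address(reply.dst) in HOME_LAN else isp
    path = [first_hop.name]
    untranslated = first_hop.reply(reply)
    if untranslated is not None and first_hop is pf:
        path.append(isp.name)
        untranslated = isp.reply(untranslated)
    delivered = (untranslated is not None
                 and untranslated.dst == inbound.src
                 and untranslated.src == inbound.dst)
    return {"path": path, "delivered": delivered}


if __name__ == "__main__":
    for snat in (False, True):
        print("outbound NAT on hairpin:", snat, "->", trace_hairpin(snat))
```

Without the source NAT the device replies straight to its default gateway; the ISP router holds no state for a flow from 192.168.1.100 and pfSense, which created the forward, never sees the return packet, which is the asymmetry behind "I don't think this will work". With the source NAT the device sees pfSense as the client and replies to it, so both state tables untranslate in order, at the cost of the device losing the real client address in its own logs. Doing the forward on the ISP router, as Derelict suggests, avoids the hairpin altogether.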
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.