New user with NAT and 1:1 problems



  • Hi all.
    I'm a new pfSense user, moved here from other products.
    I'm still learning how to do some of the things I was doing with the previous firewall product, but I didn't find a way to do a couple of rules I need badly.

    My setup is

    Lan: 10.0.0.0/16
    Wan: 192.168.160.0/24 (an MPLS one. I know. I didn't choose that…)
    OPT1 (another wan) 85.xxx.xxx.218

    On WAN, I have other sites using 192.168.170.0/24, 192.168.150.0/24 and 10.0.101.0/24 (again, it wasn't me who made this crap).

    Now, I have some rules mapping 1:1 WAN<>LAN, and those are working right, so machines on other sites are able to reach LAN ones here.
    Then, I also have a global DNS server that resolves myfirm.priv with MPLS IPs (192.168.x.x).

    What I still didn't manage to do, and was working with the previous firewall software, is that when a machine in my LAN tries to access, for example, nas.myfirm.priv, which is 192.168.160.4 in the DNS, it has to be redirected to the LAN IP of the 1:1 mapped WAN address. For example, I was mapping outgoing calls to 192.168.160.4, from LAN to WAN, doing a 1:1 NAT to 10.0.0.4 (NAS IP in LAN). How can I do the same with pfSense? No, split DNS is not an option this time.

    Another thing I'm still trying to do, and it's similar, is to redirect calls from LAN to an external IP (for example 8.8.8.8) to another external IP (for example 8.8.4.4; I know, it's only an example) transparently.

    There is one more thing I was doing and I'm not able to do right now, but I don't really know if it was "legit", and even if it was working, I'm not sure if it was causing some of the problems I had with the past firewall, and it's this:
    I was, with NAT and 1:1 NAT, re-routing traffic from my LAN to the 10.0.101.0/24 MPLS WAN, to let my LAN machines reach a couple of machines in the other LAN. And I was doing it this way:

    machine to reach: 10.0.101.1
    LAN client calls 10.1.101.1
    Firewall remaps the outgoing call 10.1.101.1 to 10.0.101.1, forcing it to use the WAN gateway.
    It was working. LAN machines could reach RDP and SMB on the other machine in another site by calling 10.1.101.1.
    I then had several problems with the firewall itself randomly stopping responding to clients on both sides of the network, but support and I didn't manage to pinpoint the problem, so I moved from that product to pfSense. I'm not a real pro in networking, and maybe what I was doing was wrong. Anyway, is there a way to accomplish that with pfSense?



  • @Kedryn:

    What I still didn't manage to do, and was working with the previous firewall software, is that when a machine in my LAN tries to access, for example, nas.myfirm.priv, which is 192.168.160.4 in the DNS, it has to be redirected to the LAN IP of the 1:1 mapped WAN address. For example, I was mapping outgoing calls to 192.168.160.4, from LAN to WAN, doing a 1:1 NAT to 10.0.0.4 (NAS IP in LAN). How can I do the same with pfSense? No, split DNS is not an option this time.

    You have to set the NAT reflection option in the NAT rule. However, I don't use it in 1:1 NAT, so I don't know if it works properly here.
    See also the NAT reflection settings in Advanced > Firewall & NAT.

    @Kedryn:

    Another thing I'm still trying to do, and it's similar, is to redirect calls from LAN to an external IP (for example 8.8.8.8) to another external IP (for example 8.8.4.4; I know, it's only an example) transparently.

    Just set up a NAT port forwarding rule. But if it should be really transparent, so that the response comes from 8.8.8.8, you also need an outbound NAT rule for the LAN interface in addition, to translate the source address in the response.

    @Kedryn:

    There is one more thing I was doing and I'm not able to do right now, but I don't really know if it was "legit", and even if it was working, I'm not sure if it was causing some of the problems I had with the past firewall, and it's this:
    I was, with NAT and 1:1 NAT, re-routing traffic from my LAN to the 10.0.101.0/24 MPLS WAN, to let my LAN machines reach a couple of machines in the other LAN. And I was doing it this way:

    machine to reach: 10.0.101.1
    LAN client calls 10.1.101.1
    Firewall remaps the outgoing call 10.1.101.1 to 10.0.101.1, forcing it to use the WAN gateway.
    It was working. LAN machines could reach RDP and SMB on the other machine in another site by calling 10.1.101.1.
    I then had several problems with the firewall itself randomly stopping responding to clients on both sides of the network, but support and I didn't manage to pinpoint the problem, so I moved from that product to pfSense. I'm not a real pro in networking, and maybe what I was doing was wrong. Anyway, is there a way to accomplish that with pfSense?

    So you want to route a part of the LAN subnet to a gateway on the WAN side.  ::) I can believe that this makes trouble, presumably also with pfSense.
    You can try a static route, but I'm in doubt…
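
    What the reply above describes for the first two questions, written out as the pf rules that pfSense generates underneath its NAT pages. This is an added illustration, not configuration from either poster; the interface name em1 and the "proto { tcp udp }" scope are assumptions, and the rules are shown in the classic rdr/nat syntax that pfSense 2.x emits.

    ```pf
    # Assumed macros for the thread's setup (constructed for this example)
    lan_if  = "em1"
    lan_net = "10.0.0.0/16"

    # Question 1: LAN client asks for nas.myfirm.priv, gets the MPLS address
    # 192.168.160.4 from DNS, and must land on the NAS at 10.0.0.4.
    # This is the reflection the reply mentions: rewrite the destination on
    # the way in from LAN.
    rdr on $lan_if proto { tcp udp } from $lan_net to 192.168.160.4 -> 10.0.0.4

    # Hairpin caveat: client and NAS sit on the same LAN. Without this rule the
    # NAS would answer the client directly with source 10.0.0.4, the client
    # would see a reply from an address it never contacted, and the TCP
    # session would fail. Source-translating to the firewall's own LAN address
    # (the parentheses mean "whatever address em1 currently holds") forces the
    # return path back through the firewall so the rdr state can undo the
    # destination rewrite. This is the "outbound NAT rule for the LAN
    # interface" the reply refers to.
    nat on $lan_if from $lan_net to 10.0.0.4 -> ($lan_if)

    # Question 2: transparently send traffic for 8.8.8.8 to 8.8.4.4 instead.
    # The target is beyond WAN, so the reply already comes back through the
    # firewall and the rdr state translates the source back to 8.8.8.8 on
    # its own; no extra nat rule on LAN is needed for this case.
    rdr on $lan_if proto { tcp udp } from $lan_net to 8.8.8.8 -> 8.8.4.4

    # Filter rules still have to admit the already-translated packets.
    pass in quick on $lan_if proto { tcp udp } from $lan_net to 10.0.0.4 keep state
    pass in quick on $lan_if proto { tcp udp } from $lan_net to 8.8.4.4  keep state
    ```

    In the pfSense GUI the first pair corresponds to a port forward (or 1:1 entry) with NAT reflection enabled plus an outbound NAT rule on LAN, and `pfctl -s nat` on the box shows the rules it actually generated, which is the quickest way to check that what was clicked matches this intent.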