NAT public DNS server and email server

  • Hi,
    I attached the scenario.
    I use NAT 1:1 (NAT public IP to local IP).
    Please write an example about correct NAT in pfSense (only port 53 NATed to the DNS server, and the other ports for the DNS server blocked). Where do I write it? (Firewall - Rules)

  • What?

  • If you create your 1:1 NAT (Firewall - NAT - 1:1), the required firewall rule should already be created for you.

  • I use NAT 1:1.
    My question is: for more security, do I need to determine which ports to use, in the firewall rules?

  • Yes, for the sake of security it is better to only allow access to the specific ports you require to enable service.  For mail and web servers, these ports are standard and well-known.  For my forwarded web server, I only allow TCP ports 80 and 443.

  • I have 100 public IP addresses and write 100 NAT 1:1 entries (100 different servers).
    For all of the 100 IPs I must write 2 lines in Firewall - Rules:
    1- allow only the port needed (for example DNS only allows 53 for the local IP of the DNS server)
    2- block any-any for the local IP of the DNS server
    Is this correct?
    First write 1 and then 2 on WAN for the local IP of the server?

  • For any forwarded server, you need a NAT definition that defines the link between your WAN IP and the LAN server, and you also need a firewall rule to allow the traffic to flow.

    1- allow only the port needed (for example DNS only allows 53 for the local IP of the DNS server)

    Correct.  DNS uses TCP/UDP 53 and that's all you need to forward for a working DNS.

    2- block any-any for the local IP of the DNS server

    I don't understand what you mean here.

  • LAYER 8 Global Moderator

    You have 100 public IPs and they are not just routed to you, you have to NAT them?  Why do you not just put these servers behind pfSense on their public IPs.. I find it hard to believe you have 100 public IPs that are not on a routed segment?

    Then you just need to firewall whatever you want to firewall vs setting up any sort of NAT at all.

    I could see this as 2 rules total to be honest.. If what you want to allow is DNS, which is TCP/UDP 53, and email, which is SMTP 25, I would think what you're talking about could be done in 2 rules.

    On your WAN, a rule with a dest alias including the IPs you want to allow DNS (53 TCP/UDP) to.
    And then a rule for TCP 25 doing the same thing, with an alias of the IPs you want to allow this to too.
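    To make the two-rule approach above concrete, here is an added toy model (not from the thread or from pfSense itself) of how WAN rules are evaluated for 1:1 NATed servers: the 1:1 mapping is applied first, so the WAN rules must reference the internal server addresses (as pf translates before it filters), rules are walked top to bottom with the first match deciding, and anything that matches nothing falls through to the implicit default deny. All addresses, alias names and the two servers are constructed for the example; it also shows why the original poster's "allow 53, then block any" pair only works in that order.

```python
"""Toy model of pfSense-style WAN rule evaluation for 1:1 NATed servers.

Constructed example (added, not the thread's or pfSense's own code): two
public IPs are 1:1 mapped to two LAN servers, and the WAN rule set only
admits DNS (TCP/UDP 53) and SMTP (TCP 25) to the matching alias. Everything
else is dropped by the implicit default deny at the end of the rule set.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed 1:1 NAT table: public IP -> internal server IP (documentation
# ranges, not real addresses).
ONE_TO_ONE = {
    "203.0.113.10": "10.0.0.53",   # DNS server
    "203.0.113.25": "10.0.0.25",   # mail server
}

# Aliases (as in Firewall > Aliases). They hold the *internal* addresses,
# because NAT is applied before filtering, so the WAN rules see the
# translated destination, not the public IP.
ALIASES = {
    "DNS_SERVERS": {"10.0.0.53"},
    "MAIL_SERVERS": {"10.0.0.25"},
}


@dataclass(frozen=True)
class Rule:
    action: str                # "pass" or "block"
    proto: Optional[str]       # "tcp", "udp", "tcp/udp", or None for any
    dst_alias: Optional[str]   # alias name, or None for any destination
    dst_port: Optional[int]    # destination port, or None for any port

    def matches(self, proto: str, dst: str, port: int) -> bool:
        protos = {"tcp", "udp"} if self.proto == "tcp/udp" else {self.proto}
        if self.proto is not None and proto not in protos:
            return False
        if self.dst_alias is not None and dst not in ALIASES[self.dst_alias]:
            return False
        if self.dst_port is not None and port != self.dst_port:
            return False
        return True


# The two-rule WAN policy from the thread: one pass rule per service, each
# scoped to the alias of servers that may receive it. No explicit block rule
# is needed because unmatched traffic hits the default deny.
WAN_RULES: List[Rule] = [
    Rule("pass", "tcp/udp", "DNS_SERVERS", 53),
    Rule("pass", "tcp", "MAIL_SERVERS", 25),
]


def evaluate(rules: List[Rule], proto: str, public_dst: str, port: int) -> str:
    """Return "pass" or "block" for an inbound packet arriving on WAN.

    1. 1:1 NAT rewrites the public destination to the internal address.
    2. Rules are checked top to bottom; the first match decides.
    3. No match falls through to the implicit default deny.
    """
    internal_dst = ONE_TO_ONE.get(public_dst)
    if internal_dst is None:
        return "block"  # nothing is mapped behind this public IP
    for rule in rules:
        if rule.matches(proto, internal_dst, port):
            return rule.action
    return "block"


def order_demo(block_first: bool) -> str:
    """Per-server 'allow 53' + 'block any' pair: rule order decides the result."""
    allow = Rule("pass", "tcp/udp", "DNS_SERVERS", 53)
    block = Rule("block", None, "DNS_SERVERS", None)
    rules = [block, allow] if block_first else [allow, block]
    return evaluate(rules, "udp", "203.0.113.10", 53)


if __name__ == "__main__":
    print("DNS  udp/53 -> DNS  server:", evaluate(WAN_RULES, "udp", "203.0.113.10", 53))
    print("HTTP tcp/80 -> DNS  server:", evaluate(WAN_RULES, "tcp", "203.0.113.10", 80))
    print("SMTP tcp/25 -> mail server:", evaluate(WAN_RULES, "tcp", "203.0.113.25", 25))
    print("SMTP tcp/25 -> DNS  server:", evaluate(WAN_RULES, "tcp", "203.0.113.10", 25))
    print("allow before block:", order_demo(block_first=False))
    print("block before allow:", order_demo(block_first=True))
```

    The point the model makes is that scoping each pass rule to an alias of internal addresses already leaves every other port closed, so the per-server "block any" line the original poster planned only matters if it is placed before the allow, in which case it breaks the service.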

  • Yes, I have 100 public IPs and all of them route to me.

    2- block any-any for the local IP of the DNS server: in the attachment I show it.

    What do you know?

  • LAYER 8 Global Moderator

    If they ROUTE to you, what the F are you doing NAT for??

    Put the /? whatever you have behind pfSense and just create firewall rules for what traffic you want to allow or deny..  That you would create VIPs and then NAT is beyond crazy for that many IPs..

    So you have a different network on your WAN than these IPs reside in?  What CIDR do you have? You say 100 IPs, so you have a /25 that is routed to you via a transit..  Or your ISP gave you 100 IPs attached to their network??

  • We have a /24 public range. I said 100 for example.

  • LAYER 8 Global Moderator

    Either way, if that is a /24 routed to you, why are you NATting it?  Just put it behind…  The only reason to do what you're doing is it's not actually routed to you via a transit, but you're just handing off their connection.  Which is a pretty shitty way to do it..
