Netgate Discussion Forum

    VIP using 1:1 NAT to pass all traffic to a specific internal host.

    fataldarkness

      Good morning (or afternoon) all,

      Internally we have two networks, a LAN and a DMZ. In the DMZ is an Exchange Edge Transport server and a Skype for Business Edge role server. Our "ISP" (a university 10. network has graciously given us two /16 subnets to work with) has a single connection coming to our pfSense box. We would like the Exchange and Skype servers to have their own external IP with full access to the outside network. For our WAN link we are using 10.162.13.160. For the servers I have created two virtual IPs: 10.162.13.161, which should pass all incoming traffic to the Skype server (172.30.0.150), and 10.162.13.162, which should pass all incoming traffic to the Exchange server (172.30.0.12). Our end goal is to allow a client directly on the ISP network to have access to the Exchange and Skype servers.

      I believe this is accomplished with 1:1 NAT and Outbound NAT, but I was wondering what these would look like. I am new to pfSense, so I am still learning what everything does in context with each other. Any input/suggestions/help is greatly appreciated. Here is an image showing our setup.

        viragomann

        Yes, you can do this with 1:1 NAT.

        However, consider that a 1:1 NAT rule on its own does not permit access. To allow incoming traffic you have to add appropriate firewall rules to the WAN interface. To allow outgoing traffic from the servers you have to add firewall rules to the DMZ interfaces.
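
The setup this answer describes, sketched in pf.conf syntax (pf is the packet filter underneath pfSense). This is an added example, not configuration from the thread or output generated by pfSense; the interface names, the published port lists and the LAN subnet are assumptions, while the addresses are the ones from the question.

```pf
# --- Macros (interface names, ports and lan_net are assumed placeholders) ---
wan_if    = "em0"
dmz_if    = "em1"
lan_net   = "192.168.1.0/24"     # constructed placeholder, not from the thread

skype_int = "172.30.0.150"
skype_ext = "10.162.13.161"      # virtual IP on WAN
exch_int  = "172.30.0.12"
exch_ext  = "10.162.13.162"      # virtual IP on WAN

# Assumed service ports; replace with what is actually published.
exch_tcp  = "{ 25 }"
skype_tcp = "{ 443, 5061 }"

# --- Translation: 1:1 NAT ---
# binat is bidirectional: inbound traffic to the virtual IP is rewritten to the
# internal host, and traffic leaving the host is sourced from the virtual IP.
binat on $wan_if from $skype_int to any -> $skype_ext
binat on $wan_if from $exch_int  to any -> $exch_ext

# --- Filtering ---
# The mapping alone permits nothing: with a default deny, every flow still
# needs an explicit pass rule.
block in log all

# Inbound on WAN. Translation is applied before filtering, so the destination
# to match is the internal address, not the virtual IP.
pass in on $wan_if inet proto tcp from any to $exch_int  port $exch_tcp
pass in on $wan_if inet proto tcp from any to $skype_int port $skype_tcp

# Outbound from the servers, filtered where it enters the firewall (DMZ side).
# Excluding lan_net keeps the DMZ hosts from initiating connections to the LAN.
pass in on $dmz_if inet from { $skype_int, $exch_int } to ! $lan_net
```

In the pfSense GUI the same three pieces are the 1:1 mappings under Firewall > NAT, rules on the WAN tab whose destination is the internal server address, and rules on the DMZ tab for traffic the servers originate.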

          nelioromao

          I think NAT is not the best option for a VOIP server. NAT can have some bad influence on VOIP packets and is hard to debug.

          In my opinion, just bridge the WAN port with the port where you have your VOIP server.
          And then you can use the static IP from your ISP directly on your VOIP server.

          Some sample info about NAT and VOIP:

          https://www.voip-info.org/wiki/view/NAT+and+VOIP
          http://kb.smartvox.co.uk/voip-sip/sip-nat-problem/

            isolatedvirus

            He's setting up 1:1 NATing, which shouldn't affect VOIP in this scenario. The culprit in this situation would be firewall rules blocking the incoming VOIP sessions.
