Routed public subnet



  • Hello,

    My ISP gives me a public subnet which is routed to a CARP VIP. I want to use those public addresses with services via NAT.

    So my ISP routes my public subnet 198.200.200.60/30 to the INT CARP VIP 192.168.30.2.

    My goal is to NAT the web service from 192.168.60.100:80 to 198.200.200.62:80

    Could you help me to understand how to do that?

    Thanks

    Kevin



  • You have to add each single IP of the routed subnet to your WAN. Firewall > Virtual IPs
    Type: IP Alias
    Interface: your WAN CARP VIP
    Enter the address and the correct mask.

    After that you can set your port-forwarding rules using the virtual IPs.

    You may also set up NAT 1:1 for the whole subnet within one single rule. This doesn't need the IP aliases.



  • Interface: your WAN CARP VIP

    To be sure, this is 192.168.30.2?

    I have a VPN server on the pfSense, which is listening on the CARP IP. Can I forward the traffic to it?



  • @Kev!n:

    Interface: your WAN CARP VIP

    To be sure, this is 192.168.30.2?

    Yes, you should be able to select the IP from the drop-down: '192.168.30.2 (WAN VIP)'

    @Kev!n:

    I have a VPN server on the pfSense, which is listening on the CARP IP. Can I forward the traffic to it?

    ??? The VPN server is already listening on the WAN CARP VIP. Where do you want to forward it to? You may set the server to listen on the LAN IP or on localhost and forward the traffic to it.



  • Yes, you should be able to select the IP from the drop-down: '192.168.30.2 (WAN VIP)'

    So far this is working and it's great! I can NAT 198.200.200.62:443 to 192.168.60.100:80. \o/

    ??? The VPN server is already listening on the WAN CARP VIP. Where do you want to forward it to? You may set the server to listen on the LAN IP or on localhost and forward the traffic to it.

    My VPN server is listening on '192.168.30.2 (WAN VIP)'. From the outside I want it to be accessible on 198.200.200.62:3232.
    I created a NAT rule 198.200.200.62:3232 to 192.168.30.2:3232 and a firewall pass rule * * 192.168.30.2 3232 *, both on TCP/UDP.
    I can see matching rules in the syslog but nothing more.



    No, you cannot forward packets from one WAN VIP to another one. You can only forward them to an IP assigned to another interface, like LAN or localhost.

    But that seems not to be what you want. Just select the virtual IP 198.200.200.62 in the VPN server settings in the Interface drop-down and it will listen on it. There's no forwarding needed for that.
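The pf rules below are an added illustration of what the two answers above describe (per-address IP aliases plus a port forward, the 1:1 alternative, and a service bound directly to the routed VIP instead of being forwarded between WAN VIPs); they are not taken from the thread or from pfSense's generated ruleset. The interface name em0, the internal /30 used for the 1:1 example and the VPN port 3232 on UDP are assumptions; the addresses are the ones given in the thread.

```pf
# Assumed: em0 is the WAN interface that carries the CARP VIP 192.168.30.2,
# and the ISP routes 198.200.200.60/30 to that VIP. Each usable address of
# the routed block is added as an IP Alias VIP on the CARP VIP (pfSense does
# this in Firewall > Virtual IPs); pf then only needs the rdr/pass rules.
ext_if  = "em0"
web_srv = "192.168.60.100"

# Port forward: public 198.200.200.62:443 -> internal web server port 80.
# "rdr pass" creates the translation and the matching pass rule in one line.
rdr pass on $ext_if proto tcp from any to 198.200.200.62 port 443 \
    -> $web_srv port 80

# Alternative from the second answer: 1:1 NAT for the whole routed /30 in a
# single rule, which needs no per-address IP aliases. The internal /30 is
# an assumed example range; binat maps it address-for-address onto the
# public /30 in both directions.
binat on $ext_if from 192.168.60.0/30 to any -> 198.200.200.60/30

# VPN on the routed block: do NOT rdr 198.200.200.62 to the CARP VIP
# 192.168.30.2 (both live on the same WAN, so the forward never matches a
# deliverable target). Bind the VPN daemon to 198.200.200.62 itself and
# simply allow the traffic in. Port 3232/udp is assumed from the thread.
pass in quick on $ext_if proto udp from any to 198.200.200.62 port 3232
```

Load with `pfctl -nf /path/to/rules` first to syntax-check; on pfSense itself the GUI regenerates /tmp/rules.debug, so these lines are a reading aid, not something to paste into the live ruleset.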



    :D Why am I complicating things, you're perfectly right.

    It's now working. \o/

    Thank you very much.

    Kevin