Internal IP not hidden from OPT?

  • Hello!

    I'm sorry if my question has already been posted but… I didn't find my way.

    What I'd like to do: hide the LAN's IP from the OPT1 DMZ. It seems that OPT1 acts like a router...

    My config:
    On LAN: server1 on (I know, a public IP... I can't choose). Interface LAN on
    On OPT1: server2 on Interface OPT1 on server1's VIP on (proxy ARP).
    I created 1:1 NAT between and, all right.
    I created rules on OPT1 to allow any flow from to anywhere... right.

    My problem is: if I reduce these rules to only from to, I lose the link. And if I allow to, in this case server2 can contact server1 on both IPs: and
    I don't want server2 to be able to know server1's IP. I wish to get a response only from server1's VIP, not from its real IP! In this last case, PF acts as a router on interface OPT1...
    How could I do it? Is "transparent firewall" a solution?

    Thank you for your help!

  • Could you post a picture of your rule…

    So I can analyze it further...

  • I'm not sure I understand your problem correctly, but it sounds as if you want to NAT from LAN to OPT1.

    For that, go to Firewall -> NAT -> Outbound and enable advanced outbound NAT.
    Now you can make your own NAT rules below.

  • Thanks for your answers. And sorry for my late reply… not there...

    Well, romizone, I've attached the picture you requested. I come from the Cisco PIX world, and I realize that things are not exactly the same, so I apologize if I don't understand everything on the first pass :D

    GruensFroeschli, you're right: I want to NAT from LAN to OPT1. OPT1 is my DMZ and I want to hide the LAN's addresses.
    I used both 1:1 NAT ( to my VIP) and advanced outbound NAT ( to on the OPT1 interface). But... I don't really understand why I should set advanced outbound NAT since I use 1:1 NAT on the addresses interesting me??? Isn't "advanced outbound NAT" only used for outgoing connections, such as connections from server1 to server2's services?
    Only server2 should be able to join server1. Server1 "never" has to join server2. I mean that for its replies to server2's requests, server2 should "see" the VIP address as the source address.

    I don't know if I'm clear enough! I hope you'll understand me :D

  • Which interface did you apply the 1:1 NAT on?  It should be on the DMZ (OPT1) interface.  If it's not translating properly, we'll probably need to see your /tmp/rules.debug file and possibly a screenshot of your 1:1 settings.
  • As you said, I applied 1:1 NAT on OPT1, Bill. My VIP is also created on OPT1.
    I reproduced exactly the same "problem" in a VM (through VMware Workstation). I'll send you the pictures of my config and the file you want.
    Isn't it "normal" to be able to contact server1 on both addresses (true IP and VIP) since the rule allows traffic from server2 to server1's real IP?

    Thanks everybody for spending your precious time on my little question :)

    Greetings from Nantes, France - awful weather... :-\

  • Here is the picture of the 1:1 NAT.
    Is it correct?
    Outbound is set to "Manual Outbound NAT", and there is NO rule created (I erased the only one auto-generated).
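
For readers following this thread: the fragment below is an added, hand-written pf.conf approximation of what a pfSense 1:1 NAT entry on OPT1 expands to (it is not the poster's /tmp/rules.debug and not the project's own output), using constructed placeholder addresses and interface names. It shows why the OPT1 rule must name server1's real address, and why, with that rule in place, server2 can still reach the real address directly, which is exactly the behaviour the thread describes:

```pf
# Added example, not from the thread. Interface names and addresses are
# constructed placeholders (RFC 5737 documentation ranges).
lan_if       = "em1"
opt1_if      = "em2"
server1_real = "192.0.2.10"       # server1, on LAN (its real, public address)
server1_vip  = "198.51.100.10"    # proxy-ARP virtual IP created on OPT1
server2      = "198.51.100.20"    # server2, on OPT1 (the DMZ)

# A pfSense 1:1 NAT entry on OPT1 is a bidirectional mapping bound to that
# interface: outbound on OPT1, source server1_real becomes server1_vip;
# inbound on OPT1, destination server1_vip becomes server1_real.
binat on $opt1_if from $server1_real to any -> $server1_vip

# pf translates before it filters. A packet from server2 to the VIP therefore
# reaches the OPT1 filter rules with its destination already rewritten to
# server1's real address, so a rule written "to $server1_vip" never matches
# (the "I lose the link" symptom). The pass rule has to name the real address.
pass in quick on $opt1_if proto tcp from $server2 to $server1_real port 443 keep state

# Replies from server1 go back out through the same binat, so they leave OPT1
# with the VIP as source: server2 sees the VIP in the traffic it gets back.

# Caveat: a packet that server2 sends directly to 192.0.2.10 is not touched by
# the binat (its destination is not the VIP) and arrives at the filter with the
# same destination as a translated one. The rule above matches both, and the
# firewall routes the direct one, so the real address stays reachable.
```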
