Netgate Discussion Forum
2 public subnets / reach services behind NAT
kreiSSage:

Hello guys.
I am planning to get rid of an old Linux-based firewall (iptables).
The WAN part is a public /29 and the LAN is also a public /24 with services like web servers / mail servers...
Basically, the firewall allows specific ports on each internal IP to be reachable from outside.
I know the classic forwarding NAT (WAN IP -> LAN IP), but in this case it's something different, since I have to be able to reach the LAN part with the LAN IP instead of the corresponding WAN IP.
For example, pfSense interfaces:
WAN: 100.100.100.1/29, GW 100.100.100.6/29
LAN: 200.200.200.1/24
I should be able to reach 200.200.200.7:22 (ssh) / :80 (website) from outside...
Is it possible?

Derelict (Netgate):

        Yes. Assuming 200.200.200.0/24 is actually routed to 100.100.100.1 by the ISP.

        Just number the LAN with 200.200.200.1/24.

        Go to Firewall > NAT, Outbound, switch to Hybrid mode, and make a NO NAT rule on WAN for traffic sourced from 200.200.200.0/24

        Make a firewall rule on WAN passing traffic from any to 200.200.200.X TCP port 22/80.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)
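In pf terms, Derelict's steps come down to two things on the WAN interface: a "no nat" translation rule for the routed /24 that is evaluated before the automatic outbound NAT rules, and a "pass in" filter rule to the routed host on the wanted ports. The POSIX shell script below is an added example, not code from the thread or from pfSense: it checks a captured `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) listing for exactly those properties, and also flags a source-port constraint on a pass rule, which is the mistake the signature above warns about. The interface name em0 and both rule listings are constructed for the example; on a real box you would feed it the live output of `pfctl -sn` and `pfctl -sr -N` (the `-N` keeps ports numeric).

```shell
#!/bin/sh
# Added example (not from the forum thread or pfSense). Checks a pf ruleset
# listing for the properties Derelict's answer relies on:
#   1. "no nat on WAN from <routed /24>" precedes any "nat on WAN" rule that
#      would translate that source (pf translation rules are first-match).
#   2. "pass in" on WAN, proto tcp, to the routed host on each wanted port.
#   3. No pass rule carries a source-port constraint ("from X port = N to ...").
# Assumed/hypothetical: WAN interface em0, routed block 200.200.200.0/24,
# the sample listings below (constructed to look like pfctl -sn / -sr output).

WAN_IF="em0"
ROUTED_NET="200.200.200.0/24"

# Constructed sample of `pfctl -sn` after Hybrid outbound NAT with a no-NAT
# rule on WAN for the routed /24 (the automatic rules follow it).
SAMPLE_NAT_RULES='no nat on em0 inet from 200.200.200.0/24 to any
nat on em0 inet from 127.0.0.0/8 to any port = 500 -> 100.100.100.1 static-port
nat on em0 inet from 127.0.0.0/8 to any -> 100.100.100.1 port 1024:65535
nat on em0 inet from 200.200.200.0/24 to any port = 500 -> 100.100.100.1 static-port
nat on em0 inet from 200.200.200.0/24 to any -> 100.100.100.1 port 1024:65535'

# Constructed sample of `pfctl -sr -N` with the two WAN pass rules.
SAMPLE_FILTER_RULES='block drop in log all label "Default deny rule IPv4"
pass in quick on em0 inet proto tcp from any to 200.200.200.7 port = 22 flags S/SA keep state label "USER_RULE: ssh to 200.200.200.7"
pass in quick on em0 inet proto tcp from any to 200.200.200.7 port = 80 flags S/SA keep state label "USER_RULE: http to 200.200.200.7"
pass in quick on em1 inet from 200.200.200.0/24 to any flags S/SA keep state label "USER_RULE: LAN to any"'

# check_nonat_order LISTING
# 0 if a "no nat on $WAN_IF" rule naming $ROUTED_NET appears before the first
# "nat on $WAN_IF" rule that also names it (or if no such nat rule exists).
check_nonat_order() {
  printf '%s\n' "$1" | awk -v ifc="$WAN_IF" -v net="$ROUTED_NET" '
    $1 == "no" && $2 == "nat" && $4 == ifc && index($0, net) { if (!nonat) nonat = NR }
    $1 == "nat" && $3 == ifc && index($0, net)              { if (!natrule) natrule = NR }
    END { exit (nonat && (!natrule || nonat < natrule)) ? 0 : 1 }'
}

# check_wan_pass LISTING HOST PORT
# 0 if there is a "pass in ... on $WAN_IF ... proto tcp ... to HOST port = PORT".
check_wan_pass() {
  printf '%s\n' "$1" | awk -v ifc="$WAN_IF" -v host="$2" -v port="$3" '
    $1 == "pass" && $2 == "in" && index($0, " on " ifc " ") &&
    index($0, "proto tcp") && index($0, " to " host " port = " port " ") { found = 1 }
    END { exit found ? 0 : 1 }'
}

# has_source_port LISTING
# 0 if any pass rule constrains the *source* port, i.e. "from <src> port ... to".
has_source_port() {
  printf '%s\n' "$1" | awk '
    $1 == "pass" && $0 ~ /from [^ ]+ port = [^ ]+ to / { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Stand-alone run over the constructed samples.
if check_nonat_order "$SAMPLE_NAT_RULES"; then
  echo "ok: no-NAT rule for $ROUTED_NET precedes outbound NAT on $WAN_IF"
else
  echo "FAIL: $ROUTED_NET would be translated to the WAN address on egress"
fi
for p in 22 80; do
  if check_wan_pass "$SAMPLE_FILTER_RULES" 200.200.200.7 "$p"; then
    echo "ok: WAN pass rule to 200.200.200.7 tcp/$p present"
  else
    echo "FAIL: no WAN pass rule to 200.200.200.7 tcp/$p"
  fi
done
if has_source_port "$SAMPLE_FILTER_RULES"; then
  echo "WARN: a pass rule pins the source port; remove it unless you know you need it"
else
  echo "ok: no source-port constraints on pass rules"
fi
```

The no-NAT check is the one worth running after any later change to Outbound NAT: if pfSense is switched back to Automatic mode, the no-NAT rule disappears, traffic from the /24 leaves with 100.100.100.1 as its source, and the hosts are still reachable by their real addresses but answer from the wrong one. Neither check can confirm the prerequisite Derelict states first, that the ISP actually routes 200.200.200.0/24 to 100.100.100.1; verify that from an outside vantage point.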

kreiSSage:

          Thank you Derelict for your answer.
          I confirm your suggestion worked like a charm!
