NAT question

  • I have a small office LAN with a few clients and a server on 10.16.0.128/25. It is connected to the LAN port of the pfSense (10.16.0.129). The WAN port of the pfSense (10.16.0.1) is connected to an internet access gateway (VDSL router on 10.16.0.2). WAN address space is 10.16.0.0/26. On the WAN side of the pfSense there is a webserver (10.16.0.7) that is accessible by all clients on the LAN side but, for security reasons, has no access to the LAN side. At the moment this works fine. However, I'm planning to change the configuration, which will have the effect that the LAN clients cannot access the WAN network segment (10.16.0.0/26) any more.
    Now my question: is it possible to create a virtual IP in the pfSense, let's say 10.16.0.130, that is directly forwarded to the webserver on the WAN side, so that I can reach it by https://10.16.0.130 in the future (instead of https://10.16.0.7) from clients that are located within my LAN segment?
    If anybody knows a solution, please help!


  • LAYER 8 Global Moderator

    Why would you do that? Why not just allow the lan clients access to 10.60.0.7? on 443?



  • Dear johnpoz, what you suggest is the situation at the moment. It works fine. However, for a quite complicated reason, it would be desirable to have access to the webserver outside the LAN by using an IP address within the LAN address space.



  • Also wondering what you try to achieve with that.
    However, yes, it is doable. Add 10.16.0.130 as an "IP alias" (Firewall > Virtual IPs) to the LAN interface, then add a NAT rule to forward that IP to the webserver.



  • @Viragomann: Thanks for the good news that this is possible. I have now tried a lot but have not been successful yet. When creating a VIP of type "IP alias" (10.16.0.130) for the LAN interface, I end up at the administrative interface of the pfSense when connecting to this port. So I tried a VIP of type "other". On the NAT mapping page it is not clear to me which kind of NAT mapping I should choose: "port forwarding", "1:1", "outbound" or "NPt". Could you help me a step further?



  • So you use port 443 for the pfSense Web interface?
    You may change the port in System > Advanced > Admin Access.
    Also you should check "Disable webConfigurator redirect rule".


  • LAYER 8 Netgate

    Put the IP Alias VIP on LAN.

    Put a port forward on LAN forwarding connections to the VIP:443 to the Web Server:443.

    That will override the connection to the WebGUI. You will still get the web GUI on the LAN address:443.
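As an added illustration (not part of the thread or of pfSense's own documentation), this is roughly what the two objects from the last reply look like in pfSense's config.xml once created through the GUI (Firewall > Virtual IPs and Firewall > NAT > Port Forward). The element names follow pfSense's config layout as I recall it and are an assumption; create the objects in the GUI rather than editing config.xml by hand.

```xml
<!-- Added example, not from the thread: approximate pfSense config.xml
     fragments for the IP alias VIP on LAN and the LAN-side port forward.
     Element names are an assumption about pfSense's layout; use the GUI. -->
<virtualip>
  <vip>
    <mode>ipalias</mode>
    <interface>lan</interface>
    <type>single</type>
    <subnet>10.16.0.130</subnet>
    <subnet_bits>32</subnet_bits>
    <descr><![CDATA[VIP for LAN access to the WAN-side web server]]></descr>
  </vip>
</virtualip>

<nat>
  <rule>
    <!-- Bound to LAN: only connections arriving on the LAN interface are
         redirected, so nothing on the WAN side gains a path into the LAN. -->
    <interface>lan</interface>
    <protocol>tcp</protocol>
    <source><any></any></source>
    <!-- Matches the VIP only; 10.16.0.129:443 (the LAN address itself)
         is untouched and still reaches the webConfigurator. -->
    <destination>
      <address>10.16.0.130</address>
      <port>443</port>
    </destination>
    <target>10.16.0.7</target>
    <local-port>443</local-port>
    <!-- "pass" creates the matching pass rule automatically; narrow
         <source> to specific LAN hosts if not every client needs access. -->
    <associated-rule-id>pass</associated-rule-id>
    <descr><![CDATA[LAN VIP 10.16.0.130:443 -> web server 10.16.0.7:443]]></descr>
  </rule>
</nat>
```

A quick check from a LAN client is to compare the TLS certificate presented on https://10.16.0.130 with the one on https://10.16.0.129; if both still show the pfSense webConfigurator certificate, the forward is not matching.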
