Netgate Discussion Forum

NAT question

    RolandW
    last edited by Mar 19, 2019, 5:18 PM

    I have a small office LAN with a few clients and a server on 10.16.0.128/25. It is connected to the LAN port of the pfSense (10.16.0.129). The WAN port of the pfSense (10.16.0.1) is connected to an internet access gateway (VDSL router on 10.16.0.2). WAN address space is 10.16.0.0/26. On the WAN side of the pfSense there is a webserver (10.16.0.7) that is accessible by all clients on the LAN side but, for security reasons, has no access to the LAN side. At the moment this works fine. However, I'm planning a change to the configuration that will have the effect that the LAN clients cannot access the WAN network segment (10.16.0.0/26) any more.
    Now my question: is it possible to create a virtual IP in the pfSense, let's say 10.16.0.130, that is directly forwarded to the webserver on the WAN side, so that I can reach it by https://10.16.0.130 in the future (instead of https://10.16.0.7) from clients that are located within my LAN segment?
    If anybody knows a solution, please help!

      johnpoz LAYER 8 Global Moderator
      last edited by Mar 19, 2019, 5:22 PM

      Why would you do that? Why not just allow the LAN clients access to 10.60.0.7? on 443?

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        RolandW
        last edited by Mar 19, 2019, 5:29 PM

        Dear johnpoz, what you suggest is the situation at the moment. It works fine. However, for a quite complicated reason, it would be desirable to have access to the webserver outside the LAN by using an IP-address within the LAN address space.

          viragomann
          last edited by Mar 19, 2019, 9:53 PM

          Also wondering what you are trying to achieve with that.
          However, yes, it is doable. Add 10.16.0.130 as an "IP alias" (Firewall > Virtual IPs) to the LAN interface, then add a NAT rule to forward that IP to the webserver.

            RolandW
            last edited by Mar 20, 2019, 9:27 PM

            @Viragomann: Thanks for the good news that this is possible. I have now tried a lot, but have not been successful yet. When creating a VIP of type "IP alias" (10.16.0.130) for the LAN interface, I end up at the administrative surface of the pfSense when connecting to this port. So I tried a VIP of "other" type. On the NAT mapping page, it is not clear to me which kind of NAT mapping I should choose: "port forwarding", "1:1", "outbound" or "NPt". Could you help me a step further?

              viragomann
              last edited by Mar 20, 2019, 9:36 PM

              So you use port 443 for the pfSense Web interface?
              You may change the port in System > Advanced > Admin Access.
              Also you should check "Disable webConfigurator redirect rule".

                Derelict LAYER 8 Netgate
                last edited by Mar 21, 2019, 12:45 AM

                Put the IP Alias VIP on LAN.

                Put a port forward on LAN forwarding connections to the VIP:443 to the Web Server:443.

                That will override the connection to the WebGUI. You will still get the web GUI on the LAN address:443.

                Chattanooga, Tennessee, USA
                A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                Do Not Chat For Help! NO_WAN_EGRESS(TM)
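
The setup described in the last reply, as an added example that is not part of the thread and not pfSense code: a small Python model of how a LAN client's connection is handled once the IP alias VIP and the port forward exist. It assumes destination translation is applied before the filter rules (as pf does), that the webConfigurator listens on 443, and that the only pass rule is the one for the forward's target; all names in the code are hypothetical.

```python
"""Added example: models the LAN port forward from the thread (not pfSense code)."""
from ipaddress import ip_address, ip_network

# Addresses taken from the thread.
LAN_NET = ip_network("10.16.0.128/25")
WAN_NET = ip_network("10.16.0.0/26")
LAN_ADDR = ip_address("10.16.0.129")   # pfSense LAN interface
VIP = ip_address("10.16.0.130")        # IP alias VIP on LAN
WEB_SERVER = ip_address("10.16.0.7")   # web server on the WAN segment

# Port forward on LAN: (destination, port) -> (target, port).
PORT_FORWARDS = {(VIP, 443): (WEB_SERVER, 443)}
# Pass rules on LAN, matched against the destination *after* translation.
PASS_RULES = {(WEB_SERVER, 443)}
# Addresses the firewall itself answers on (assumption: GUI on port 443).
LOCAL_ADDRS = {LAN_ADDR, VIP}
GUI_PORT = 443


def check_plan():
    """Return a list of problems with the address plan (empty if sane)."""
    problems = []
    if VIP not in LAN_NET:
        problems.append("VIP is outside the LAN subnet")
    if VIP in (LAN_NET.network_address, LAN_NET.broadcast_address, LAN_ADDR):
        problems.append("VIP collides with a reserved or interface address")
    if WEB_SERVER not in WAN_NET:
        problems.append("web server is not on the WAN segment")
    if LAN_NET.overlaps(WAN_NET):
        problems.append("LAN and WAN subnets overlap")
    return problems


def route(dst, port, forwards=PORT_FORWARDS):
    """Where does a connection from a LAN client to dst:port end up?"""
    dst = ip_address(dst)
    # 1. Destination NAT is applied before the filter rules are evaluated.
    if (dst, port) in forwards:
        host, hport = forwards[(dst, port)]
        return f"forwarded to {host}:{hport}" if (host, hport) in PASS_RULES else "blocked"
    # 2. Untranslated traffic to a firewall address reaches local services.
    if dst in LOCAL_ADDRS:
        return "webConfigurator" if port == GUI_PORT else "blocked"
    # 3. Everything else needs an explicit pass rule (default deny in this model).
    return "passed" if (dst, port) in PASS_RULES else "blocked"
```

Because the pass rule matches the translated destination, `route("10.16.0.7", 443)` is also passed in this model: blocking direct access to the WAN segment while keeping the forward working needs a separate check of the rules on LAN.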
