Netgate Discussion Forum

    I think VIP and internal servers

    Category: HA/CARP/VIPs
    9 Posts, 3 Posters, 849 Views
    froussy (last edited by froussy)

      Good day,

      Currently I'm running a Fortigate and migrating to an XG-7100.

      At another site I have an SG-2200 and I'm able to do port forwarding without any issue.

      Here is the topology:

      I have two /28s: xxx.113.10.96/28 (my main one) and xxx.253.240.240/28 (which is routed to my other /28).

      My WAN ip is xxx.113.10.98/28.

      I have different IPs that serve different services:

      xxx.113.10.101 -> 192.168.4.37 - Port 443
      xxx.113.10.104 -> 192.168.4.13 - Port 25
      xxx.253.240.241 -> 192.168.30.10 - Port 80 and 443

      An external IP gets to an internal server IP on a specific port.

      So, how can I do that? I'm totally lost.

      Thanks a lot!

      edit: added a port to an IP

      dotdash (last edited by dotdash)

        Just add the IPs from the second subnet in as VIPs (I'd use CARP type) and create the port forwards.
        Edit: to clarify, add them just like you would add the ones on your WAN, the .101 and the .104.

        froussy (last edited by froussy)

          I don't seem to be able to use CARP... I only have one device, no HA.

          Is it more 1:1 NAT?

          Derelict, LAYER 8, Netgate (last edited by Derelict)

            You don't need a VIP for the routed subnet addresses. All you do is make a port forward.

            If you WANT to make a VIP for the addresses you can make an Other type VIP that serves as a menu item when you are doing things like creating port forwards but really does nothing. A port forward will work with or without an Other type VIP.

            You do need some sort of VIP for the interface subnet addresses because they need to respond to ARP. I would use IP Alias in that case, not CARP. (You don't need to be running HA to use CARP VIPs, but I would say that if you're not running HA, IP Alias is the better choice, generally.)

            https://docs.netgate.com/pfsense/en/latest/book/nat/port-forwards.html

            https://www.netgate.com/docs/pfsense/nat/forwarding-ports-with-pfsense.html

            https://docs.netgate.com/pfsense/en/latest/nat/port-forward-troubleshooting.html

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            froussy
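The distinction Derelict draws above (interface-subnet addresses must answer ARP, so they need an IP Alias VIP; addresses in a subnet routed to the WAN address need only the port forward) is the kind of thing worth checking mechanically before clicking through the GUI. The following is an added example, not code from the thread or from pfSense: it classifies each public address against the WAN interface subnet and the routed block, then prints pf(4)-style rdr lines as an approximation of what a pfSense port-forward entry produces (pfSense writes the real ruleset itself). The addresses are constructed stand-ins, since the post redacts the first octets as "xxx": 198.51.100.96/28 plays the WAN subnet, 203.0.113.240/28 the routed one, and the WAN interface name `em0` is assumed.

```python
import ipaddress

# Constructed sample data. The forum post redacted the first octets ("xxx"),
# so RFC 5737 documentation ranges stand in for them:
#   198.51.100.96/28 plays xxx.113.10.96/28 (the WAN interface subnet)
#   203.0.113.240/28 plays xxx.253.240.240/28 (the subnet routed to the WAN address)
WAN_IF = "em0"                   # assumed WAN interface name
WAN_ADDR = "198.51.100.98/28"    # the firewall's own WAN address (xxx.113.10.98/28 in the thread)
ROUTED_NETS = ["203.0.113.240/28"]

# (public address, internal server, TCP ports), mirroring the three mappings in the thread
FORWARDS = [
    ("198.51.100.101", "192.168.4.37", [443]),
    ("198.51.100.104", "192.168.4.13", [25]),
    ("203.0.113.241", "192.168.30.10", [80, 443]),
]


def vip_requirement(public_ip, wan_addr=WAN_ADDR, routed_nets=ROUTED_NETS):
    """Decide whether a public address needs a VIP before a port forward can work.

    "ip_alias": the address lies inside the WAN interface subnet, so the upstream
                router will ARP for it and the firewall must own it (IP Alias VIP).
    "none":     the address is the interface address itself, or lies in a subnet
                routed to the WAN address; packets already reach the firewall, so
                only the port forward is needed (an "Other" VIP is optional).
    Raises ValueError for addresses the firewall cannot legitimately claim.
    """
    ip = ipaddress.ip_address(public_ip)
    wan = ipaddress.ip_interface(wan_addr)
    if ip == wan.ip:
        return "none"  # the interface address already answers ARP on its own
    if ip in wan.network:
        if ip in (wan.network.network_address, wan.network.broadcast_address):
            raise ValueError(f"{public_ip} is the network or broadcast address of {wan.network}")
        return "ip_alias"
    if any(ip in ipaddress.ip_network(net) for net in routed_nets):
        return "none"
    raise ValueError(f"{public_ip} is neither in {wan.network} nor in a routed subnet")


def plan(forwards=FORWARDS, wan_if=WAN_IF, wan_addr=WAN_ADDR, routed_nets=ROUTED_NETS):
    """Return (VIP decision per public address, pf-style rdr lines) for a forward list.

    The rdr syntax is pf(4) and only approximates what pfSense generates from a
    port-forward entry; the GUI builds the real rules (and the matching filter rules).
    """
    vips = {}
    rules = []
    for public_ip, internal_ip, ports in forwards:
        vips[public_ip] = vip_requirement(public_ip, wan_addr, routed_nets)
        for port in ports:
            rules.append(
                f"rdr on {wan_if} proto tcp from any to {public_ip} port {port} "
                f"-> {internal_ip} port {port}"
            )
    return vips, rules


if __name__ == "__main__":
    vips, rules = plan()
    for public_ip, need in vips.items():
        print(f"{public_ip}: VIP needed = {need}")
    print("\n".join(rules))
```

Run as-is it reports `ip_alias` for the two addresses in the WAN /28 and `none` for the routed .241, which is exactly the split Derelict describes. The network and broadcast addresses of the WAN /28 are rejected on purpose: claiming them as VIPs is a common mistake that breaks the link.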

              Thanks Derelict. Based on what you suggested, I found it!

              And another quick one... from specific machines internally, I want them to use a specific IP when accessing the net.

              Like users go out with the .110 IP,
              and my mail server uses the .104 IP?

              Derelict, LAYER 8, Netgate

                Set your Outbound NAT how you want for specific sources.

                https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html

                froussy

                  Again, thanks a lot.

                  Just to be sure... in the source it says "network", but I can add one internal IP (like 192.168.4.13/32) rather than a network?

                  Derelict, LAYER 8, Netgate

                    Yes, for a single source host use /32.

                    froussy
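The two outbound NAT answers above (pick the external address per source, and use /32 for a single host) hide an ordering detail that bites in practice: pf evaluates nat rules top-down and the first match wins, so a /32 rule for the mail server that sits below a broader LAN rule never fires and the mail server leaves with the wrong source address. This added example (not from the thread or pfSense) simulates that matching, orders rules most-specific first, and prints pf(4)-style nat lines as an approximation of what pfSense builds from outbound NAT entries. Addresses are constructed: 198.51.100.104 and .110 stand in for the redacted xxx.113.10.104 and .110, and the WAN interface name `em0` is assumed.

```python
import ipaddress

WAN_IF = "em0"  # assumed WAN interface name

# Constructed mappings standing in for the thread's ".104" and ".110"
# (first octets were redacted; 198.51.100.0/24 is an RFC 5737 documentation range).
# Each entry: (source network, external address to translate to).
# Deliberately listed in the wrong order: the broad /24 shadows the /32 below it.
OUTBOUND = [
    ("192.168.4.0/24", "198.51.100.110"),   # ordinary LAN users
    ("192.168.4.13/32", "198.51.100.104"),  # the mail server, a single host
]


def order_rules(rules):
    """Place longer prefixes first so a /32 host rule precedes the /24 it lives in.

    sorted() is stable, so rules with the same prefix length keep their listed order.
    """
    return sorted(rules, key=lambda rule: ipaddress.ip_network(rule[0]).prefixlen, reverse=True)


def translate_source(src_ip, rules):
    """Simulate outbound NAT matching: the first rule whose source network contains
    src_ip decides the translation address (pf evaluates nat rules top-down,
    first match wins). Returns None when no rule matches, i.e. no translation."""
    ip = ipaddress.ip_address(src_ip)
    for net, external in rules:
        if ip in ipaddress.ip_network(net):
            return external
    return None


def nat_rules(rules, wan_if=WAN_IF):
    """pf(4)-style nat lines approximating what pfSense builds from outbound NAT entries."""
    return [f"nat on {wan_if} from {net} to any -> {external}" for net, external in rules]


if __name__ == "__main__":
    print("mail server, rules as listed:", translate_source("192.168.4.13", OUTBOUND))
    print("mail server, rules ordered:  ", translate_source("192.168.4.13", order_rules(OUTBOUND)))
    print("\n".join(nat_rules(order_rules(OUTBOUND))))
```

With the rules as listed, the mail server is translated to .110; after `order_rules` it gets .104 and everyone else on the /24 still gets .110. In pfSense this corresponds to switching Outbound NAT to Hybrid or Manual mode and placing the /32 entry above the broader one in the list; in Hybrid mode the manual entries are evaluated before the automatically generated ones.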

                      Thanks a lot!

                      You can't imagine the help you just gave me! :)

                      Frank

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.