2 firewall issue



  • Hello,

    I am new to pfSense and have an issue with a project. The gist of it is that I have 24 public IPs that need to go through the pfSense, then through another internal firewall (Untangle), to a device. I believe I have the rules for inbound correct, as I can access it from the public IP and port number.

    My issue is the outbound. I need it to route back out through the public IP that it came in on, as assigned through NAT.

    Example:

    pfSense IP = 192.168.1.1
    Public IP = 123.123.123.221:4443
    Redirected IP = 192.168.250.250:4565

    Now, 192.168.250.250 is the internal firewall, so all public IPs will route to that IP, just with a different port number. I thought I had the outbound NAT set up, as I have:

    Source: 192.168.250.250:4565

    NAT Address: 123.123.123.221:4443

    But it routes out through our default IP like normal traffic. Our vendor for the device sees it coming from the default IP. I do have it set to Hybrid outbound NAT and, like I said, incoming seems to work, because I can reach the endpoint through the public IP and port just fine.

    Any help would be appreciated

    Thanks!



  • Use 1:1 NAT and NAT reflection.



  • So I would do a 1:1 for all 24 public IPs and point them to 192.168.250.250?

    Example:
    WAN IP           Redirect to
    123.123.123.221  192.168.250.250
    123.123.123.222  192.168.250.250
    123.123.123.223  192.168.250.250
    etc.

    I haven't used NAT reflection before, but I turned it on. I am assuming this would look at the NAT rules to do the port change?

    Thanks



  • NAT reflection allows devices on the LAN side of the router to connect to the WAN IP and get redirected back inside. Otherwise the firewall will see the request coming in on the "wrong" interface and reject it. (An alternative is to use split DNS so LAN devices resolve to the LAN IP address.)

    Take a look at https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html if you haven't. Outbound should be handled automatically.

    1:1 NAT doesn't change ports, though; am I reading your post right that you need pfSense to change the port? 1:1 forwards all traffic for the WAN IP alias to the designated LAN IP.
    https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html



  • @teamits

    Yeah, I have 24 public IPs that need to go through the pfSense, then through an internal firewall (Untangle), to connect to the 24 devices.

    The 24 IPs will need NAT for ports 4443 and 443, because they will all be forwarded to 192.168.250.250. Then, when they come back through the internal firewall, I need them to go out the IP they came in on. I have the incoming side working from the public IP all the way to the headend device. But on the way out, from 250.250 to pfSense, it is all going out the main WAN IP instead of the individual public IPs.



  • I think on the outbound NAT you should have:

    Source: 192.168.250.250:4565
    Destination: *
    NAT address: 123.123.123.221

    Perhaps with Static Port set, if you want it to retain the :4565 source port.
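
To make the outbound side concrete, here is an added Python model of the NAT decisions being discussed. It is not pfSense code and not from anyone in the thread; it mirrors the first-match behaviour described above (port forwards in, outbound NAT out, fall-through to the default WAN address when nothing more specific matches). The "main" WAN address 123.123.123.200 and the consecutive internal ports 4565, 4566, ... for the 24 devices are constructed assumptions, since the thread only gives the first mapping (123.123.123.221:4443 to 192.168.250.250:4565). It also generalizes the thread's single rule to all 24 and adds a check for the one condition that makes the outbound direction undecidable: two public IPs forwarded to the same internal IP:port.

```python
"""Model of the NAT decisions in the thread (constructed example, not
pfSense code).  Builds the inbound port-forward table, derives the outbound
NAT rules that pair with it, and shows why return traffic falls through to
the default WAN address when the outbound rule does not match on the
internal source port."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTERNAL_FW = "192.168.250.250"      # Untangle, from the thread
DEFAULT_WAN_IP = "123.123.123.200"   # assumed "main" WAN address (not given in the thread)


@dataclass(frozen=True)
class PortForward:           # WAN port forward: public_ip:public_port -> internal_ip:internal_port
    public_ip: str
    public_port: int
    internal_ip: str
    internal_port: int


@dataclass(frozen=True)
class OutboundRule:          # outbound NAT: source ip[:port] -> nat_ip
    source_ip: str
    source_port: Optional[int]   # None = any port, i.e. a rule with no source port set
    nat_ip: str
    static_port: bool = False    # keep the original source port instead of rewriting it


def build_forwards(first_public_ip="123.123.123.221", public_port=4443,
                   internal_ip=INTERNAL_FW, first_internal_port=4565,
                   count=24) -> List[PortForward]:
    """Constructed table: 24 consecutive public IPs, all forwarded to the same
    internal host on consecutive internal ports (extends the thread's one mapping)."""
    prefix, last = first_public_ip.rsplit(".", 1)
    return [PortForward(f"{prefix}.{int(last) + i}", public_port,
                        internal_ip, first_internal_port + i) for i in range(count)]


def outbound_rules_from_forwards(forwards: List[PortForward]) -> List[OutboundRule]:
    """One outbound rule per forward, matching on the internal source *port*.
    Every public IP lands on the same internal host, so the port is the only
    attribute that tells the 24 return flows apart."""
    return [OutboundRule(f.internal_ip, f.internal_port, f.public_ip, static_port=True)
            for f in forwards]


def find_ambiguous_forwards(forwards: List[PortForward]) -> List[Tuple[str, int]]:
    """Internal (ip, port) pairs used by more than one forward.  Each such pair
    makes the outbound direction undecidable, whatever rules you write."""
    seen = defaultdict(list)
    for f in forwards:
        seen[(f.internal_ip, f.internal_port)].append(f.public_ip)
    return [key for key, ips in seen.items() if len(ips) > 1]


def select_outbound(rules: List[OutboundRule], src_ip: str, src_port: int,
                    default_wan_ip: str = DEFAULT_WAN_IP) -> Tuple[str, bool]:
    """First matching outbound rule wins.  Returns (address the packet leaves
    with, whether the source port is preserved).  No match means the default
    outbound NAT, i.e. the main WAN address: the symptom described in the thread."""
    for r in rules:
        if r.source_ip == src_ip and (r.source_port is None or r.source_port == src_port):
            return r.nat_ip, r.static_port
    return default_wan_ip, False


FORWARDS = build_forwards()
GOOD_RULES = outbound_rules_from_forwards(FORWARDS)
# A single rule with no source port: every return flow would leave as .221,
# so devices 2..24 would still show up at the vendor under the wrong address.
TOO_BROAD_RULES = [OutboundRule(INTERNAL_FW, None, "123.123.123.221")]

if __name__ == "__main__":
    for port in (4565, 4566, 4588, 9999):
        print(port, "->", select_outbound(GOOD_RULES, INTERNAL_FW, port))
    print("no rules:  ", select_outbound([], INTERNAL_FW, 4565))
    print("too broad: ", select_outbound(TOO_BROAD_RULES, INTERNAL_FW, 4566))
    print("ambiguous: ", find_ambiguous_forwards(
        FORWARDS + [PortForward("123.123.123.245", 4443, INTERNAL_FW, 4565)]))
```

Running it shows the three cases side by side: with the per-port rules, 192.168.250.250:4565 leaves as 123.123.123.221 and :4588 as 123.123.123.244; with no matching rule (or a source port pfSense never forwarded to) the flow leaves with the default WAN address; and with a rule that matches the internal host but not the port, all 24 flows collapse onto .221. The `find_ambiguous_forwards` check is worth running against the real port-forward table before debugging the Untangle side.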



  • OK, I had it set up right then. For some reason it doesn't come out of the Untangle right, so that may be my problem. I just wanted to make sure the outbound side of the pfSense was set up correctly.

    Thanks

