Netgate Discussion Forum
    1:1Nat, two public IPs for one server with one nic

viragomann @leonidas-o
      @leonidas-o
I know this rule, but I don't know your others.
It's better to make sure of something than to make assumptions about it. But that seems to be feckless here.

leonidas-o @viragomann

@viragomann yes, sure, I agree with the assumptions point.
Do I actually need port forwards even when I have a 1:1 NAT entry set up, or should the 1:1 entry be doing something like that itself?

        I'm asking because I think I have something here. Your statement actually made me think:

        "Both of your public IPs go to the same pfSense interface..."

I was wondering if I maybe need a port forwarding rule placed in front of the traefik port forward I mentioned. My thought was: what if a destination address of "WAN address" catches everything, i.e. all virtual IPs that belong to that WAN address? That would actually make sense, kind of.
And if you want to distinguish between them, you have to place a port forward for each of the VIPs (the VIP is even available in the dropdown) in front of it, like:

Interface: WAN    Proto: *    Source addr: *    Source ports: *    Dest address: 10.10.10.3    Dest ports: *    NAT IP: 10.1.1.57    NAT ports: *


I refreshed the page with https://94.x.x.B and was no longer seeing the traefik self-signed cert, but the BBB service's self-signed cert. I think that's it; it could be that you are a true hero, good sir.

But what is the 1:1 NAT doing in the end if I still need port forwards and firewall rules?

viragomann @leonidas-o

@leonidas-o
No, the 1:1 NAT rule does the port forwarding; it doesn't need an additional rule for this if set up properly.

A 1:1 rule on WAN forwards packets destined to, say, 10.10.10.3 to 10.1.1.57, and translates the source IP in upstream packets from 10.1.1.57 to 10.10.10.3.

If your rule doesn't work, recheck the settings.

SteveITS @leonidas-o

@leonidas-o said in "1:1Nat, two public IPs for one server with one nic":

"still need port forwardings and firewall rules"

            https://docs.netgate.com/pfsense/en/latest/nat/1-1.html
            "All traffic initiated on the Internet destined for the specified public IP address on the mapping will be translated to the private IP address, then evaluated against the firewall ruleset on the inbound WAN interface. If matching traffic is permitted by the firewall rules to a target of the private IP address, it will be passed to the internal host."

leonidas-o @SteveITS

@viragomann @steveits thanks guys, yeah, I'm starting to get a feeling for its behaviour. The most important part for me is actually this: https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html#port-forwarding-and-1-1-nat

"Port forwards also take precedence over 1:1 NAT. If a port forward is defined on one external IP address forwarding a port to a host, and a 1:1 NAT entry is also defined on the same external IP address forwarding everything into a different host, then the port forward remains active and continues forwarding to the original host."

"Port forwards take precedence over 1:1 NAT", so, as we found out that "WAN address" matches the VIPs as well, I will have to change my port forward rules to use just the original WAN address 10.10.10.2 and ignore the VIP (10.10.10.3).

I have to work on the BBB Docker deployment at the moment (it is horrible, to be honest) before I can test everything out. I will report back as soon as possible, but I think that's actually the key to getting everything working.

leonidas-o @leonidas-o
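The two pfSense documentation statements quoted in this thread (the WAN ruleset is evaluated against the translated private address, and port forwards take precedence over 1:1 NAT) fix the order in which inbound packets are processed. The following is an added example, not code from the thread or from pfSense itself: a small model of that evaluation order, so the cases discussed above can be checked without touching a firewall. It uses the thread's addresses (10.10.10.2 WAN address, 10.10.10.3 VIP, 10.1.1.57 BBB host); the internal traefik host 10.1.1.10, the ports and the rule sets are constructed assumptions for illustration. The traefik port forwards are modelled as defined on the WAN address only; whether "WAN address" also matches VIPs on a real box is the poster's observation, not something this model asserts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "*"


@dataclass(frozen=True)
class PortForward:          # a pfSense "Port Forward" entry (pf rdr)
    proto: str              # "tcp", "udp" or "*"
    dst_ip: str             # external address the entry is defined on
    dst_port: str           # external port, or "*"
    nat_ip: str             # internal target host
    nat_port: str           # internal port, "*" = same as dst_port


@dataclass(frozen=True)
class OneToOne:             # a pfSense "1:1" entry (pf binat)
    external: str           # public IP / VIP
    internal: str           # internal host


@dataclass(frozen=True)
class FilterRule:           # a WAN firewall rule; first match wins
    action: str             # "pass" or "block"
    proto: str
    dst: str                # IP, CIDR or "*"
    dst_port: str


def _eq(rule_val, val):
    return rule_val == ANY or rule_val == str(val)


def _dst_matches(rule_dst, ip):
    return rule_dst == ANY or ip_address(ip) in ip_network(rule_dst, strict=False)


def translate_inbound(forwards, mappings, proto, dst_ip, dst_port):
    """Port forwards are consulted first; 1:1 only if none matched.
    Returns (new_dst_ip, new_dst_port, what_matched)."""
    for fw in forwards:
        if _eq(fw.proto, proto) and fw.dst_ip == dst_ip and _eq(fw.dst_port, dst_port):
            port = dst_port if fw.nat_port == ANY else int(fw.nat_port)
            return fw.nat_ip, port, "port-forward"
    for m in mappings:
        if m.external == dst_ip:
            return m.internal, dst_port, "1:1"
    return dst_ip, dst_port, None


def translate_outbound(mappings, src_ip):
    """Traffic from the mapped host leaves with the public IP of its 1:1 entry."""
    for m in mappings:
        if m.internal == src_ip:
            return m.external
    return src_ip  # ordinary outbound NAT is not modelled here


def filter_inbound(rules, proto, dst_ip, dst_port):
    """Evaluated against the *translated* destination; default deny on WAN."""
    for r in rules:
        if _eq(r.proto, proto) and _dst_matches(r.dst, dst_ip) and _eq(r.dst_port, dst_port):
            return r.action
    return "block"


def process_inbound(forwards, mappings, rules, proto, dst_ip, dst_port):
    ip, port, how = translate_inbound(forwards, mappings, proto, dst_ip, dst_port)
    return {"to": (ip, port), "via": how, "verdict": filter_inbound(rules, proto, ip, port)}


# --- constructed sample configuration mirroring the thread's addresses ---
WAN_ADDR = "10.10.10.2"     # interface address
VIP = "10.10.10.3"          # second public IP (virtual IP)
BBB = "10.1.1.57"           # BigBlueButton host behind the 1:1 entry
TRAEFIK = "10.1.1.10"       # assumption: internal traefik host

PORT_FORWARDS = [PortForward("tcp", WAN_ADDR, "80", TRAEFIK, ANY),
                 PortForward("tcp", WAN_ADDR, "443", TRAEFIK, ANY)]
ONE_TO_ONE = [OneToOne(VIP, BBB)]
WAN_RULES = [FilterRule("pass", "tcp", TRAEFIK, "80"),
             FilterRule("pass", "tcp", TRAEFIK, "443"),
             FilterRule("pass", ANY, BBB, ANY)]   # written against the private IP


def demo_precedence():
    """A port forward defined on the VIP itself wins over the 1:1 entry for that port."""
    extra = PORT_FORWARDS + [PortForward("tcp", VIP, "443", TRAEFIK, ANY)]
    return process_inbound(extra, ONE_TO_ONE, WAN_RULES, "tcp", VIP, 443)


def demo_rule_on_public_ip():
    """A WAN rule written against the VIP never matches: filtering sees 10.1.1.57."""
    rules = [FilterRule("pass", ANY, VIP, ANY)]
    return process_inbound(PORT_FORWARDS, ONE_TO_ONE, rules, "tcp", VIP, 443)


if __name__ == "__main__":
    for proto, ip, port in [("tcp", WAN_ADDR, 443), ("tcp", VIP, 443), ("udp", VIP, 16384)]:
        print(proto, ip, port, "->", process_inbound(PORT_FORWARDS, ONE_TO_ONE, WAN_RULES, proto, ip, port))
    print("precedence:", demo_precedence())
    print("rule on public IP:", demo_rule_on_public_ip())
    print("outbound from BBB appears as", translate_outbound(ONE_TO_ONE, BBB))
```

With the base configuration, HTTPS to the WAN address lands on traefik via the port forward, while HTTPS (and any UDP media port) to the VIP reaches the BBB host through the 1:1 entry alone, with no extra port forward. `demo_precedence()` reproduces the failure mode from earlier in the thread: once a port forward exists on the VIP for 443, that port no longer follows the 1:1 mapping. `demo_rule_on_public_ip()` shows why the WAN pass rule must name the private address, exactly as the quoted documentation says.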

I couldn't make BigBlueButton work behind pfSense/OPNsense with 1:1 NAT + reflection etc., so I gave up on that approach. I still found a solution by assigning the second public IP directly to the BBB VM, which I documented here: https://serverfault.com/questions/1121061/assigned-second-public-ip-to-vm-from-outside-not-reachable/1121266#1121266

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.