NAT 1:1 bimap dmz ip to public ip



  • Hi,

    I am a newbie with regards to building firewalls, however I have been trying to learn, so please excuse me if I ask really simple questions.
    I currently have 5 servers in the DMZ. I however need to map those servers in the DMZ to their respective public IPs on the WAN.

    Example

    10.0.0.5 --------> 123.xxx.xxx.xxx
    10.0.0.6 --------> 124.xxx.xxx.xxx
    10.0.0.7 --------> 125.xxx.xxx.xxx

    In our old /etc/ipnat.rules... By the way, where can I find this file in pfSense?

    example

    bimap fxp0 10.0.0.7/32 -> 125.xxx.xxx.xxx/32 # portmap tcp/udp

    How do I put a similar rule in pfSense? I have already created the virtual IP 125.xxx.xxxx.xxxx/32 and created a NAT 1:1.

    Any help or suggestions would be greatly appreciated.


  • Rebel Alliance Developer Netgate

    You did all you need to do: add a VIP and 1:1 NAT entry.

    When you add firewall rules, be sure to make the destination the internal IP, not the public IP.

    It should all work at that point.



  • Hi Jimp,

    Thank you very much for your speedy reply. I also tried that; this is exactly what I did.
    I added a Virtual proxy ARP. Under the NAT 1:1 page I created a

    1:1 mapping using the WAN interface

    For external subnet I used the public IP
    For internal subnet I used the private IP, or the IP of the machine in the DMZ

    Please see the images I have attached for a more detailed description. It still does not work; I am not able to reach the machine in the DMZ even after I have done what you suggested, or at least part of it. I think I might be missing something.

    Thanks




    [Attached screenshot: orange rules.JPG]
    [Attached screenshot: nat 1.JPG]


  • Rebel Alliance Developer Netgate

    Those rules on the "orange" interface are unnecessary. Traffic would be coming from the server on that interface. If you don't have an allow all rule at the bottom, you really want the top rule, not the lower one in your screencap.



  • Hi Jimp,

    Thanks again. Okay, I enabled the top rule like you suggested, but still no reply from the public IP?? I am baffled. I am going to try to use CARP.

    Any other suggestions

    Thanks
    –-------------------------------------------

    False alarm, I received a ping from the public IPs after I used CARP. However, the public IPs still don't route to the DMZ IPs of the servers. Any other suggestions?


  • Rebel Alliance Developer Netgate

    Is the pfSense router also set as the gateway for the system involved with the 1:1 NAT?

    There are some other suggestions here:

    http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
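    The two points from the replies above (the 1:1 mapping itself, and the firewall rule being written against the internal address) can be illustrated with a hand-written pf ruleset that does what the old ipnat bimap line did. This is an added example, not code from the thread or the ruleset pfSense generates; the interface name and the 203.0.113.7 public address are placeholders, and the mail port is only a sample service.

    ```pf
    # Hand-written pf equivalent of the old ipnat line
    #   bimap fxp0 10.0.0.7/32 -> 125.xxx.xxx.xxx/32
    # All names and the public address are placeholders (assumptions).
    wan_if   = "em0"           # assumed WAN interface (fxp0 in the old ipnat file)
    pub_mail = "203.0.113.7"   # placeholder for the real 125.xxx.xxx.xxx address
    dmz_mail = "10.0.0.7"      # the server on the DMZ ("orange") interface

    # 1:1 bidirectional translation: packets arriving for $pub_mail are
    # rewritten to $dmz_mail, and traffic leaving from $dmz_mail gets
    # $pub_mail as its source. This is what the 1:1 NAT entry plus the
    # virtual IP (proxy ARP or CARP) provide in the pfSense GUI.
    binat on $wan_if from $dmz_mail to any -> $pub_mail

    # pf runs the filter AFTER translation, so the pass rule names the
    # INTERNAL address as its destination, exactly as the reply says.
    pass in quick on $wan_if proto tcp from any to $dmz_mail port 25 keep state

    # This rule would never match: by the time the filter is evaluated
    # the destination is already 10.0.0.7, not the public address.
    # pass in quick on $wan_if proto tcp from any to $pub_mail port 25

    # Not expressible in pf.conf, but required for the reply traffic to
    # return through the translation: the DMZ server's default gateway
    # must be the firewall's DMZ-side address.
    ```

    No rule is needed on the DMZ interface for inbound connections; the state created by the WAN-side pass rule already covers the server's replies.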



  • Hi Jimp,

    Thanks again. After verifying that the gateway being used was indeed the firewall and then deleting and recreating the CARP IPs, everything works now for sure. The only problem now is that we used to have a mail server that would receive and send mail back out, however it does not work. However, I think that's a topic for a different thread, so once again thanks much.

