Netgate Discussion Forum
NAT 1:1 bimap dmz ip to public ip
alphaadmin

Hi,

I am a newbie with regard to building firewalls; however, I have been trying to learn, so please excuse me if I ask really simple questions.
I currently have 5 servers in the DMZ. I need to map those servers in the DMZ to their respective public IPs on the WAN.

Example

10.0.0.5 --------> 123.xxx.xxx.xxx
10.0.0.6 --------> 124.xxx.xxx.xxx
10.0.0.7 --------> 125.xxx.xxx.xxx

In our old /etc/ipnat.rules (btw, where can I find this file in pfSense?)

example

bimap fxp0 10.0.0.7/32 -> 125.xxx.xxx.xxx/32 # portmap tcp/udp

How do I put a similar rule in pfSense? I have already created the virtual IP 125.xxx.xxx.xxx/32 and created a NAT 1:1.

Any help or suggestions would be greatly appreciated.

jimp (Rebel Alliance Developer, Netgate)

You did all you need to do: add a VIP and 1:1 NAT entry.

When you add firewall rules, be sure to make the destination the internal IP, not the public IP.

It should all work at that point.

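To show how the ipnat `bimap` line from the question corresponds to what pfSense configures in its pf backend, here is an added example (not code from the thread or from pfSense): it parses lines in the ipnat bimap syntax and emits the pf.conf `binat` rule for each mapping plus a `pass` rule whose destination is the internal address, which is the point made in the reply above. The interface name `em0` and the 203.0.113.x addresses are assumed, standing in for the redacted public IPs.

```python
import re
from ipaddress import ip_network

# Constructed sample in the ipnat syntax quoted in the question, with
# documentation addresses (203.0.113.0/24) in place of the redacted public IPs.
SAMPLE_IPNAT_RULES = """\
# 1:1 mappings for the DMZ servers
bimap fxp0 10.0.0.5/32 -> 203.0.113.5/32 # portmap tcp/udp
bimap fxp0 10.0.0.7/32 -> 203.0.113.7/32
map fxp0 10.0.0.0/24 -> 0/32 portmap tcp/udp 10000:20000
"""

BIMAP_RE = re.compile(
    r"^\s*bimap\s+(?P<ifname>\S+)\s+(?P<internal>\S+)\s*->\s*(?P<external>\S+)"
)


def parse_bimaps(text):
    """Return (interface, internal_net, external_net) for each bimap line."""
    mappings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # strip trailing comments
        m = BIMAP_RE.match(line)
        if not m:
            continue  # 'map'/'rdr' lines and blanks are not 1:1 mappings
        internal = ip_network(m["internal"], strict=False)
        external = ip_network(m["external"], strict=False)
        if internal.prefixlen != external.prefixlen:
            raise ValueError(f"bimap sides must be the same size: {raw.strip()}")
        mappings.append((m["ifname"], internal, external))
    return mappings


def _addr(net):
    """Print a single host without its /32, a block with its prefix length."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def to_pf_rules(mappings, ext_if):
    """pf.conf equivalent: one binat per mapping, then pass rules whose
    destination is the INTERNAL address (pf translates before it filters)."""
    rules = [f"binat on {ext_if} from {_addr(i)} to any -> {_addr(e)}"
             for _, i, e in mappings]
    rules += [f"pass in on {ext_if} from any to {_addr(i)}" for _, i, _ in mappings]
    return rules


if __name__ == "__main__":
    print("\n".join(to_pf_rules(parse_bimaps(SAMPLE_IPNAT_RULES), "em0")))
```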
alphaadmin

Hi Jimp,

Thank you very much for your speedy reply. I also tried that; this is exactly what I did:
I added a virtual proxy ARP. Under the NAT 1:1 page I created a

1:1 mapping using the WAN interface

For the external subnet I used the public IP.
For the internal subnet I used the private IP, i.e. the IP of the machine in the DMZ.

Please see the images I have attached for a more detailed description. It still does not work; I am not able to reach the machine in the DMZ even after I have done what you suggested, or at least part of it. I think I might be missing something.

Thanks

(Attached screenshots: wanrules.JPG, virtual.JPG, orange rules.JPG, nat 1.JPG)

jimp (Rebel Alliance Developer, Netgate)

Those rules on the "orange" interface are unnecessary. Traffic would be coming from the server on that interface. If you don't have an allow-all rule at the bottom, you really want the top rule, not the lower one in your screencap.

alphaadmin

Hi Jimp,

Thanks again. Okay, I enabled the top rule like you suggested, but still no reply from the public IP?? I am baffled. I am going to try to use CARP.

Any other suggestions?

Thanks
--------------------------------------------

False alarm, I received a ping from the public IPs after I used CARP. However, the public IPs still don't route to the DMZ IPs of the servers. Any other suggestions?

jimp (Rebel Alliance Developer, Netgate)

Is the pfSense router also set as the gateway for the system involved with the 1:1 NAT?

There are some other suggestions here:

http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

alphaadmin

Hi Jimp,

Thanks again. After verifying that the gateway being used was indeed the firewall, and then deleting and re-creating the CARP IPs, everything works now for sure. The only problem now is that we used to have a mail server that would receive and send mail back out; however, it does not work. I think that's a topic for a different thread, so once again, thanks much.
