    NAT 1:1 bimap dmz ip to public ip

    • A
      alphaadmin last edited by

      Hi,

      I am a newbie with regard to building firewalls; however, I have been trying to learn, so please excuse me if I ask really simple questions.
      I currently have 5 servers in the DMZ. I, however, need to map those servers in the DMZ to their respective public IPs on the WAN.

      Example

      10.0.0.5 --------> 123.xxx.xxx.xxx
      10.0.0.6 --------> 124.xxx.xxx.xxx
      10.0.0.7 --------> 125.xxx.xxx.xxx

      In our old /etc/ipnat.rules.., BTW, where can I find this file in pfSense?

      example

      bimap fxp0 10.0.0.7/32 -> 125.xxx.xxx.xxx/32 # portmap tcp/udp

      How do I put a similar rule in pfSense? I have already created the virtual IP 125.xxx.xxxx.xxxx/32 and created a NAT 1:1.

      Any help or suggestions would be greatly appreciated.

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        You did all you need to do: add a VIP and 1:1 NAT entry.

        When you add firewall rules, be sure to make the destination the internal IP, not the public IP.

        It should all work at that point.

        • A
          alphaadmin last edited by

          Hi Jimp,

          Thank you very much for your speedy reply. I also tried that; this is exactly what I did:
          I added a Virtual proxy ARP. Under the NAT 1:1 page I created a

          1:1 mapping using the WAN interface

          For external subnet I used the public IP
          For internal subnet I used the private IP, or the IP of the machine in the DMZ

          Please see the images I have attached for a more detailed description. It still does not work; I am not able to reach the machine in the DMZ even after I have done what you suggested, or at least part. I think I might be missing something.

          Thanks




          ![orange rules.JPG](/public/imported_attachments/1/orange rules.JPG)
          ![nat 1.JPG](/public/imported_attachments/1/nat 1.JPG)

          • jimp
            jimp Rebel Alliance Developer Netgate last edited by

            Those rules on the "orange" interface are unnecessary. Traffic would be coming from the server on that interface. If you don't have an allow all rule at the bottom, you really want the top rule, not the lower one in your screencap.

            • A
              alphaadmin last edited by

              Hi Jimp,

              Thanks again. Okay, I enabled the top rule like you suggested, but still no reply from the public IP?? I am baffled. I am going to try to use CARP.

              Any other suggestions?

              Thanks
              ---------------------------------------------

              False alarm, I received a ping from the public IPs after I used CARP. However, the public IPs still don't route to the DMZ IPs of the server. Any other suggestions?

              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                Is the pfSense router also set as the gateway for the system involved with the 1:1 NAT?

                There are some other suggestions here:

                http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

                • A
                  alphaadmin last edited by

                  Hi Jimp,

                  Thanks again. After verifying that the gateway being used was indeed the firewall and then deleting and creating CARP IPs, everything works now for sure. The only problem now is that we used to have a mail server that would receive and send mail back out; however, it does not work. However, I think that's a topic for a different thread, so once again, thanks much.
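
An added example, not part of the original thread and not pfSense's own code: a small Python helper that reads old ipnat `bimap` lines and lists, for each one, the Virtual IP, the 1:1 NAT entry and a WAN rule whose destination is the internal address, as jimp advises above. The 192.0.2.x sample addresses, the function names and the tcp/25 service are assumptions for illustration; the rule is written in pf syntax only to show which address the filter matches.

```python
import ipaddress
import re

# Constructed sample in the ipnat.rules style quoted in the thread; the public
# addresses are documentation-range placeholders, not the poster's real ones.
SAMPLE_IPNAT = """\
# old IPFilter mappings
bimap fxp0 10.0.0.5/32 -> 192.0.2.5/32
bimap fxp0 10.0.0.6/32 -> 192.0.2.6/32
bimap fxp0 10.0.0.7/32 -> 192.0.2.7/32   # mail
map fxp0 10.0.0.0/24 -> 0/32
"""

BIMAP = re.compile(r"^bimap\s+(\S+)\s+(\S+)\s+->\s+(\S+)$")


def parse_bimaps(text):
    """Return (ifname, internal_net, external_net) for every bimap line."""
    found = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        match = BIMAP.match(line)
        if not match:
            continue                             # map/rdr rules, blanks, comments
        ifname, inside, outside = match.groups()
        inside = ipaddress.ip_network(inside, strict=True)
        outside = ipaddress.ip_network(outside, strict=True)
        if inside.prefixlen != outside.prefixlen:
            raise ValueError(f"1:1 NAT needs equal-sized subnets: {raw!r}")
        found.append((ifname, inside, outside))
    return found


def pfsense_plan(text, proto="tcp", port=25):
    """List the VIP, 1:1 NAT entry and WAN rule to create per bimap line.

    proto/port are an assumed service (inbound mail) chosen for illustration.
    """
    plan = []
    for ifname, inside, outside in parse_bimaps(text):
        plan.append({
            "virtual_ip": str(outside),
            "nat_1to1": {"interface": "WAN", "external": str(outside),
                         "internal": str(inside)},
            # pf translates before it filters, so by the time the rule is
            # evaluated the destination is already the internal address.
            "wan_rule": f"pass in on {ifname} proto {proto} "
                        f"from any to {inside} port {port}",
        })
    return plan
```
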
