NAT 1:1 bimap dmz ip to public ip
-
Hi,
- I am a newbie with regards to building firewalls, however I have been trying to learn, please excuse me if I ask really simple questions.
I currently have 5 servers in the dmz. I however need to map those servers in the dmz to their respective public ips on the wan.
Example
10.0.0.5 --------> 123.xxx.xxx.xxx
10.0.0.6 --------> 124.xxx.xxx.xxx
10.0.0.7 --------> 125.xxx.xxx.xxx
In our old /etc/ipnat.rules (btw, where can I find this file in pfSense?), for
example
bimap fxp0 10.0.0.7/32 -> 125.xxx.xxx.xxx/32 # portmap tcp/udp
How do I put a similar rule in pfSense? I have already created the virtual IP 125.xxx.xxxx.xxxx/32 and created a NAT 1:1 entry.
Any help or suggestions would be greatly appreciated.
-
You did all you need to do: add a VIP and 1:1 NAT entry.
When you add firewall rules, be sure to make the destination the internal IP, not the public IP.
It should all work at that point.
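For anyone translating an ipnat.rules file by hand, the VIP + 1:1 NAT entry described above corresponds roughly to the following pf rules. This is an added illustration, not text from the thread and not pfSense's generated configuration; the interface names em0/em2 and the 203.0.113.0/24 public addresses are placeholders.

```pf
# Added example: hand-written pf equivalent of a pfSense 1:1 NAT entry.
# Assumptions (placeholders, not from the thread): WAN is em0, DMZ is em2,
# the server is 10.0.0.7 and its public address is 203.0.113.7.
ext_if   = "em0"
dmz_if   = "em2"
srv_int  = "10.0.0.7"
srv_pub  = "203.0.113.7"

# The old ipnat line
#   bimap fxp0 10.0.0.7/32 -> 125.xxx.xxx.xxx/32
# becomes a pf binat rule: bidirectional, one-to-one, all ports.
binat on $ext_if from $srv_int to any -> $srv_pub

# pf does not answer ARP for $srv_pub by itself; that is what the Proxy ARP
# (or CARP) virtual IP does, so this rule is useless without the VIP.

# Translation happens before filtering, so the pass rule on WAN must match
# the INTERNAL address, not the public one (the point made in the reply above).
pass in quick on $ext_if proto tcp from any to $srv_int port 25 keep state

# Replies and outbound traffic from the server are rewritten to $srv_pub by
# the binat rule; allow them like any other DMZ traffic.
pass in quick on $dmz_if from $srv_int to any keep state
```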
-
Hi Jimp,
Thank you very much for your speedy reply. I also tried that, this is exactly what i did
I added a virtual IP (Proxy ARP). Under the NAT 1:1 page I created a 1:1 mapping using the WAN interface.
For external subnet I used the public IP.
For internal subnet I used the private IP, i.e. the IP of the machine in the DMZ.
Please see the images I have attached for a more detailed description. It still does not work, I am not able to reach the machine in the DMZ even after I have done what you suggested, or at least part of it. I think I might be missing something.
Thanks
![orange rules.JPG](/public/imported_attachments/1/orange rules.JPG)
![nat 1.JPG](/public/imported_attachments/1/nat 1.JPG)
-
Those rules on the "orange" interface are unnecessary. Traffic would be coming from the server on that interface. If you don't have an allow all rule at the bottom, you really want the top rule, not the lower one in your screencap.
-
Hi Jimp,
Thanks again. Okay, I enabled the top rule like you suggested, but still no reply from the public IP?? I am baffled. I am going to try to use CARP.
Any other suggestions?
Thanks
-
False alarm, I received a ping from the public IPs after I used CARP. However the public IPs still don't route to the DMZ IPs of the server. Any other suggestions?
-
Is the pfSense router also set as the gateway for the system involved with the 1:1 NAT?
There are some other suggestions here:
http://doc.pfsense.org/index.php/Port_Forward_Troubleshooting
-
Hi Jimp,
Thanks again. After verifying that the gateway being used was indeed the firewall and then deleting and recreating the CARP IPs, everything works now for sure. The only problem now is that we used to have a mail server that would receive mail and send it back out, and that does not work; however, I think that's a topic for a different thread, so once again thanks very much.