How to set up Static/Persistent routes.



  • I have a subnet of public IPs 68.42.194.0/25

    What my colo does is they route all requests for 68.42.194.0/25 to 68.42.238.44 which is the IP of my router. Behind the router I have a private network 192.168.1.0/24.
    I want to map public IPs from 68.42.194.0/25 to my private IPs 192.168.1.0/24 as in:
    68.42.194.1 -> 192.168.1.1
    68.42.194.2 -> 192.168.1.2
    68.42.194.3 -> 192.168.1.3
    etc….
    How can I accomplish this in PFsense?
    So any time someone accesses 68.42.194.1 from the outside, the router transparently routes them to 192.168.1.1 on the private network. Of course when 192.168.1.1 initiates a request to the outside, the router maps them to 68.42.194.1. Same goes for any other IP.

    If I were to write those rules out in iptables, here is how I would have done it:
    given eth1 is the outside interface.
    iptables -t nat -I PREROUTING -i eth1 -d 68.42.194.1 -s 0/0 -j DNAT --to 192.168.1.1
    iptables -t nat -I POSTROUTING -o eth1 -s 192.168.1.1 -j SNAT --to-source 68.42.194.1

    I hope it makes sense. Thanks for any help.



  • Unless I am missing something, this is vanilla 1:1 NAT.  STF for info on that.



  • That's what I figured, but I can't get it to work.
    For instance I have this in my NAT 1:1 right now:
    WAN  68.42.194.2/32  192.168.1.3/32
    trying to map 68.42.194.2 to 192.168.1.3
    but when I ping 68.42.194.2 I get no results. Also I am running tcpdump icmp -n on 192.168.1.3 to see if those icmp packets make it past the router, but I don't see anything.



  • You know what, this:
    WAN      68.42.194.2/32      192.168.1.3/32
    has solved one problem: going from inside out. In other words when 192.168.1.3 initiates a request to the outside world, everyone sees it as 68.42.194.2 now. That worked and it's great.
    I guess what I have left to figure out is how to route all requests to 68.42.194.2 from outside to 192.168.1.3



  • So you're saying that you can successfully browse the web, etc, from 192.168.1.3 now? If so, then it sounds like all you need to do now is set up your firewall rules. On the interface where your public IPs lie (WAN?) you need to set up rules to allow the incoming traffic. The destination will be the LAN address and port(s). To see an example, add a regular port forward and let it generate the firewall rules automatically, then look at the rule it generates and use it as a guide.
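The thread's diagnosis in a small model, added here as an illustration and not code from the forum or from pfSense itself: the 1:1 NAT entry rewrites addresses in both directions, but on the WAN side the ruleset is consulted after translation, so an inbound rule has to name the LAN address (not the public one) as its destination, and with no WAN rule at all the translated packet is dropped by the default deny, which is the "ping gets no reply, tcpdump on the host sees nothing" symptom above. The address pairs come from the first post (the whole /25 mapped host-for-host onto the /24, plus the explicit 68.42.194.2 to 192.168.1.3 entry); the rule and packet dictionaries, the function names and the `"block"`/`"pass"` vocabulary are this example's own assumptions, not pfSense's API.

```python
import ipaddress

# Networks quoted in the thread: the public /25 and the private /24 behind the router.
PUBLIC_NET = ipaddress.ip_network("68.42.194.0/25")
PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")


def binat_pairs_for_range(public_net, private_net):
    """Host-for-host pairs as the first post describes: 68.42.194.N <-> 192.168.1.N."""
    pairs = []
    for pub in public_net.hosts():                     # .1 .. .126 for a /25
        offset = int(pub) - int(public_net.network_address)
        priv = ipaddress.ip_address(int(private_net.network_address) + offset)
        pairs.append((str(pub), str(priv)))
    return pairs


def binat_table(pairs):
    """Build the two lookup directions a 1:1 NAT entry implies."""
    pub_to_priv = {pub: priv for pub, priv in pairs}
    priv_to_pub = {priv: pub for pub, priv in pairs}
    return pub_to_priv, priv_to_pub


def inbound_on_wan(pkt, pub_to_priv, wan_rules):
    """Model of an inbound packet arriving on WAN.

    Translation happens first, then the WAN rules are matched against the
    translated (LAN) destination. No matching rule means the default deny.
    Returns (action, destination_after_nat)."""
    translated = dict(pkt, dst=pub_to_priv.get(pkt["dst"], pkt["dst"]))
    for rule in wan_rules:
        if rule["proto"] != translated["proto"]:
            continue
        if rule["dst"] != translated["dst"]:
            continue
        if rule.get("dport") is not None and rule["dport"] != translated.get("dport"):
            continue
        return rule["action"], translated["dst"]
    return "block", translated["dst"]          # WAN has no default-allow rule


def outbound_from_lan(pkt, priv_to_pub):
    """Model of the reverse direction: the LAN host leaves with its public address."""
    return dict(pkt, src=priv_to_pub.get(pkt["src"], pkt["src"]))


# Constructed sample data: the generated range plus the single entry the poster configured.
PAIRS = binat_pairs_for_range(PUBLIC_NET, PRIVATE_NET) + [("68.42.194.2", "192.168.1.3")]
PUB_TO_PRIV, PRIV_TO_PUB = binat_table(PAIRS)

PING_FROM_OUTSIDE = {"proto": "icmp", "src": "203.0.113.9", "dst": "68.42.194.2"}
WEB_FROM_OUTSIDE = {"proto": "tcp", "src": "203.0.113.9", "dst": "68.42.194.2", "dport": 80}

# Rules as the last reply recommends: destination is the LAN address behind the 1:1 entry.
WAN_RULES_OK = [
    {"proto": "icmp", "dst": "192.168.1.3", "action": "pass"},
    {"proto": "tcp", "dst": "192.168.1.3", "dport": 80, "action": "pass"},
]
# The easy mistake: writing the public address as the destination. It never matches.
WAN_RULES_WRONG_DST = [
    {"proto": "icmp", "dst": "68.42.194.2", "action": "pass"},
]


def scenario(label, rules):
    action, dst = inbound_on_wan(PING_FROM_OUTSIDE, PUB_TO_PRIV, rules)
    print(f"{label}: ping to 68.42.194.2 -> {dst}: {action}")
    return action


if __name__ == "__main__":
    scenario("no WAN rules  ", [])                 # block: the thread's symptom
    scenario("public-IP dst ", WAN_RULES_WRONG_DST)  # block: rule never matches
    scenario("LAN-IP dst    ", WAN_RULES_OK)         # pass
    out = outbound_from_lan({"proto": "tcp", "src": "192.168.1.3", "dst": "198.51.100.7"}, PRIV_TO_PUB)
    print("outbound from 192.168.1.3 leaves as", out["src"])
```

The outbound direction works with no extra rule in the model for the same reason it worked for the poster: the LAN side is permitted by default and only the source address is rewritten, whereas inbound traffic needs both the translation and an explicit pass rule on WAN with the post-NAT address.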

