NAT 1:1 question
I just ditched our Cisco router and installed a pfSense box and got it to work thanks to the great minds here in the pfSense forum!
One of the things that made us shift to pfsense was its NAT 1:1 feature that was also present in our Cisco Router. Now I have a bunch of several public IP addresses that I want to assign to several internal IP addresses in our network. This is where I need help.
Okay, so I added all the public IP addresses that I wanted to bind in our internal network, but it confuses me since we were not given any subnet mask by our ISP regarding the public IP addresses they provided us. So I don't know what to set in the /32 part.
Would it be okay if I just place my public IP then /32, resulting in
121.96.xx.xxx/32 for the external then I would like to assign it to
192.168.x.x for the internal part?
If that is good, do I have to make a rule in the firewall to allow the source IP to the destination IP?
Basically we are using NAT 1:1 because we want to utilize our Asterisk server in the office to make calls at home.
Any insight, opinion and help is very much appreciated.
If you don't have the subnet details for your public IPs, add them individually to Firewall | Virtual IPs with a /32 subnet.
In Firewall | NAT | 1:1, create a rule for each public IP that needs 1:1 NAT, also specify a single internal IP and a /32 for the internal subnet.
1:1 traffic also passes through the firewall filter so you will have to create firewall rules to allow traffic through.
Hope this helps.
You may also find that you have to change the Outbound NAT to manual and select Static Port for your Asterisk to work with NAT.
An alternative solution is to put a public IP directly on your Asterisk box and hook it up to another interface on pfSense that is bridged to your WAN. That way there is no NAT involved (which Asterisk prefers) and the bridged interface still goes through the firewall filter so you can still block traffic.
I have sites with both methods used for Asterisk and both work!
Thanks again for helping me.
So first, you want me to add the public IPs individually as Virtual IPs, as Proxy ARP or as Other?
Second, add them again in the NAT 1:1 under the firewall tab.
Third, create a LAN or WAN firewall rule manually that will allow the source IP to the destination IP, correct?
Regarding your other alternative, we have 3 Asterisk servers here in the office, so should I add 3 more NICs to our pfSense box and connect them directly to the new NICs and bridge them all to the WAN interface?
Thanks again gob. Sorry if I'm such a hassle ;D
No hassle at all.
Yes, correct regarding the NATing.
Add one bridged interface to pfSense. Plug that into a switch and plug your 3x Asterisk into that switch.
Set the public IPs straight on the Asterisk boxes and configure their gateway to the IP of your Modem/Router.
Can I just bridge the current LAN interface since it's already connected to a switch that is connected to the 3x Asterisk and all other switches in our network? Thanks Gob!
I'm trying to add the rules right now and I'm a bit confused.
I'm currently in Firewall | Rules | WAN
Should I type in the public IPs in the source field and the internal IP address in the destination field? Thanks!
If all you have on your LAN are devices with public IPs then you could bridge your LAN. However, if you also have regular computers that need NAT then it won't work. You'll need a separate interface from your LAN.
I will have to check the rules on one of my pfSense boxes when I get to the office later.
For 1:1 NAT rules, the source on the WAN tab is 'Any' if you want it open to the whole internet, whilst the destination is the internal IP.
If using the bridged interface option, the destination is the public IP on the Asterisk.
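
The rule placement described above, as an added example that is not part of the original thread: pfSense translates the destination before the WAN filter rules are evaluated, so with 1:1 NAT the pass rule must name the internal IP, while on a bridged interface (no NAT) it names the public IP. The addresses are constructed documentation-range samples, and the SIP port 5060/UDP is an assumption, not a value from the thread.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not values from the thread.
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")
INTERNAL_IP = ipaddress.ip_address("192.168.1.10")

# 1:1 NAT table: one public /32 mapped to one internal /32.
ONE_TO_ONE = {PUBLIC_IP: INTERNAL_IP}

# Two candidate WAN pass rules; port 5060/UDP (SIP) is an assumed example port.
RULE_TO_INTERNAL = {"src": "any", "dst": "192.168.1.10/32", "proto": "udp", "ports": {5060}}
RULE_TO_PUBLIC = {"src": "any", "dst": "203.0.113.10/32", "proto": "udp", "ports": {5060}}


def translate_inbound(dst, nat_table):
    """Rewrite the destination of a packet arriving on WAN if a 1:1 entry exists."""
    return nat_table.get(dst, dst)


def rule_matches(rule, src, dst, proto, port):
    """True when source, destination, protocol and port all match the rule."""
    src_ok = rule["src"] == "any" or src in ipaddress.ip_network(rule["src"])
    dst_ok = dst in ipaddress.ip_network(rule["dst"])
    return src_ok and dst_ok and rule["proto"] == proto and port in rule["ports"]


def wan_verdict(rules, nat_table, src, dst, proto, port):
    """Translate first, then filter; no matching pass rule means the packet is blocked."""
    src = ipaddress.ip_address(src)
    dst = translate_inbound(ipaddress.ip_address(dst), nat_table)
    for rule in rules:
        if rule_matches(rule, src, dst, proto, port):
            return "pass"
    return "block"


if __name__ == "__main__":
    caller = "198.51.100.7"  # constructed remote phone address
    for name, rules, nat in [
        ("1:1 NAT, rule to internal IP", [RULE_TO_INTERNAL], ONE_TO_ONE),
        ("1:1 NAT, rule to public IP", [RULE_TO_PUBLIC], ONE_TO_ONE),
        ("bridged, rule to public IP", [RULE_TO_PUBLIC], {}),
    ]:
        print(name, "->", wan_verdict(rules, nat, caller, "203.0.113.10", "udp", 5060))
```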
Okay Gob! Will try to do that and give you feedback.
Where can I find the port that Asterisk uses again? astGui.conf?
Asterisk uses lots of ports depending on how it is configured and what kind of trunks you are using.
I use the Trixbox distro of Asterisk so can't really comment on your setup.
That's one for the Asterisk forums I'm afraid.
We're using vicidial.
I'll try to check with their forum. Thanks man!