NAT, routing and NATing HELP!



  • Hello guys,
                  I'm really new at this and I need your help. What I need to do is this:

    pfSense 1.2.3
    Subnet                                          WAN                    LAN
    171.11.10.0/25 ------ Firewall 1.1.1.1/28 ----- 1.1.1.2/28 firewall --------- 192.168.1.0/24
                                                                        |  OPT1
                                                                         --------- 192.168.2.0/24
                                                                        |  OPT2
                                                                         --------- 192.168.3.0/24
    I need all the 192.168.xxx.xxx subnets to be accessible from subnet 171.11.10.0/25 without losing firewalling.
    For testing I disabled the firewall on pfSense and I can route from any network to the others, but I need to activate the pfSense firewall again and restrict the access, only letting through a few hosts and protocols, for example:
    Allow MSRDP access from 171.11.10.10 to 192.168.1.101
    Block Any from 192.168.2.0/24 to 192.168.3.0/24

    Can you guide me or help me!!!
    I really appreciate your time!
    Thanks!
              Pablo



  • You can't get 1:1 access from a /25 to a /23, by way of a /28 - that's like trying to fit a pint into a shot glass by way of a thimble.

    If you were to increase the /28 to a /25 and then reduce each /24 to a /27 you'd have enough IP addresses for a 1:1 mapping.  At that point I'd suggest you ask yourself why you're doing a 1:1 for each RFC-1918 address when it might be smarter to give each device a real IP.

    Also, I hope the 1.1.1.1/28 address is made up.



  • Hi Cry, thanks for the answer. Maybe I'm not explaining very well what I need to do; I modified the main post.



  • So, you need:

    • Default block/deny rules on all interfaces

    • Forward 3389/TCP from the WAN interface of the external firewall to the WAN interface of the internal firewall (if it's doing NAT) and then from the WAN interface of the internal firewall to 192.168.1.101
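    What those two points boil down to in pf syntax on the inner pfSense box, written here as an added example (not from the thread or from pfSense's generated config). The interface names em0 to em3 are assumed, and it assumes the outer firewall delivers 171.11.10.10's packets to 1.1.1.2 without NATing them; if it does NAT, the source pfSense sees is the outer firewall's address and the source match below would have to be that address instead.

    ```pf
    # Interface names are assumed for this example (check Interfaces > Assign in pfSense)
    wan_if  = "em0"   # 1.1.1.2/28, faces the outer firewall at 1.1.1.1
    lan_if  = "em1"   # 192.168.1.0/24
    opt1_if = "em2"   # 192.168.2.0/24
    opt2_if = "em3"   # 192.168.3.0/24

    rdp_client = "171.11.10.10"
    rdp_server = "192.168.1.101"

    # Let a state created on one interface carry the flow out another
    set state-policy floating

    # --- NAT (translation happens before filtering) ---
    # Port forward: RDP arriving on the WAN address goes to the LAN host.
    # The outer firewall must hand 171.11.10.10's packets to 1.1.1.2 un-NATed;
    # if it NATs them, the source seen here is the outer firewall, not rdp_client.
    rdr on $wan_if proto tcp from $rdp_client to ($wan_if) port 3389 -> $rdp_server port 3389

    # --- Filtering ---
    # Default deny on every interface, logged so rejected attempts are visible
    block in log all

    # Only the forwarded RDP flow is allowed in from the WAN side.
    # After rdr the destination is already 192.168.1.101.
    pass in quick on $wan_if proto tcp from $rdp_client to $rdp_server port 3389 \
        flags S/SA keep state

    # OPT1 may not reach OPT2 at all; 'quick' stops evaluation so no later
    # pass rule can override it
    block in quick on $opt1_if from 192.168.2.0/24 to 192.168.3.0/24

    # Outbound is not restricted; the state created by the pass-in rule above
    # is what lets replies and forwarded packets leave on the other interface.
    pass out keep state
    ```

    In pfSense 1.2.3 you would enter the same thing through Firewall: NAT (the port forward) and Firewall: Rules on the WAN and OPT1 tabs; anything not explicitly passed stays blocked by the default deny.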

