    NAT traffic behind 3rd Party DMZ VIP

vlw:

I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface, which is 192.168.64.1. In other words, if a user behind my LAN interface with source address 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
Firewall:NAT:outbound
chose: manual outbound NAT generation rule
interface: 3rd Party DMZ
Source: Network 170.198.10.0/25 (my LAN network)
Destination: any
Translation: SHOULD I CHOOSE "INTERFACE ADDRESS"? Does that refer to the VIP of my 3rd Party DMZ?


yanosz:

        Hello,

        @vlw:

I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface, which is 192.168.64.1. In other words, if a user behind my LAN interface with source address 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
Firewall:NAT:outbound
chose: manual outbound NAT generation rule
interface: 3rd Party DMZ
Source: Network 170.198.10.0/25 (my LAN network)
Destination: any
Translation: SHOULD I CHOOSE "INTERFACE ADDRESS"? Does that refer to the VIP of my 3rd Party DMZ?

In theory there is no need to NAT, since 170.198.10.0/25 is a public, globally unique range. However (if you want to, for whatever reason), if you're up to NATting all traffic to a specific VIP and not the interface address (for whatever reason), you should translate to the VIP address.
(btw. reboot the system if no NAT happens)

Btw. It's somewhat peculiar that your LAN has a public address range while your DMZ has not… ;)

        Keep smiling
        yanosz


vlw:

I want to use the VIP address b/c I have two pfSense firewalls.
My VIP is 192.168.64.1 w/ 192.168.64.2 and .3 as the interface addresses.
All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see the 192.168.64.1. How do I verify this VIP was created correctly? Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? The session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination? Thanks.


yanosz:

            Hello,

            @vlw:

I want to use the VIP address b/c I have two pfSense firewalls.
My VIP is 192.168.64.1 w/ 192.168.64.2 and .3 as the interface addresses.
All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see the 192.168.64.1. How do I verify this VIP was created correctly?

The rabbit hole is deeper than expected ;-)
Have you read (and understood ;D) http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29 ?

            @vlw:

Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? The session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination?

            Firewall rules on the incoming, outbound-nat-rules on the outgoing interface.

            Keep smiling
            yanosz

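For readers who want to see what the two answers above amount to in pf terms, here is an added example (written for this page, not taken from the thread or from pfSense itself) of the rules behind the GUI settings: outbound NAT on the outgoing DMZ interface translating to the CARP VIP, and the filter rule on the incoming LAN interface. Interface names and the vendor address are assumptions; the thread masks the vendor as 167.x.x.x, so a documentation address stands in for it.

```pf
# Added example, not the thread's own config. Assumed interface names; the
# vendor address is a placeholder (the thread only shows it as 167.x.x.x).
lan_if      = "em0"                # assumed: LAN interface
dmz_if      = "em1"                # assumed: "3rd Party DMZ" interface
lan_net     = "170.198.10.0/25"    # LAN network from the thread
dmz_vip     = "192.168.64.1"       # CARP VIP shared by both pfSense nodes
vendor_host = "203.0.113.10"       # placeholder for the masked 167.x.x.x

# Outbound NAT belongs on the OUTGOING interface (the DMZ). The translation
# target is the VIP, not the node's own address (.2 or .3, which is what the
# GUI's "Interface Address" choice means): the VIP moves with CARP failover,
# a per-node address does not, so sessions would break after a failover.
# This rule only does what you expect if 192.168.64.1 is actually configured
# as a CARP VIP on $dmz_if; check Firewall > Virtual IPs on both nodes.
nat on $dmz_if inet from $lan_net to any -> $dmz_vip

# Filter rules belong on the INCOMING interface (where the session enters,
# here the LAN). Restrict it to the vendor host and service actually needed
# rather than "any"; pf evaluates the filter before NAT rewrites the source,
# so the rule matches the original 170.198.10.x address.
pass in quick on $lan_if inet proto tcp from $lan_net to $vendor_host port 443 keep state
block in quick on $lan_if inet from $lan_net to $vendor_host
```

After loading, `pfctl -s nat` and `pfctl -s rules` show whether the NAT and filter rules were installed, and `pfctl -s state` shows the translated source once a session is up.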