NAT traffic behind 3rd Party DMZ VIP

vlw

I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
Firewall:NAT:outbound
chose: manual outbound NAT generation rule
interface: 3rd Party DMZ
Source: Network 170.198.10.0/25 (my LAN network)
Destination: any
Translation: SHOULD I CHOOSE "INTERFACE ADDRESS" does that refer to the VIP of my 3rd party DMZ ?

yanosz

Hello,

@vlw:

I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
Firewall:NAT:outbound
chose: manual outbound NAT generation rule
interface: 3rd Party DMZ
Source: Network 170.198.10.0/25 (my LAN network)
Destination: any
Translation: SHOULD I CHOOSE "INTERFACE ADDRESS" does that refer to the VIP of my 3rd party DMZ ?

In theory there is no need to nat, since 170.198.10.0/25 is public, global unique range. However (if you want to - for what reason ever) - if you're up to natting all traffic to a specific VIP and not the the interface address (for what reason ever), you should translate to the vip address.
(btw. reboot the system, if no nat happens )

Btw. It's somewhat peculiar, that your lan has a public adress range, while your dmz has not… ;)

Keep smiling
yanosz

vlw

I want to use the VIP address b/c i have two pfsense firewalls.
My VIP is 192.168.64.1 w/192.168.64.2 and .3 as the interface addresses.
All these ip's are pingable. Another engineer created the VIP but when I look at the VIP page I do not see the 192.168.64.1.  How do I verify this VIP was created correctly.  Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x.  Session is initiated from my LAN.  Does it go on LAN interface or DMZ interface and how is it written, ie source/destination. Thanks.

yanosz

Hello,

@vlw:

I want to use the VIP address b/c i have two pfsense firewalls.
My VIP is 192.168.64.1 w/192.168.64.2 and .3 as the interface addresses.
All these ip's are pingable. Another engineer created the VIP but when I look at the VIP page I do not see the 192.168.64.1.  How do I verify this VIP was created correctly.

The rabbit hole is deeper, than expected ;-)
Have you read (and understood  ;D) http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29 ?

@vlw:

Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x.  Session is initiated from my LAN.  Does it go on LAN interface or DMZ interface and how is it written, ie source/destination.

Firewall rules on the incoming, outbound-nat-rules on the outgoing interface.

Keep smiling
yanosz