NAT traffic behind 3rd Party DMZ VIP



  • I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
    Firewall:NAT:outbound
    chose: manual outbound NAT generation rule
    interface: 3rd Party DMZ
    Source: Network 170.198.10.0/25 (my LAN network)
    Destination: any
    Translation: Should I choose "Interface Address"? Does that refer to the VIP of my 3rd Party DMZ?



  • Hello,

    @vlw:

    I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
    Firewall:NAT:outbound
    chose: manual outbound NAT generation rule
    interface: 3rd Party DMZ
    Source: Network 170.198.10.0/25 (my LAN network)
    Destination: any
    Translation: Should I choose "Interface Address"? Does that refer to the VIP of my 3rd Party DMZ?

    In theory there is no need to NAT, since 170.198.10.0/25 is a public, globally unique range. However (if you want to, for whatever reason), if you're up to NATting all traffic to a specific VIP and not the interface address (for whatever reason), you should translate to the VIP address.
    (btw. reboot the system if no NAT happens)

    Btw. It's somewhat peculiar that your LAN has a public address range, while your DMZ has not… ;)

    Keep smiling
    yanosz



  • I want to use the VIP address b/c I have two pfSense firewalls.
    My VIP is 192.168.64.1 w/ 192.168.64.2 and .3 as the interface addresses.
    All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see the 192.168.64.1. How do I verify this VIP was created correctly? Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? Session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination? Thanks.



  • Hello,

    @vlw:

    I want to use the VIP address b/c I have two pfSense firewalls.
    My VIP is 192.168.64.1 w/ 192.168.64.2 and .3 as the interface addresses.
    All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see the 192.168.64.1. How do I verify this VIP was created correctly?

    The rabbit hole is deeper, than expected ;-)
    Have you read (and understood  ;D) http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) ?

    @vlw:

    Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? Session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination?

    Firewall rules on the incoming, outbound-nat-rules on the outgoing interface.

    Keep smiling
    yanosz
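
    Putting yanosz's two answers together (translate to the VIP rather than the interface address; filter rules on the incoming interface, outbound NAT on the outgoing one) as the pf rules that pfSense ends up generating from the Outbound NAT and Rules pages. This is an added illustration, not configuration taken from the thread or from the pfSense docs; the interface names em0/em1, the TCP port 443, and the vendor host 167.0.2.10 (a placeholder for the thread's 167.x.x.x) are assumptions.

```pf
# Added example, not from the thread. Assumed names:
#   em0 = LAN, em1 = "3rd Party DMZ"
#   167.0.2.10 = placeholder for the vendor host the thread calls 167.x.x.x
lan_if  = "em0"
dmz_if  = "em1"
lan_net = "170.198.10.0/25"
dmz_vip = "192.168.64.1"      # CARP VIP shared by both firewalls
vendor  = "167.0.2.10"        # placeholder vendor address

# Outbound NAT goes on the OUTGOING interface (the DMZ side).
# "(em1)" would be pfSense's "Interface Address", i.e. this box's own
# .2 or .3; translating to the VIP instead means the vendor always
# replies to the address that moves with CARP master status, so the
# translation keeps working after a failover.
nat on $dmz_if from $lan_net to any -> $dmz_vip

# Filter rules go on the INCOMING interface (LAN). They match the packet
# as it arrives, so they are written with the untranslated 170.198.10.x
# source and the real vendor destination.
block in log on $lan_if from $lan_net to $vendor
pass  in on $lan_if proto tcp from $lan_net to $vendor port 443 keep state
```

    To check the result on the box: `pfctl -s nat` lists the NAT rules pfSense actually loaded, `pfctl -s state` shows established sessions with the translated 192.168.64.1 source on the DMZ side, and `ifconfig` shows the CARP VIP (as a carpN interface or as a carp: line on em1, depending on the FreeBSD version); Status > CARP (failover) in the web GUI shows the same VIP and whether this node is MASTER or BACKUP. If 192.168.64.1 does not appear in any of these, the VIP was not created on this node.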

