4. NAT traffic behind 3rd Party DMZ VIP

NAT traffic behind 3rd Party DMZ VIP

  • V

    I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
    Firewall:NAT:outbound
    chose: manual outbound NAT generation rule
    interface: 3rd Party DMZ
    Source: Network 170.198.10.0/25 (my LAN network)
    Destination: any
    Translation: SHOULD I CHOOSE "INTERFACE ADDRESS" does that refer to the VIP of my 3rd party DMZ ?

    0
  • Y

    Hello,

    @vlw:

    I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface which is 192.168.64.1.  In other words, if a user behind my LAN interface with source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
    Firewall:NAT:outbound
    chose: manual outbound NAT generation rule
    interface: 3rd Party DMZ
    Source: Network 170.198.10.0/25 (my LAN network)
    Destination: any
    Translation: SHOULD I CHOOSE "INTERFACE ADDRESS" does that refer to the VIP of my 3rd party DMZ ?

    In theory there is no need to nat, since 170.198.10.0/25 is public, global unique range. However (if you want to - for what reason ever) - if you're up to natting all traffic to a specific VIP and not the the interface address (for what reason ever), you should translate to the vip address.
    (btw. reboot the system, if no nat happens )

    Btw. It's somewhat peculiar, that your lan has a public adress range, while your dmz has not… ;)

    Keep smiling
    yanosz

    0
  • V

    I want to use the VIP address b/c i have two pfsense firewalls.
    My VIP is 192.168.64.1 w/192.168.64.2 and .3 as the interface addresses.
    All these ip's are pingable. Another engineer created the VIP but when I look at the VIP page I do not see the 192.168.64.1.  How do I verify this VIP was created correctly.  Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x.  Session is initiated from my LAN.  Does it go on LAN interface or DMZ interface and how is it written, ie source/destination. Thanks.

    0
  • Y

    Hello,

    @vlw:

    I want to use the VIP address b/c i have two pfsense firewalls.
    My VIP is 192.168.64.1 w/192.168.64.2 and .3 as the interface addresses.
    All these ip's are pingable. Another engineer created the VIP but when I look at the VIP page I do not see the 192.168.64.1.  How do I verify this VIP was created correctly.

    The rabbit hole is deeper, than expected ;-)
    Have you read (and understood  ;D) http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_(CARP) ?

    @vlw:

    Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x.  Session is initiated from my LAN.  Does it go on LAN interface or DMZ interface and how is it written, ie source/destination.

    Firewall rules on the incoming, outbound-nat-rules on the outgoing interface.

    Keep smiling
    yanosz

    0
Log in to reply
 

Products

Services

Support

News

Resources

Company

Our Mission

We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2019 Rubicon Communications, LLC | Privacy Policy