NAT traffic behind 3rd Party DMZ VIP
-
I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface, which is 192.168.64.1. In other words, if a user behind my LAN interface with a source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
Firewall:NAT:outbound
chose: manual outbound NAT generation rule
interface: 3rd Party DMZ
Source: Network 170.198.10.0/25 (my LAN network)
Destination: any
Translation: should I choose "Interface address"? Does that refer to the VIP of my 3rd Party DMZ? -
Hello,
@vlw:
I want to NAT all traffic that goes out my 3rd Party DMZ interface to the VIP address of my 3rd Party DMZ interface, which is 192.168.64.1. In other words, if a user behind my LAN interface with a source address of 170.198.10.20 needs to access a service on my 3rd Party DMZ, his source address of 170.198.10.20 will get translated to 192.168.64.1. I did the following:
Firewall:NAT:outbound
chose: manual outbound NAT generation rule
interface: 3rd Party DMZ
Source: Network 170.198.10.0/25 (my LAN network)
Destination: any
Translation: should I choose "Interface address"? Does that refer to the VIP of my 3rd Party DMZ?

In theory there is no need to NAT, since 170.198.10.0/25 is a public, globally unique range. However, if you want to (for whatever reason) NAT all traffic to a specific VIP and not to the interface address, you should translate to the VIP address.
(Btw, reboot the system if no NAT happens.) Btw, it's somewhat peculiar that your LAN has a public address range while your DMZ does not… ;)
Keep smiling
yanosz -
I want to use the VIP address b/c i have two pfsense firewalls.
My VIP is 192.168.64.1 w/192.168.64.2 and .3 as the interface addresses.
All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see 192.168.64.1. How do I verify this VIP was created correctly? Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? The session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination? Thanks. -
Hello,
@vlw:
I want to use the VIP address b/c i have two pfsense firewalls.
My VIP is 192.168.64.1 w/192.168.64.2 and .3 as the interface addresses.
All these IPs are pingable. Another engineer created the VIP, but when I look at the VIP page I do not see 192.168.64.1. How do I verify this VIP was created correctly?

The rabbit hole is deeper than expected ;-)
Have you read (and understood ;D) http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29 ?

@vlw:
Also, which interface do I put the rule on to allow the traffic from my LAN 170.198.10.0/25 to reach vendor address 167.x.x.x? The session is initiated from my LAN. Does it go on the LAN interface or the DMZ interface, and how is it written, i.e. source/destination?

Firewall rules go on the incoming interface, outbound NAT rules on the outgoing interface.
Keep smiling
yanosz
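The two checks the thread circles around (is 192.168.64.1 really a CARP VIP on the DMZ interface, and does the manual outbound NAT rule translate the LAN range to that VIP rather than to the node's own interface address) can be done offline against a config.xml backup and the `ifconfig` output of each node. The script below is an added example, not code from the thread or from the pfSense project; the config.xml fragment and the ifconfig text are constructed to match the addresses discussed (VIP 192.168.64.1, node addresses .2 and .3, LAN 170.198.10.0/25), and the element names (`virtualip/vip`, `nat/outbound/rule`, `target`, `subnet`) are my recollection of pfSense's config.xml layout, so compare them against a real backup before relying on them.

```python
"""Verify a pfSense CARP VIP and the manual outbound NAT rule that targets it.
Added example; the config.xml fragment and ifconfig output are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed config.xml fragment. Element names are assumed to follow
# pfSense's config.xml layout; check against a real backup.
CONFIG_XML = """<pfsense>
  <interfaces>
    <lan><if>em1</if><ipaddr>170.198.10.1</ipaddr><subnet>25</subnet></lan>
    <opt1><descr>3rd Party DMZ</descr><if>em2</if>
          <ipaddr>192.168.64.2</ipaddr><subnet>24</subnet></opt1>
  </interfaces>
  <virtualip>
    <vip><mode>carp</mode><interface>opt1</interface><vhid>64</vhid>
         <advskew>0</advskew><advbase>1</advbase>
         <subnet_bits>24</subnet_bits><subnet>192.168.64.1</subnet></vip>
  </virtualip>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule><interface>opt1</interface>
            <source><network>170.198.10.0/25</network></source>
            <destination><any/></destination>
            <target>192.168.64.1</target></rule>
    </outbound>
  </nat>
</pfsense>"""

# Constructed `ifconfig em2` output from each cluster node (FreeBSD 10+ style).
IFCONFIG_NODE_A = """em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.64.2 netmask 0xffffff00 broadcast 192.168.64.255
\tinet 192.168.64.1 netmask 0xffffff00 broadcast 192.168.64.255 vhid 64
\tcarp: MASTER vhid 64 advbase 1 advskew 0
"""
IFCONFIG_NODE_B = """em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.64.3 netmask 0xffffff00 broadcast 192.168.64.255
\tinet 192.168.64.1 netmask 0xffffff00 broadcast 192.168.64.255 vhid 64
\tcarp: BACKUP vhid 64 advbase 1 advskew 100
"""


def interface_by_descr(config_xml, descr):
    """Map a GUI interface name (e.g. '3rd Party DMZ') to its config tag (optN)."""
    for iface in ET.fromstring(config_xml).find("interfaces"):
        if iface.findtext("descr") == descr:
            return iface.tag
    return None


def carp_vips(config_xml):
    """Return {vip_address: interface_tag} for every CARP-mode VIP."""
    root = ET.fromstring(config_xml)
    return {v.findtext("subnet"): v.findtext("interface")
            for v in root.findall("./virtualip/vip") if v.findtext("mode") == "carp"}


def outbound_nat_problems(config_xml, iface, source_net, vip):
    """List reasons the setup would not translate source_net to vip on iface.
    An empty list means the VIP exists on that interface and a manual
    outbound rule on it targets the VIP (not the interface address)."""
    root = ET.fromstring(config_xml)
    problems = []
    if carp_vips(config_xml).get(vip) != iface:
        problems.append("%s is not a CARP VIP on %s" % (vip, iface))
    outbound = root.find("./nat/outbound")
    if outbound is None or outbound.findtext("mode") != "advanced":
        problems.append("outbound NAT is not in manual (advanced) mode")
        return problems
    matching = [r for r in outbound.findall("rule")
                if r.findtext("interface") == iface
                and r.findtext("source/network") == source_net
                and r.findtext("target") == vip]
    if not matching:
        problems.append("no rule on %s translating %s to %s" % (iface, source_net, vip))
    return problems


def carp_state(ifconfig_text, vip):
    """Return MASTER/BACKUP/INIT for the vhid that carries vip, or None."""
    m = re.search(r"^\s*inet %s .*vhid (\d+)$" % re.escape(vip), ifconfig_text, re.M)
    if not m:
        return None
    s = re.search(r"carp: (\w+) vhid %s\b" % m.group(1), ifconfig_text)
    return s.group(1) if s else None


def cluster_ok(node_outputs, vip):
    """Exactly one node must be MASTER, or the VIP answers from nowhere/twice."""
    states = [carp_state(t, vip) for t in node_outputs]
    return None not in states and states.count("MASTER") == 1


if __name__ == "__main__":
    dmz = interface_by_descr(CONFIG_XML, "3rd Party DMZ")
    print("DMZ interface tag:", dmz)
    print("problems:", outbound_nat_problems(CONFIG_XML, dmz, "170.198.10.0/25", "192.168.64.1"))
    print("cluster ok:", cluster_ok([IFCONFIG_NODE_A, IFCONFIG_NODE_B], "192.168.64.1"))
```

On a live box the same two facts are visible with `pfctl -sn` (the loaded NAT rules, including the translation address) and `ifconfig` (the `carp:` line per vhid). The reason to prefer the VIP over "Interface address" in a two-node cluster is that "Interface address" means the node's own .2 or .3, so the source address the vendor sees changes on failover and any state they keep per source breaks; translating to the VIP keeps it constant. Note also that pfSense expects a CARP VIP to lie in the same subnet as an address already configured on that interface, which is worth checking if the VIP does not appear on the Virtual IPs page.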