Multiple Public IP NAT to multiple webservers



  • Hi,

    After hitting a lot of issues with outbound PPTP on 2.0 Beta, we've rolled back to the following release:

    1.2.3-RELEASE
    built on Sun Dec 6 23:21:36 EST 2009

    However, we've hit the same issue that we upgraded to 2.0 to fix, namely we can't get to one of our internal webservers from the internet.

    We have 4 public IPs - one is the default WAN connection, and the other 3 are set up as PARP VIPs.  We only run LAN and OPT1 networks. The LAN has 2 webservers, 1 is assigned the default WAN public IP and the other assigned one of the VIPs - NAT & firewall rules set up for both of them.  The OPT1 interface also has a webserver sat behind it, again with a VIP assigned and appropriate NAT & firewall rules set up.

    I can access all the webservers externally, except the one with a VIP that sits on the LAN.

    So for illustration purposes we have the following:

    Default WAN IP: 94.123.123.1
    PARP 1: 94.123.123.2
    PARP 2: 94.123.123.3
    PARP 3: 94.123.123.4

    webserver 1 on 192.168.25.16
    webserver 2 on 192.168.25.14
    webserver 3 on 192.168.20.251 (OPT1 interface)

    I have NAT rules allowing:

    443 to 192.168.25.16  (ext 94.123.123.1)
    80 to 192.168.25.14  (ext 94.123.123.2)
    80 to 192.168.20.251 (ext 94.123.123.3)

    and associated firewall rules allowing port 80 and 443 through to the appropriate boxes.

    I can access all the webservers apart from the second one on the LAN - there are no errors in the firewall log, so is it a NAT issue - is this a known bug?

    All help very much appreciated…

    Thanks

    Jake



  • Just as an update - I've found that if I do a NAT translation on my default WAN address from port 8181 to port 80 and forward that as well to my problematic webserver, everything works as it should.

    So I guess then pfSense has a limitation - if you are already forwarding traffic from one public IP to a network, you can't then forward traffic from a different public IP to the same network (in my case my LAN).

    Is this documented anywhere?

    Thanks

    Jake


  • Rebel Alliance Developer Netgate

    That same setup has worked fine for others, can't say offhand why it might have been problematic for you there. Are you sure anything forwarded to that particular public IP worked, no matter what its destination?



  • Hi There

    I need to do the exact same thing!

    How did you get this working in pfSense 2.0, as I cannot for the life of me get it to work?

    My aim: To get my multi WAN IPs forwarding to various webservers listening on port 80.

    I have: default WAN IP 0.0.0.1

    Virtual WAN IPs (PARP) 0.0.0.2, 0.0.0.3, 0.0.0.4, 0.0.0.5, 0.0.0.6

    Do I need to add 1:1 NAT rules and then add manual firewall walls? I tried this and I seem to get NAT issues and it isn't natting to the right server. Does someone have screenshots for this, as I simply cannot get it working and would greatly appreciate some assistance on this.

    Even when I clear all of the rules and NATs to start over, my pfSense still forwards port 80 on one of the webservers even when it's told specifically to look to another. No idea how, even when all the rules are deleted.

    Help would be greatly appreciated.
    Also, I need it to NAT for outbound and inbound. Therefore the WAN IP must be for outbound and inbound on its static IP, as I could get it to route VIPs inbound but not for outbound too. For this to work I had to configure it differently. Didn't even use 1:1 NAT for this.

    Thanks in advance all

    Regards

    Dan



  • Forgot to add:

    One physical WAN interface and 1 physical LAN interface. Can add more if this is required for it to work correctly.

    Dan



  • Hi All

    You'll be pleased to hear I got this working with my 8x static IP addresses.

    Works a charm... Gotta love pfSense 2.0

    Regards

    Dan  ;D ;D :P



  • Ok if you get it to work please mention how



  • @dko:

    Ok if you get it to work please mention how

    Are you running pfSense 2.0 or 1.2.3? I am running this on 2.0.

    Daniel



  • I will post a guide on how I got this working for me.

