1:1 NAT + Alias
-
Hello,
I have an OpenBSD 4.0 server running PF. I have a web server on the internal LAN. To be able to pull http traffic from the outside, I set up an alias to a public IP on the "external" network interface. I then put a binat rule along with a filter pass through rule into pf.conf.
I'm trying to duplicate this with pfsense. So I created an alias of type host, with let's say a public IP of 144.155.166.177. I then create a 1:1 Nat rule on the WAN interface. For the external subnet, I make it the 144.155.166.177 aliased address and leave the mask at /32. I enter 10.1.1.10 for the internal subnet. Just to be sure it's not a rule blocking it, I created a rule on the WAN interface tab which basically lets anything go.
The problem is, I don't think the alias is being created correctly, or I screwed up the 1:1 nat. The text of subnet in the 1:1 Nat tab threw me for a loop. Why would I specify a subnet? Aren't I just mapping an internal address to and external address(aliased)?
-
You don't need an alias for this but a Virtual IP instead (Interfaces>Virtual IP). A VIP type proxyARP or CARP should do. The freebsd "Interface alias" is not supported in the 1.x branch of pfSense (but already present in HEAD).
-
Cheers.
Switching it to PARP doesn't seem to do the trick. Although, I could be tripped up on the rules. Do I need to make a rule under the LAN tab, or is a rule under the WAN tab adequate?
-
- Create VIP
- Add a 1:1 NAT to it
- create firewallrules at interfaces WAN for traffic to pass (usually from source any to destination internal IP of 1:1 target, protocol and port as desired)
If it doesn't work make sure some an old ARP cache of the router/device in front of you does not play tricks on you. Powercycle this device to make sure. If that doesn't help try a CARP VIP.
-
CARP seems to have done the trick. Cheers.
-
Spoke too soon. That got the IP to listen(I can ping it), but it seems like the NAT isn't working correctly. The NAT page doesn't make sense to me. Why am I putting in a subnet? Wouldn't I be putting in the external IP and the internal IP? Should I keep the netmask at /32 for single IP translations?
I can't add 144.155.166.177 with a /26 netmask. When I select /32, it forces the internal IP to be 10.1.1.60/32 when it's an 8 bit netmask(255.0.0.0).
EDIT: Never mind, dumb move on my part. The webserver I was trying to access didn't have apache running. It was unloaded. Moral of the story, make sure all your own stuff is working first!!
-
You don't need an alias for this but a Virtual IP instead (Interfaces>Virtual IP). A VIP type proxyARP or CARP should do. The freebsd "Interface alias" is not supported in the 1.x branch of pfSense (but already present in HEAD).
Untile next major release, please which is the best place to set wan interface alias?
I read several post in the forum and the best solutions seem to be http://forum.pfsense.org/index.php/topic,223.0.html
Do you agree? Have you some better solution to conseil?
Any conseil will be appreciated.
Davide.
-
If you want to have these changes backed up in your config run them by using hidden config.xml commands (see http://faq.pfsense.org/index.php?action=artikel&cat=10&id=38&artlang=en ).