NAT 1:1 of Port forward?



  • I am running pfSense 2.0 and have an SMTP gateway that is in my DMZ and need to NAT or port forward SMTP to it.

    My firewall uses a simple config: 4 interfaces… WAN, DMZ, LAN and Management. I'd like to have all traffic destined for a specific external IP address NAT'd to an internal IP on my DMZ. I've tried configuring both NAT and Port forwarding w/o success. Which is recommended? Which is easier? Where can I find good instructions for the 2.0 pfsense nat/port forwarding functionality?

    My SMTP server uses a routable IP that is different than the IP used by the firewall/gateway (but part of the same /29). Mail needs to be NAT'd from the routable IP (the MX entry points to this IP) to the DMZ SMTP server IP (non-routable IP) for spam check/content filtering and then forwarded to my mail server on my LAN (a different non-routable IP). Each segment of the network is on a separate Cisco switch (no VLANs/routing/etc. on the switches, just a simple config).

    My ISP's router is connected to the pfSense firewall WAN interface. The LAN and DMZ interfaces connect to Cisco switches. The LAN/WAN and DMZ can all access the web. I can send traffic between segments (if I have the correct firewall rule in place). I can send email from the DMZ (SMTP) system; I just cannot get NAT to work properly. I followed the guide in the FAQ area to the "T" and am not sure what I'm missing. If I have my firewall's IP (the FW is also my gateway), the routable SMTP (MX) IP, the non-routable DMZ SMTP server IP and my ISP router IP... how should I set up the NAT or port forwarding rule? Do I need a virtual interface, firewall rule and the 1:1 NAT rule? How does it all work?

    Any assistance is appreciated! Thanks!



  • It sounds like you'll need a couple of different things, for different purposes. When you're trying to expose a service to the web, such as a web server, then all you typically need is to create a NAT entry. Specify the IP on the WAN interface that will be used, and the internal IP hosting the web server, etc. The NAT rule creation will also create the necessary firewall rule, it's quite handy that way.

    Under normal circumstances, all computers behind your pfSense firewall will present themselves to the web-at-large as the IP address of your WAN interface. This can be changed by going to the Advanced Outbound NAT tab. Here you can set up specific rules, so that specific hosts (or groups of hosts) present themselves using a different IP address (which would need to be bound to your WAN interface; see Virtual IPs, on the Firewall menu).

    1:1 NAT is essentially a combination of these 2 methods. It lets you (in 1 action) create a rule that maps an internal host with an external IP, inbound and outbound. When creating a 1:1 NAT rule, you will need to create a firewall rule to allow the desired traffic. 1:1 rules are what you need when you want to set up a Ping test to an internal switch, for example… or often in the case of mail servers, where you've been given a specific IP for your mail server to use.

    Give that a try, and let us know if you still need guidance. There's a wealth of documentation on the doc.pfsense.org site.
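    The three mechanisms described in the reply above (port forward, outbound NAT, 1:1 NAT) and the firewall rule that 1:1 NAT does not create for you, written out as the pf rules that pfSense 2.0 generates behind its GUI. This is an added example, not the poster's configuration or a file shipped by the pfSense project; the interface names and every address below are constructed placeholders, and the mail-server address on the LAN is assumed for the DMZ-to-LAN hop the question mentions.

```pf
# Constructed placeholders (not from the thread). The MX address is a second
# routable IP in the same /29 as the firewall's WAN address, so in the GUI it
# must first exist as a Virtual IP on WAN before NAT can use it.
wan_if   = "em0"
dmz_if   = "em1"
wan_ip   = "203.0.113.10"   # firewall/gateway's own WAN address
mx_vip   = "203.0.113.11"   # routable IP the MX record points at (Virtual IP on WAN)
smtp_dmz = "10.10.20.25"    # non-routable SMTP gateway in the DMZ
mail_lan = "10.10.10.25"    # assumed non-routable mail server on the LAN

# --- Option A: port forward (Firewall > NAT > Port Forward) -----------------
# Only TCP/25 to the MX address is rewritten to the DMZ host; nothing else on
# that IP reaches the DMZ. pfSense also emits the matching pass rule for this.
rdr on $wan_if proto tcp from any to $mx_vip port 25 -> $smtp_dmz port 25

# --- Default outbound NAT (Firewall > NAT > Outbound) ----------------------
# Everything behind the firewall leaves as the WAN address unless a more
# specific rule (or a 1:1 mapping) says otherwise.
nat on $wan_if from 10.10.0.0/16 to any -> $wan_ip

# --- Option B: 1:1 NAT (Firewall > NAT > 1:1) --------------------------------
# One rule maps the DMZ host to the MX address in both directions: inbound
# traffic to $mx_vip (all ports) is translated to $smtp_dmz, and outbound mail
# from $smtp_dmz leaves as $mx_vip, which is what a receiving MTA expects to
# see when it checks the sending IP against the MX/SPF records.
# Use A or B, not both, for the same host and address.
binat on $wan_if from $smtp_dmz to any -> $mx_vip

# --- Firewall rules -----------------------------------------------------------
# pf filters AFTER translation, so the WAN pass rule names the internal host,
# not the public MX address. 1:1 NAT exposes every port of $smtp_dmz to this
# filter, so keep the rule to the one port the gateway actually serves.
pass in quick on $wan_if proto tcp from any to $smtp_dmz port 25 flags S/SA keep state

# DMZ -> LAN hop needs no NAT at all, only a pass rule on the DMZ interface
# limited to the filtered gateway talking to the internal mail server on 25.
pass in quick on $dmz_if proto tcp from $smtp_dmz to $mail_lan port 25 flags S/SA keep state
```

    To confirm which translation is actually loaded after saving in the GUI, `pfctl -s nat` lists the active rdr/nat/binat rules and `pfctl -s state | grep :25` shows whether an inbound SMTP connection was translated to the DMZ address.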



  • Awesome! Will do. I'll keep you posted (later today). Thanks!



  • Nice! It worked. The GUI for creating the 1:1 NAT was not as clear (at least for me) as it could have been. I had trouble figuring out what the different fields were. If there is a document that clearly defines these fields for pfSense 2.0, that would be great. Thanks much for the assistance!!



  • Oh, and the creation of the rule to allow/pass traffic from the WAN to the DMZ was tricky (not sure I did it the best way possible). At least it works now!



  • Glad to hear it! Feel free to contribute to the Documentation yourself now that you've figured a few things out :)

