NAT to a device with gw pointing to a different FW
sbkom last edited by
I am new to the forum. I went through the posted messages but couldn't find the answer to my problem:
We have a network behind a firewall. I am trying to set up pfSense as a second firewall. I have done the same thing with Linux, and it works, but we want to have pfSense as the standard in the company.
Internally, all devices have their default gateway pointing to the main firewall's LAN IP. From the second FW, I am trying to configure NAT to a PC (let's say MS-RDP, port 3389). Unless I change the default GW of the devices to the LAN interface of the second firewall, the NAT doesn't work. Changing the default GW or adding a secondary GW on all machines is (let's say) impractical. How can I do that?
In pfSense, I tried to add a virtual IP and set up a NAT, and played unsuccessfully with the Outbound NAT static options etc.
FYI, in Linux iptables the following commands do the trick:
# $IPTABLES is assumed to hold the path of the iptables binary, e.g. /sbin/iptables
# temporarily drop the public address so the rules are in place before it answers
/sbin/ip addr del dev eth0 22.214.171.124
# port forward: incoming RDP on the public address goes to the internal PC
$IPTABLES -I PREROUTING -p tcp -t nat -d 126.96.36.199 --dport 3389 -j DNAT --to 172.16.8.171:3389
# source NAT: the PC sees this firewall's LAN IP as the client, so replies come back here
$IPTABLES -A POSTROUTING -p tcp -t nat -d 172.16.8.171 -j SNAT --to 172.16.8.2
# allow the new forwarded connections through
$IPTABLES -I FORWARD -p tcp -i eth0 -d 172.16.8.171 -m state --state NEW -j ACCEPT
$IPTABLES -I FORWARD -p tcp -o eth1 -d 188.8.131.52 -m state --state NEW -j ACCEPT
# re-add the public address
/sbin/ip addr add dev eth0 184.108.40.206
where 172.16.8.2 is the LAN IP of the secondary firewall running this rule, and the primary firewall's LAN (as well as the default gateway for all internal devices) is 172.16.8.1
From outside, I can use RDP by connecting to 220.127.116.11.
Thank you in advance.
ShadowFlare last edited by
On the second firewall, add an outbound NAT rule for LAN with the target of the port forward specified for the destination on the outbound NAT rule. This way it will see the second firewall's LAN IP as the source and reply to it directly instead of trying to reply through the default gateway.
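As an added illustration (not part of the thread or of pfSense), a small Python model of the asymmetric-routing problem described above: the addresses are those from the question, and the external client address 203.0.113.5 is a constructed placeholder.

```python
"""Why the second firewall needs outbound NAT (SNAT) on top of the port forward.

Addresses from the question: 172.16.8.1 is the primary firewall and every host's
default gateway, 172.16.8.2 the second firewall's LAN IP, 172.16.8.171 the RDP host.
203.0.113.5 is a constructed placeholder for the external client.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("172.16.8.0/24")
PRIMARY_FW = "172.16.8.1"   # default gateway of all internal devices
SECOND_FW = "172.16.8.2"    # pfSense LAN address
RDP_HOST = "172.16.8.171"   # port-forward target
CLIENT = "203.0.113.5"      # constructed external client (placeholder)


def host_next_hop(dst: str) -> str:
    """Routing decision of an internal host: deliver directly on its own
    subnet, otherwise send to the default gateway (the primary firewall)."""
    return dst if ip_address(dst) in LAN else PRIMARY_FW


def second_fw_inbound(src: str, outbound_nat: bool) -> tuple[str, str]:
    """Translate an inbound client packet on the second firewall.
    The port forward rewrites the destination to the RDP host (DNAT).
    With outbound_nat=True the LAN outbound NAT rule, scoped to the
    port-forward target, also rewrites the source to the firewall's LAN IP."""
    new_dst = RDP_HOST
    new_src = SECOND_FW if (outbound_nat and new_dst == RDP_HOST) else src
    return new_src, new_dst


def reply_path(outbound_nat: bool) -> str:
    """Trace where the RDP host's SYN-ACK ends up. The host answers the source
    address it saw in the SYN; only the second firewall holds the NAT state."""
    seen_src, _ = second_fw_inbound(CLIENT, outbound_nat)
    hop = host_next_hop(seen_src)
    if hop == SECOND_FW:
        # The second firewall matches its NAT state and un-translates the reply.
        return "second firewall"
    # The reply went to the default gateway, which never saw the SYN;
    # a stateful firewall has no matching connection and drops it.
    return "primary firewall"


if __name__ == "__main__":
    for flag in (False, True):
        print(f"outbound NAT={flag}: reply reaches {reply_path(flag)}")
```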
sbkom last edited by
Thank you for your response, Efonne.
-On the Outbound NAT tab (Firewall:NAT:Outbound:Edit):
Translation Address=Interface Address
No XMLRPC Sync=Not Checked
(Is it supposed to be like this? The above config didn't work.) deleted
Edited: After changing the rule to manual config mode and saving, it worked.
Thank you very much.