    NAT to a device with gw pointing to a different FW

    • S
      sbkom last edited by

      Hi,

      I am new to the forum. I went through the posted messages but couldn't find the answer to my problem:

      We have a network behind a firewall. I am trying to set up pfSense as a second firewall. I have done the same thing with Linux, and it works, but we want to have pfSense as the standard in the company.

      Internally, all devices have their default gateway pointing to the main firewall's LAN IP. From a second FW, I try to configure NAT to a PC (let's say MS-RDP=3389). Unless I change the default GW of the devices to the LAN interface of the second firewall, the NAT doesn't work. Changing the default GW or adding a secondary GW to all machines is (let's say) impractical. How can I do that?

      In pfSense, I tried to add a virtual IP and set up a NAT, and played unsuccessfully with the Outbound NAT static options etc.

      FYI, in Linux iptables the following commands do the trick:

      # temporarily drop the public address from eth0 while the rules are inserted
      /sbin/ip addr del dev eth0 100.11.22.33
      # DNAT: traffic arriving for 100.11.22.33:3389 is redirected to the RDP host
      $IPTABLES -t nat -I PREROUTING -p tcp -d 100.11.22.33 --dport 3389 -j DNAT --to 172.16.8.171:3389
      # SNAT: the RDP host sees this firewall's LAN IP as the source, so it replies here
      $IPTABLES -t nat -A POSTROUTING -p tcp -d 172.16.8.171 -j SNAT --to 172.16.8.2
      # allow the forwarded new connections in both directions
      $IPTABLES -I FORWARD -p tcp -i eth0 -d 172.16.8.171 -m state --state NEW -j ACCEPT
      $IPTABLES -I FORWARD -p tcp -o eth1 -d 100.11.22.33 -m state --state NEW -j ACCEPT
      # put the public address back on eth0
      /sbin/ip addr add dev eth0 100.11.22.33

      where 172.16.8.2 is the LAN IP of the secondary firewall running this rule, and the primary firewall's LAN (as well as the default gateway for all internal devices) is 172.16.8.1

      From outside, I can use RDP by typing 100.11.22.33.

      Thank you in advance.

      sbkom

      • E
        Efonnes last edited by

        On the second firewall, add an outbound NAT rule for LAN with the target of the port forward specified for the destination on the outbound NAT rule.  This way it will see the second firewall's LAN IP as the source and reply to it directly instead of trying to reply through the default gateway.

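The reason the plain port forward fails, and why the outbound NAT rule on LAN fixes it, is easier to see by tracing one connection. The following is an added simulation written for this thread, not pfSense or iptables code: it uses the addresses from the posts (172.16.8.1 primary gateway, 172.16.8.2 second firewall LAN, 100.11.22.33 its public address, 172.16.8.171 the RDP host), a constructed external client 203.0.113.10, a constructed NAT source port, and the assumption that the primary firewall is stateful and holds no state for a SYN it never saw.

```python
"""Trace a TCP SYN through the second firewall's port forward and follow the
RDP host's reply according to the host's own routing table, with and without
an outbound NAT rule on the second firewall's LAN interface."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the thread; CLIENT and NAT_SPORT are constructed for the example.
PRIMARY_FW_LAN = "172.16.8.1"    # default gateway of every internal host
SECOND_FW_LAN = "172.16.8.2"     # pfSense (second firewall) LAN address
SECOND_FW_WAN = "100.11.22.33"   # public address that is port-forwarded
RDP_HOST = "172.16.8.171"        # target of the port forward
CLIENT = "203.0.113.10"          # constructed external client (TEST-NET-3 range)
NAT_SPORT = 40000                # constructed source port picked by outbound NAT
LAN = ipaddress.ip_network("172.16.8.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class SecondFirewall:
    """Port forward WAN:3389 -> RDP_HOST:3389, optionally with outbound NAT on LAN."""

    def __init__(self, outbound_nat_on_lan: bool):
        self.outbound_nat_on_lan = outbound_nat_on_lan
        # state table: the 4-tuple the LAN side saw -> the client's original packet
        self.state: Dict[Tuple[str, int, str, int], Packet] = {}

    def forward_in(self, pkt: Packet) -> Packet:
        """Apply the port forward (DNAT) and, if enabled, the outbound NAT (SNAT)."""
        assert pkt.dst == SECOND_FW_WAN and pkt.dport == 3389
        forwarded = Packet(pkt.src, pkt.sport, RDP_HOST, 3389)  # DNAT only
        if self.outbound_nat_on_lan:
            # Efonnes' fix: the RDP host now sees the second firewall's LAN IP
            # as the peer, so its reply is on-link and never touches the gateway
            forwarded = Packet(SECOND_FW_LAN, NAT_SPORT, RDP_HOST, 3389)
        self.state[(forwarded.dst, forwarded.dport, forwarded.src, forwarded.sport)] = pkt
        return forwarded

    def forward_out(self, reply: Packet) -> Optional[Packet]:
        """Undo both translations for a reply arriving on LAN; None if no state."""
        original = self.state.get((reply.src, reply.sport, reply.dst, reply.dport))
        if original is None:
            return None
        return Packet(SECOND_FW_WAN, 3389, original.src, original.sport)


def next_hop_from_rdp_host(pkt: Packet) -> str:
    """The RDP host's routing: on-link for 172.16.8.0/24, else its default gateway."""
    if ipaddress.ip_address(pkt.dst) in LAN:
        return pkt.dst
    return PRIMARY_FW_LAN


def trace_rdp_connection(outbound_nat_on_lan: bool) -> dict:
    """Return which firewall carries the reply and what the client receives."""
    fw2 = SecondFirewall(outbound_nat_on_lan)
    syn = Packet(CLIENT, 51000, SECOND_FW_WAN, 3389)
    seen_by_host = fw2.forward_in(syn)
    # The host answers whatever source address it saw on the SYN
    syn_ack = Packet(RDP_HOST, 3389, seen_by_host.src, seen_by_host.sport)
    hop = next_hop_from_rdp_host(syn_ack)
    if hop == SECOND_FW_LAN:
        # The reply returns through the firewall that holds the state
        return {"reply_via": "second_fw", "to_client": fw2.forward_out(syn_ack)}
    # Without outbound NAT the reply goes to 172.16.8.1, which never saw the SYN
    # and has no state for the flow: the client never gets a SYN-ACK from
    # 100.11.22.33 and the connection hangs (assumed stateful primary firewall)
    return {"reply_via": "primary_fw", "to_client": None}


if __name__ == "__main__":
    for nat in (False, True):
        print(f"outbound NAT on LAN={nat}: {trace_rdp_connection(nat)}")
```

The cost of the fix is visible in the model too: with the outbound NAT rule in place the RDP host only ever sees 172.16.8.2 as the client address, so its own logs no longer show the real external source; the second firewall's state table is the place to look for it.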
        • S
          sbkom last edited by

          Thank you for your response Efonnes,

          To clarify:

          -On the Outbound NAT tab (Firewall:NAT:Outbound:Edit):
          Interface=LAN
          Protocol=any
          Source type=Any
          Source port=Any
          Destination type=Network
          Destination Address=172.16.8.171/32
          Destination Port=Any
          Translation Address=Interface Address
          Port=Any
          Static-port=Not checked
          No XMLRPC Sync=Not Checked

          (Is it supposed to be like this? The above conf didn't work.) deleted

          Edited: After changing the rule to manual config mode and saving, it worked.

          Thank you very much.

          SbKom
