1 to 1 NAT Setup and Hostnames



  • Currently we have 1 server behind a pfSense firewall, but we want to move all of the servers behind multiple firewalls.
    I am having some difficulty setting up 1:1 NAT. I am able to use port forwarding to access the 'test' web server, but not by using NAT.

    Test Setup:
    WAN: 129.10.94.6/25
    Web server (when on the network) 129.10.94.6
    Firewall: 129.10.94.104

    LAN: 192.168.1.0/24
    Web Server: 192.168.1.101
    Firewall: 192.168.1.1
    (yes I know 192 and 129 are easy to mix up!)

    Our servers have static IP addresses. What would be the best way to advertise those addresses behind a pfSense firewall?
    Thanks



  • The reason you are most likely able to access it via port forward from behind the firewall is that you have NAT reflection turned on. If you have that disabled, you will only be able to access it from outside the network. I would use split-brain DNS or a separate DNS server that hands out internal addresses when you call them by DNS name. So, if you go to www.your1stdomain.com, it would resolve to 192.168.1.101 and not the external address of 129.10.94.6. 1:1 NAT would work well for outside access but not internal.



  • Thank you, although my company's policy does not allow our department to have a DNS server. I can at least spoof / change the registered MAC address. As long as the server has multiple interfaces, we should be fine.

    Thanks!



  • You can use the DNS forwarder as a DNS server for only the system behind it and have it hand out local addresses for certain hosts. You can then have pfSense use your official company DNS servers to resolve everything else. Good luck though if you still cannot make use of that.



  • I am slightly confused. pfSense would hand out 192.168.x.x addresses and hostnames?

    I think it's forwarding all the DNS requests to our server? How would I do this?

    Thanks



  • At the bottom of the DNS forwarder there is a host and domain override that you can use to override the queries for certain host names or full domains.
    Yes, pfSense would override an internet-routable IP with a private IP. Anything that is not in the host or domain overrides is passed through without modification.



  • I'm still confused. What I want to do is have an outside address (1:1 NAT) for one of the servers.
    Which might not be possible since we have MAC filtering? Is there any way for the server's MAC address to go to the company's DNS server? (DNS forwarding: I'm not sure what to do; note that it's been enabled by default.)

    Ideally I should be able to ping the router's public ip address and the server's public ip address.
    So I think that's what I want to do, yet so far I haven't been able to set up 1:1 NAT, only port forwarding.
    :-\



  • Are you trying to access the servers from a system in the LAN or from outside the WAN?



  • Outside the WAN (public IP addresses)



  • My apologies, I thought you were trying to access from within the network.
    In that case, when you remove the port forward, it probably removes the linked FW rule. For a 1:1 NAT, once you create the NAT, you have to go into the WAN rules and set up a rule to pass the traffic to the internal address. Do you have that rule created?



  • Actually I don't have the NAT rule set up.

    I have a few questions (see post above for IP addresses)

    The external subnet ID would be 129.10.94.0?
    Internal IP (web server's) would be 192.168.1.101?
    Destination would be any? Or would it be 129.10.94.6?

    Thanks!



  • This is the firewall rule on the WAN interface. If not mentioned … leave default.
    Source: Any
    Source port: Any
    Destination: 192.168.1.101
    Dest. Port: (80 .. 25 .. 443 ... and so on)

    On the 1:1 NAT
    external subnet ID would be 129.10.94.6
    Internal IP (web server's) would be 192.168.1.101 as a single host.

    Destination would be any? Or would it be 129.10.94.6?

    Leave this blank/default.
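The reply above gives the two halves of a pfSense 1:1 NAT (the NAT entry and the WAN firewall rule) as GUI fields. The following is an added example, not code from the thread or from pfSense, that models those two halves with the thread's own addresses: it writes them out as the pf `binat` and `pass` rules they correspond to, walks one constructed inbound packet through translation and then filtering (pf translates before it filters, which is why the WAN rule's destination has to be the internal 192.168.1.101 and not 129.10.94.6), and flags the one extra piece a practitioner usually trips over. The external address 129.10.94.6 sits on the same /25 as the firewall's WAN address 129.10.94.104, so nothing answers ARP for it until a Virtual IP (Proxy ARP or IP Alias) is added on WAN; a routed external address needs an upstream route instead. The interface name `em0`, the packet dictionaries and the client address are assumptions made for the example.

```python
import ipaddress

# Addresses copied from the thread's test setup; the interface name is an assumption.
WAN_IF = "em0"                    # assumed pfSense WAN interface name
WAN_SUBNET = "129.10.94.0/25"     # the /25 the WAN sits in
FW_WAN_IP = "129.10.94.104"       # pfSense WAN address
EXTERNAL_IP = "129.10.94.6"       # public address to be mapped 1:1
INTERNAL_IP = "192.168.1.101"     # the web server on the LAN
TCP_PORTS = (80, 443)


def plan_one_to_one(wan_if, wan_subnet, fw_wan_ip, external_ip, internal_ip, tcp_ports):
    """Return the pf rules a 1:1 NAT entry plus its WAN pass rule correspond to,
    and flag whether the external address needs a Virtual IP on WAN."""
    net = ipaddress.ip_network(wan_subnet, strict=False)
    ext = ipaddress.ip_address(external_ip)
    # An external address on the WAN subnet that is not the interface's own
    # address is unreachable until the firewall answers ARP for it, which is
    # what a Proxy ARP / IP Alias Virtual IP does.  An address outside the WAN
    # subnet must instead be routed to fw_wan_ip by the upstream router.
    on_wan_subnet = ext in net
    needs_vip = on_wan_subnet and ext != ipaddress.ip_address(fw_wan_ip)
    ports = " ".join(str(p) for p in tcp_ports)
    rules = {
        # 1:1 NAT is bidirectional: pf expresses it as binat.
        "binat": f"binat on {wan_if} from {internal_ip} to any -> {external_ip}",
        # Filtering happens after translation, so the WAN pass rule names the
        # INTERNAL address, exactly as the reply above says.
        "pass": f"pass in quick on {wan_if} proto tcp from any to {internal_ip} port {{ {ports} }}",
    }
    return {"needs_virtual_ip": needs_vip, "routed_address": not on_wan_subnet, "rules": rules}


def translate(pkt, external_ip, internal_ip):
    """Apply the 1:1 mapping to one packet (a dict with dir/src/dst/dport)."""
    out = dict(pkt)
    if pkt["dir"] == "in" and pkt["dst"] == external_ip:
        out["dst"] = internal_ip          # inbound: rewrite destination
    elif pkt["dir"] == "out" and pkt["src"] == internal_ip:
        out["src"] = external_ip          # outbound: rewrite source
    return out


def wan_pass(pkt, rule_dst, tcp_ports):
    """Evaluate the WAN pass rule against a packet as pf sees it, i.e. after NAT."""
    return pkt["dir"] == "in" and pkt["dst"] == rule_dst and pkt["dport"] in tcp_ports


def inbound_allowed(pkt, external_ip, internal_ip, rule_dst, tcp_ports):
    """Whole inbound path on WAN: translate first, then filter."""
    return wan_pass(translate(pkt, external_ip, internal_ip), rule_dst, tcp_ports)


if __name__ == "__main__":
    plan = plan_one_to_one(WAN_IF, WAN_SUBNET, FW_WAN_IP, EXTERNAL_IP, INTERNAL_IP, TCP_PORTS)
    for rule in plan["rules"].values():
        print(rule)
    print("Virtual IP needed on WAN:", plan["needs_virtual_ip"])
    # Constructed packet: an outside client connecting to the server's public address.
    client = {"dir": "in", "src": "203.0.113.9", "dst": EXTERNAL_IP, "dport": 80}
    print("WAN rule dst = internal IP:", inbound_allowed(client, EXTERNAL_IP, INTERNAL_IP, INTERNAL_IP, TCP_PORTS))
    print("WAN rule dst = external IP:", inbound_allowed(client, EXTERNAL_IP, INTERNAL_IP, EXTERNAL_IP, TCP_PORTS))
```

Running it prints the two pf rules and shows the same client packet passing when the WAN rule's destination is 192.168.1.101 and being dropped when it is 129.10.94.6. The generated lines are in the syntax pfSense writes to /tmp/rules.debug, so they can be compared against that file on the firewall; the Virtual IP flag is the check to make before assuming the NAT entry or the rule is at fault.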



  • Even after resetting to factory default, I still can't make it work.

    I determined that my company's MAC address filtering is to blame, anyway we have found a way around this.

    Thanks!

