Localhost Rewrite
-
Hello,
Hope this is the right place to ask…
I am looking to replace a commercial firewall with a pfsense box but there is one feature that the commercial firewall has that I'm unsure how to do in pfsense (or if it can do it!)
For a situation where the firewall has two network cards (an internal LAN and a WAN connection).
WAN: 10.1.1.1
LAN: 192.168.1.1Assuming on the LAN there is a webserver with IP address 192.168.1.2.
On the commercial firewall I create a rule that maps http from the external IP (10.1.1.1) onto the webserver on 192.168.1.2.
So far so good, and more than possible with pfsense.
Lets assume that an external user (IP 5.5.5.5) attempts to connect to 10.1.1.1 port 80 they receive the website on the webserver.
The webserver sees the logs as coming from 5.5.5.5 and all is well.
However on the commercial firewall there is an option during the rule creation that allows the external mapping connection to come from the firewall LAN address (192.168.1.1) so the weblogs show the page being view by 5.5.5.5 as actually coming from 192.168.1.1. This is called localhost NAT’ting or some such option on the commercial firewall. I believe this is because it uses advanced network proxies and looks a bit deeper into the packets (even if it is just passing them).
The advantage of this in complex networks is that the LAN webserver can have a different default gateway than that of 192.168.1.1 and it still works externally.
Is this possible in pfsense and how would I go about recreating it?
Many thanks for your patience in reading this far.:-)
-
That's just doing source NAT. Manual outbound NAT lets you configure it that way.
-
Hi,
Thanks for help.
I think this is a bit more than doing source NAT as this is not outbound traffic (it's traffic from outside that needs to have it's source address rewritten and the firewall aware enough to track the connections)
I think the commercial firewall is an application firewall (with proxies for connections) if this helps.
Many thanks for assistance.
-
It's just source NAT, you can source NAT into your LAN or any other network. If you actually have a need for a reverse proxy, there are several options in packages, but it sounds like source NAT would suffice.
-
Hi thanks for assistance I really appreciate it.
Can you advise what you mean by "just a source NAT"?
I have a rule under "Firewall: NAT: Port Forward" but can't see any options that would help.
Is this the wrong place for the rule and if so can you shed some light on the right place to configure?
Many thanks,
-
Source NAT is outbound NAT.
-
Ah right so you are saying remove the rule from "Firewall: NAT: Port Forward" and add it under "Firewall: NAT: Outbound" instead.
Even though that's outbound it is what I need for this inbound requirement?
Thanks
-
You need both. port forwards translate the destination IP and/or port, outbound NAT translates the source IP.
-
Hi,
Many thanks for all your assistance (and patience).
I now understand that I need both rules (port forward and also the outbound mapping).
I had a look on the options for the outbound rules and I am, in all honesty, a bit lost in what should be put in this to apply the simple rule as per the example above.
Trying not to be high maintanence, but genuinely lost on what config is required to do this with pfsense…