WAN Access to OPT1



  • They say a picture is worth a 1000 words, I just hope my picture isn't too complex. In words, this is what I need help with:

    I currently have a "toy" wireless router, bought from NewEgg, that is configured with a DMZ that forwards all traffic to an internal 192.168.X.X IP address.  The problem is I have outgrown this router and need something with a little bit of horse power, ie pfSense.  My ISP has given me a range of IP addresses, 123123.123.123 /29, and is routing them to me.

    I have the psSense router setup in a sandbox so that I can test everything before going live with it.  Everything shown in my drawing is working except the red line.  I can get to the internet from OPT1 and the LAN.  OPT1 is blocked from the LAN interface, but the LAN can get to OPT1.  This is all good and working.

    The problem I have is testing the WAN to OPT1 route.  The users get grumpy really quickly if they can't get to their server.  (basically I can't test in production  ::) ) The "toy" router is providing the DHCP for the pfSense WAN. It doesn't have the ability to route, so I'm struggling to simulate the internet side in my sandbox.  Pings from the internet side of my sandbox time out because the toy router doesn't know anything about the 123.123.123.123 /29 range.

    I'm new to firewall rules, so what I need help with are the rules that will allow full access from the WAN to OPT1.

    TIA






  • @jsigned:

    I'm new to firewall rules, so what I need help with are the rules that will allow full access from the WAN to OPT1.

    Do you really want full access from WAN to OPT1? I'd just set up the minimum required Port Forwards from WAN towards the servers behind OPT1.

    Do your users also work on the weekend? If you cannot negotiate a scheduled downtime for tests, you're SOL, as your "toy router" doesn't allow routing of the 123.123.123.123 range. As an alternative, you might set up Port Forwards with alternate ports on the "toy router" which then get forwarded to the correct ports on the pfSense box. Obviously, you'll have ot use old IP address; 123.123.123.123 still won't work, but you can test if Port Forwarding works as expected on both the "toy" and pfSense…



  • The server in question is a somewhat popular web site, so there isn't really anytime it can be down without someone noticing.  Its a good problem to have.  I've decided to go down a different path with 1 to 1 NAT.  Thanks for your reply though.


Log in to reply