Beginner - mapping web server public ip to internal private ip



  • Just got a pfsense router and got it set up so I can access the internet.

    I have a couple of static public IPs from my cable company and I wanted to map an external IP to an internal IP of my web server.

    I wanted to ask if I was doing this correctly.

    I have been following the instructions in this YouTube video:
    https://www.youtube.com/watch?v=zrBr0N0WrTY

    I realize my internal LAN IP addresses are not the usual non-routable 192.168.1.x format, but hopefully that doesn't mess things up (so far it hasn't with my current router).

    So far, when I go to my web server's public static IP while pfSense is running, it doesn't bring up the web server's index.html page. Firefox just says "Unable to connect".

    Here is what my settings look like.

    Thanks



  • #1  Your LAN addressing is not (as you said) in the private address pool. You are using public IPs as LAN addresses and this is a no-no. There are various reasons why you don't want to do this.

    10.0.0.0/8

    172.16.0.0/12

    192.168.0.0/16

    If you have a phobia of looking like a home owner turned router admin then avoid the latter group. Go with 10.1.30.0/24 or something.

    #2  Your 1:1 and incoming rules look fine. Using VIPs then??



  • Thanks for the tip on the internal IP address.

    Yes, I'm using a VIP; here is a screenshot below.

    But I still can't surf (from my LAN) to my external static public IP of 24.196.135.163 and get my web server. What setting/place should I check?

    Others on the internet can access my web server, so it must have to do with NAT reflection, I would think.

    Thanks!



  • Firewall: NAT: 1:1: Edit. At the bottom of the rule: NAT Reflection: Enable.

    It's how I have mine set and it works fine.



  • Thanks for the reply.

    Turns out the problem with 1:1 NAT not working was due to my Virtual IP address having a /27 subnet mask.

    I should have had a /32 subnet mask (for a single IP address) for the Virtual IP address.

    John



  • I don't think a NAT 1:1 solution is the best option here. This will NAT your global IP to one of your internal IPs. Thereby all of your internal ports will be exposed to the internet.
    So the firewall on your web server also needs to be strong. But since this host may not only have port 80 open, it could be that port 22 or 3389 is also available to the public.

    I've been running pfSense for 5 months now and had some trouble regarding NAT in the beginning.
    If you are able, also install pfSense as a VM on your desktop/laptop. This way you can simulate connecting from WAN or LAN.

    Do port scans and test your security that way. If it works on your VM, you can use it on your "production system".

    Hope this helps.
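Two checks come up in this thread: the Virtual IP used for a single 1:1 NAT target must be a /32 (a /27, as John found, makes the VIP claim a whole block of WAN addresses), and a 1:1 mapping carries every port of the external address to the internal host, so the WAN firewall rules are what decide which of the host's listening ports are actually reachable. The script below is an added example written for this thread, not pfSense code and not anything the posters ran; it uses the 24.196.135.163 address quoted above, and the port lists are constructed for illustration.

```python
import ipaddress

# Constructed inputs for illustration. 24.196.135.163 is the address quoted in the
# thread; the listening/permitted port sets are invented, not from any real host.
EXTERNAL_VIP = "24.196.135.163"
HOST_LISTENING = {22, 80, 3389}   # what the internal web server has open


def vip_mask_problem(address: str, prefixlen: int):
    """A pfSense Virtual IP that fronts one 1:1 NAT target should be a /32.
    Returns None when the mask is a single host, otherwise a message showing
    how many WAN addresses the shorter mask actually covers."""
    net = ipaddress.ip_network(f"{address}/{prefixlen}", strict=False)
    if net.num_addresses == 1:
        return None
    return (f"{address}/{prefixlen} spans {net.num_addresses} addresses "
            f"({net.network_address} - {net.broadcast_address}); "
            f"use /{net.max_prefixlen} for a single host")


def reachable_from_wan(listening, wan_pass):
    """1:1 NAT translates all ports, so what reaches the host is the
    intersection of its listening ports and the WAN pass rules.
    wan_pass is a set of permitted destination ports, or "any" for a
    blanket pass rule. Returns the reachable ports, sorted."""
    listening = set(listening)
    if wan_pass == "any":
        return sorted(listening)
    return sorted(listening & set(wan_pass))


def review_mapping(address: str, prefixlen: int, listening, wan_pass, intended):
    """Collect findings for a 1:1 mapping: VIP mask, and any listening port
    that the WAN rules expose beyond the ports you intended to publish."""
    findings = []
    mask_issue = vip_mask_problem(address, prefixlen)
    if mask_issue:
        findings.append(mask_issue)
    unintended = sorted(set(reachable_from_wan(listening, wan_pass)) - set(intended))
    if unintended:
        findings.append(f"ports reachable from WAN but not intended: {unintended}")
    return findings


if __name__ == "__main__":
    # The /27 VIP from the thread, with a blanket WAN pass rule: two findings.
    for line in review_mapping(EXTERNAL_VIP, 27, HOST_LISTENING, "any", {80}):
        print("finding:", line)
    # The corrected /32 VIP with a rule that only passes TCP/80: no findings.
    print("ok" if not review_mapping(EXTERNAL_VIP, 32, HOST_LISTENING, {80}, {80})
          else "still has findings")
```

Running the block as-is reports the /27 covering 32 addresses and the blanket rule exposing 22 and 3389; with the /32 VIP and a port-80-only WAN rule it prints `ok`. The same idea applies when testing against a pfSense VM as suggested above: compare the port scan result from the WAN side with what `reachable_from_wan` predicts for your rule set.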

