NAT from Router ADSL to Local Network behind FW PfSense



  • Dear All,

    I'm a newbie in networking. Below is a small home network.

    Now I want the outside Internet to be able to access the local server (Remote Desktop, SMTP, ...), but I don't know how to NAT or route.

    Could you recommend what I should do?

    Thanks

    Henry



  • You would be better off if you put the ADSL router into bridge mode and let pfSense get the public IP on its WAN.

    The NAT setup will then be straightforward, with plenty of examples in the available documentation.



  • But you can usually port forward on an ADSL front-end router in its "normal" mode, if that is easier for you in a small setup. I do it on various TP-Link models and find it is easier for small sites with no real IT knowledge - the ADSL router remains as part of the "real" internal network and can be pinged, web interface accessed internally etc. for easy support.
    You can port forward whatever port numbers you need to your pfSense WAN. Then the incoming connections arrive on pfSense WAN, and you can make firewall rules to allow them and port forward them again to the appropriate internal servers…



  • Hi phil.davis,

    Thank you for the quick reply. I have completed it and it worked.

    Step by step below:

    1. Create a Virtual IP on pfSense
    2. 1:1 NAT the Virtual IP to the LAN IP
    3. Create a firewall rule
    4. Port forward from the ADSL router to the Virtual IP.

    That's all

    Thanks and regards

    Henry
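The ruleset behind Henry's four steps, written out as a pf.conf fragment (pfSense generates an equivalent one from the GUI). This is an added example, not from the thread; the interface name and all addresses are constructed assumptions.

```conf
# Constructed topology (assumed, not from the post):
#   Internet -> ADSL router (public IP, normal mode, port forwards)
#            -> pfSense WAN 192.168.1.2 with virtual IP 192.168.1.10
#            -> LAN server 10.0.0.10 (RDP 3389, SMTP 25)

wan_if  = "em0"
wan_vip = "192.168.1.10"   # Step 1: the Virtual IP, an IP alias on the WAN interface
server  = "10.0.0.10"      # internal host that owns the VIP

# Step 2: 1:1 NAT. binat is bidirectional: inbound traffic to the VIP is
# translated to the server, and outbound traffic from the server leaves
# with the VIP as its source address.
binat on $wan_if from $server to any -> $wan_vip

# Step 3: firewall rule. pf translates before it filters, so the WAN rule
# matches the *internal* address. A 1:1 mapping translates every port;
# only this pass rule decides which ports are reachable, so list them
# explicitly instead of allowing "any". Default deny on WAN comes first.
block in on $wan_if
pass in quick on $wan_if proto tcp from any to $server port { 3389, 25 } \
    flags S/SA keep state

# Step 4 is configured on the ADSL router, not here: forward public:3389
# and public:25 to 192.168.1.10, and nothing else.
```

Because the 1:1 mapping covers all ports, the pass rule in step 3 is the only thing limiting what the ADSL router's port forwards can reach; check it whenever the forwards on the router change.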



  • "You would be better off if you put the ADSL router into bridge mode and let pfsense get the public IP on its WAN"

    Agreed - Providing you know what WAN, bridge, IP and NAT mean…



  • If one doesn't know what WAN, bridge, IP, and NAT mean, then they need to find out.



  • @phil.davis:

    the ADSL router remains as part of the "real" internal network and can be pinged, web interface accessed internally etc for easy support.

    Putting the ADSL router in bridged mode while connecting it to the LAN switch is a bad idea. If the ISP doesn't isolate each channel, everyone connected to the ISP node can access your entire LAN. Even in bridged mode, the modem should be on a different physical interface or in a VLAN. This way WAN would be PPPoE and the modem would be physically connected to OPT1 or a VLAN interface.

    To provide access to the modem, you can create a rule on LAN allowing * to OPT1. If RIP is enabled on the modem and pfSense, you will be able to access the modem's UI directly. Otherwise set up a static route on the modem to LAN or create an outbound NAT rule in pfSense on OPT1. Obviously LAN should use a different subnet from the modem.



  • They call this lots of things.
    I've seen it called "IP pass through", "bridging public IP to LAN", "modem only", whatever.
    Point is, what is best in all situations is to get the public IP directly to pfSense's WAN.
    If this is the case and nothing else on the network is plugged into that DSL modem/router, the world isn't magically going to be able to get into this guy's network. Not unless he does something really dumb. This is what pfSense is. A firewall. If exposing its WAN port to the world were a security risk there would be no point in using pfSense.

    I see no security problems with what phil.davis proposed, but I do see it as being a pain. Plus double NAT just has a habit of breaking things, especially if those things require (or prefer) UPnP. Like Skype, Xbox, Orb, Steam. Too many to name.



  • @kejianshi:

    If this is the case and nothing else on the network is plugged into that DSL modem/router, the world isn't magically going to be able to get into this guy's network. Not unless he does something really dumb. This is what pfSense is. A firewall. If exposing its WAN port to the world were a security risk there would be no point in using pfSense.

    Huh? You just repeated what I said. You do realise that it's entirely possible to plug the modem into the LAN switch and still configure a WAN (PPPoE) on pfSense? It's secure only if you isolate the bridged-mode modem by plugging it into a physically separate port on the pfSense box or using a VLAN. This is the whole reason off-the-shelf routers have a dedicated WAN port. There is no need for a separate WAN port if you simply want it to act as a NAT gateway for PPPoE. Off-the-shelf routers can technically dial PPPoE even if the modem is on the LAN interface, but they don't allow it. pfSense does allow you to bridge the modem on the LAN interface and still use the PPPoE connection as the WAN interface.