Transparent firewall and 1:1 NAT

  • I have a WAN port with public IP that is setup with a OPT1 interface in Bridge mode. The servers behind OPT1 have also public IPs

    From the LAN I am able to connect to the internet but the 1:1 NAT to a server from the LAN area is not working.

    The firewall rules, Virtual IP and 1:1 nat is setup OK.

    Is this setup possible do I need to do something special?


  • For me, I have to clone the MAC of the previous router that was there…
    If I was willing to wait a day or two, probably wouldn't need to but I got tired of waiting, so cloned the MAC.

    Strange.  You say your LAN Works but the servers on 1:1 don't work?

    So, you have multiple public IPs?

    Can you ping the IP that the servers should use from your LAN?

  • Yes from the lan I am able to go on internet, I am able to see the servers with public IP from the DMZ zone (the one behind the transparent firewall, bridge)

    I have 4 public IPs that go to 4 servers on the DMZ.
    I have one public IP  for the firewall interface
    I have 1 public IP setup as 1:1 NAT pointing to a private address in the LAN. This is the one that I am not able to see from outside(no ping nothing). It is strange.

  • "I have 1 public IP setup as 1:1 NAT pointing to a private address in the LAN"

    Did you set up manual outbound NAT for that /32 IP that has 1:1 NAT?

    Do you have a rule on the LAN Firewall allowing it to anywhere?

    If packet is being sent to your computer LAN IP via that public IP,  1:1 NAT will then direct packet to your computer sitting on the private IP.  Is it running a firewall there that is blocking things?  If its not, and the packet gets to the computer on the private LAN, what route will the acknowledgement to that packet go?  Out some default gateway that is different than the one it entered on?  If this happens, I think most computers will drop the reply to the ping because its not coming from the same IP to which it was sent.

    So, in theory, setting up Manual outbound NAT might cure this problem.  (seems to be a common occurrence). 
    Also be sure you are allowing ICMP on the IP/interface you are trying to ping in firewalls first.

  • Ok not sure what you are asking me but I took screen shoots  for the settings, it might help to understand what is the configuration that I have.

    ![Screen Shot 2013-08-08 at 22.58.22.png](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.22.png)
    ![Screen Shot 2013-08-08 at 22.58.22.png_thumb](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.22.png_thumb)
    ![Screen Shot 2013-08-08 at 22.58.43.png](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.43.png)
    ![Screen Shot 2013-08-08 at 22.58.43.png_thumb](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.43.png_thumb)
    ![Screen Shot 2013-08-08 at 22.58.51.png](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.51.png)
    ![Screen Shot 2013-08-08 at 22.58.51.png_thumb](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.51.png_thumb)
    ![Screen Shot 2013-08-08 at 22.58.57.png](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.57.png)
    ![Screen Shot 2013-08-08 at 22.58.57.png_thumb](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.58.57.png_thumb)
    ![Screen Shot 2013-08-08 at 22.59.29.png](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.59.29.png)
    ![Screen Shot 2013-08-08 at 22.59.29.png_thumb](/public/imported_attachments/1/Screen Shot 2013-08-08 at 22.59.29.png_thumb)

  • Your firewall rule on OPT1 is inverted it seems.
    To me it seems it will pass anything NOT headed to LAN.
    So, if thats the case, how could LAN be contacted through OPT1 if that is the only rule on OPT1?

    Wouldn't you need to pass to LAN?

  • Yes that rule on OPT1 is there to not allow traffic from DMZ (OPT1) to LAN. The OPT should be treated as internet being public. This should however not affect the incoming traffic coming from wan to lan. The VIP address and 1:1 NAT should go trough WAN. I have now also tried to remove that rule and allow any to any but no change there. All the rules for the transparent firewall are set on the wan interface.

    I am not sure where to look inside pfsense logs to see what happens with the incoming packets that should be 1:1 Nated.

  • Do you have a special need for transparent firewall?  Is there a problem with using 1:1 NAT there?
    I don't think you can use "1:1: and "transparent" in the same sentence.

    I'm pretty sure its either transparent or 1:1 but not both.

    How about this.  Can you show me anywhere where you have arranged for anything coming in from the WAN to be sent directly to LAN?

    Why don't you just go to Firewall > NAT > WAN interface and make a NAT rule to send whatever port you want forwarded from WAN to LAN?

    If it just gets too much, let me know.  I could connect your pfsense and just set the rule.  Showing is easier than telling sometimes.

  • I got it now was a routing problem from my datacenter on that specific IP using an other one it works fine. There is no problem to have 1:1 NAT between WAN and LAN and transparent firewall between Wan and OPT1. Now everything works I need to figure out with the datacenter where the problem is with that specific IP.

    Thanks a lot for helping here.

  • I knew if we talked it long enough you would solve it yourself and it would be nothing I thought maybe it could be :P

    Good deal - Glad its working.

  • Yes I was getting mad because all the guides did not specified if I can have 1:1 NAT and transparent firewall on the same machine or I need to have 2 servers. If somebody is looking for this information I can confirm that it works. I understand that in some cases using a transparent firewall can create some problems and you loose pfsense CARP redundancy but if you don't need it the transparent firewall is a nice solution.

Log in to reply