How to properly do a 1:1 - public to private?



  • WAN interface - 216.201.100.110
    Usable IPs for distribution: 216.201.100.111-120 from ISP

    Internal - 192.168.200.0/24

    Server 1 - 192.168.200.19   service needed SMTP,HTTP,HTTPS, RDP
    Server 2 - 192.168.200.6    service needed FTP,RDP
    Server 3 - 192.168.200.11   service needed PPTP, RDP
    Server 4 - 192.168.200.8    service needed HTTP,HTTPS, RDP

    A  I created a 1:1 in NAT firewall

    216.201.100.111 --> 192.168.200.19
    216.201.100.112 --> 192.168.200.6
    216.201.100.113 --> 192.168.200.11
    216.201.100.114 --> 192.168.200.8

    B  then I created a FIREWALL rules from source ANY to each specific private/ports - for example:

    Server 1 Example of rules:
    INTERFACE:PORT-->DESTINATION:PORT
    ANY:HTTP-->192.168.200.19:HTTP
    ANY:HTTPS-->192.168.200.19:HTTPS
    ANY:SMTP-->192.168.200.19:SMTP
    ANY:RDP-->192.168.200.19:RDP

    Server 2 Example of rules:
    INTERFACE:PORT-->DESTINATION:PORT
    ANY:HTTP-->192.168.200.6:FTP
    ANY:RDP-->192.168.200.6:RDP

    Server 3 Example of rules:
    INTERFACE:PORT-->DESTINATION:PORT
    ANY:PPTP-->192.168.200.11:PPTP
    ANY:RDP-->192.168.200.11:RDP

    Server 4 Example of rules:
    INTERFACE:PORT-->DESTINATION:PORT
    ANY:HTTP-->192.168.200.8:HTTP
    ANY:HTTPS-->192.168.200.8:HTTPS
    ANY:RDP-->192.168.200.8:RDP

    (1)  So I manually create the NAT 1:1, then I create a rule for the specific port/service - is this the proper order?

    (2)  Is this correct or is there a better way to do this?

    (3)  Are there any other items I need to do to make sure this works?

    NOTE:  I disabled DHCP, as we use AD 2003, and DNS on the pfsense uses OpenDNS IP addresses.



  • I'll skip the 'search before posting' bit for. But you're doing it wrong.
    Just to be clear, you would first go to firewall, virtual ip's, and add the public IPs.
    Then firewall, NAT, 1-1.
    Then firewall rules, wan.
    example for SMTP-
    TCP * * 192.168.200.19 25(SMTP) *
    Protocol is TCP, source ports are random, destination port is the port the service listens on. You do have the private ip as the destination, which is correct.



    1.  I tried reading all the items on 1:1 for my scenario (m0n0wall samples, Google, boards here), and really did not get far (sorry, quite new to fw thinking) - I only chose pfSense due to its stellar reviews on the Net and 1:1 options

    2.  From the tasks that I performed, the only item I did not perform based on your feedback was adding Virtual IPs - I need to understand that more…and more on rules (I thought my rules were far more defined - all or nothing thought).

    3.  When you use * in your sample, I suppose that means ANY; sorry, newbie

    4.  you said - **TCP * * 192.168.200.19 25(SMTP) ***   - I interpret this as source ANY, source port ANY, destination to host 192.168.200.19, destination port from SMTP, destination port to as ANY - is this correct to what you are saying?

    I truly understand ports and what needs to go through; my problem is how to actually order it and the details (the application setup) - such as reasons for Virtual IPs, etc…  If you look at what I did, it makes COMPLETE/LOGICAL sense to newbs - I need to learn illogical fws

    Is there a doc (I have been googling and perusing this board) that would better explain to me what I am trying to accomplish?

    BTW, I only have LAN and WAN interface - no DMZ -if it makes any difference

    Thank you.



  • I'm using * for ANY because that's what you see when you view the rules page.
    A quick and dirty breakdown of the example rule:
    TCP * * 192.168.200.19 25(SMTP) *
    Pass TCP traffic from any host with any source port with the destination of 192.168.200.19 port 25
    gateway and schedule are left at defaults.
    Most services are pure TCP, so you would select TCP from protocol. http://en.wikipedia.org/wiki/Internet_protocol_suite
    The source should be left as ANY unless you want to restrict access to the service (eg- you might allow ssh only from the source IP of your home connection)
    There are few reasons to restrict the source port, so leave it at default…
    The destination is the private IP of the machine running the service.
    The destination port is the port the service is listening on
    http://en.wikipedia.org/wiki/TCP_and_UDP_port
    You can safely leave the rest of the settings at default.
    The tricky ones in your list are FTP, which is such a mess that it has its own troubleshooting FAQ, and PPTP, which uses GRE in addition to the TCP port. Try using the redirection under VPN, PPTP, or look through the PPTP section of the forum.

    1-1's are more of a manual setup; port-forwards are a bit more friendly to a new user, as they will auto-create the correct firewall rule for you by default.



  • Thank you, sir…your rule explanation makes the murky water clearer  :D

    as for the Virtual IP / Proxy ARP, I'm still looking into it, but from my brief understanding it means...
    if you are translating any ip addresses between two different subnets, then add it into Virtual IP / Proxy ARP section/part

    for example, outside address 1.1.1.1 to internal 192.168.1.1, i would create - HERE is the PROCESS in order (from my understanding)
    1.  CREATE Virtual IP for 1.1.1.1 - proxy arp (mapping from or source address)
    2.  CREATE 1:1 NAT under Firewall (map my external 1.1.1.1 to internal 192.168.1.1)
    3.  Lastly, create the rules for the specific services your server will use (SMTP, FTP, HTTP, etc)

    Thank you for your feedback and explanation...more reading/learning

    SAMPLE SMTP RULE:




  • The order is correct. Setting up a Virtual IP is basically telling the firewall to accept the traffic coming in on that IP. For example, if the firewall's WAN address was 1.1.1.6 and you had a server behind the firewall that you wanted to get traffic sent to 1.1.1.1, you would have to tell the firewall that it is also using that IP address. Otherwise, the traffic comes in from your ISP's router and the firewall ignores it.
    See
    http://en.wikipedia.org/wiki/Address_Resolution_Protocol
    and http://en.wikipedia.org/wiki/Proxy_ARP
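The three-step order agreed on above (Virtual IP, then 1:1 NAT, then WAN rules naming the private IP) hinges on one detail: on traffic arriving at WAN, pfSense applies the 1:1 (binat) translation before the WAN rules are evaluated, so the rules see the private destination. The block below is an added example written for this page, not code from the thread or from pfSense, that models that order of operations for the thread's own addresses and services. The admin source address 203.0.113.7 and the client addresses used in the checks are constructed for the example; the Virtual IP step is not modelled (it only makes the firewall answer for the public address on the wire), and FTP's data channel is left out.

```python
"""Model of pfSense inbound handling for 1:1 NAT plus WAN rules.

Added example, not part of the original thread. Inbound on WAN, the 1:1
(binat) entry rewrites the public destination to the private address
*before* the WAN rules run, so rules are written against the private IP.
Rules are first-match; anything unmatched is dropped (default deny).
Public and private addresses are those from the thread; 203.0.113.7 and
the client addresses in the demo are constructed.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Firewall > NAT > 1:1 entries from the thread (public -> private).
ONE_TO_ONE = {
    "216.201.100.111": "192.168.200.19",  # server 1
    "216.201.100.112": "192.168.200.6",   # server 2
    "216.201.100.113": "192.168.200.11",  # server 3
    "216.201.100.114": "192.168.200.8",   # server 4
}


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "gre"
    src: str              # source address
    dst: str              # destination address as seen at this stage
    dport: Optional[int]  # None for GRE, which has no ports


@dataclass(frozen=True)
class Rule:
    """One pass rule on WAN: protocol, source, destination, destination port.
    Source port is left at any, as the thread recommends."""
    proto: str
    src: str              # "any" or a CIDR such as "203.0.113.7/32"
    dst: str              # address the rule is written against
    dport: Optional[int]  # None = any port


def nat_inbound(pkt: Packet) -> Packet:
    """1:1 NAT on inbound: public destination -> private destination."""
    private = ONE_TO_ONE.get(pkt.dst)
    return pkt if private is None else replace(pkt, dst=private)


def src_matches(rule_src: str, addr: str) -> bool:
    return rule_src == "any" or ip_address(addr) in ip_network(rule_src, strict=False)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """First matching rule wins; None means the packet is dropped."""
    for r in rules:
        if (r.proto == pkt.proto and src_matches(r.src, pkt.src)
                and r.dst == pkt.dst and r.dport in (None, pkt.dport)):
            return r
    return None


def wan_decision(rules: List[Rule], pkt: Packet) -> Tuple[Packet, Optional[Rule]]:
    """NAT first, then filter: the translated packet and the rule that
    passed it (None if dropped)."""
    translated = nat_inbound(pkt)
    return translated, first_match(rules, translated)


def is_passed(rules: List[Rule], proto: str, src: str, dst: str,
              dport: Optional[int] = None) -> bool:
    return wan_decision(rules, Packet(proto, src, dst, dport))[1] is not None


ADMIN_SRC = "203.0.113.7/32"  # assumed admin address used to restrict RDP

# WAN rules for server 1 and server 3, written against the *private* IPs.
WAN_RULES = [
    Rule("tcp", "any", "192.168.200.19", 25),        # SMTP
    Rule("tcp", "any", "192.168.200.19", 80),        # HTTP
    Rule("tcp", "any", "192.168.200.19", 443),       # HTTPS
    Rule("tcp", ADMIN_SRC, "192.168.200.19", 3389),  # RDP, admin source only
    Rule("tcp", "any", "192.168.200.11", 1723),      # PPTP control channel
    Rule("gre", "any", "192.168.200.11", None),      # PPTP data: GRE, no ports
]

# The same SMTP rule written against the public IP: it never matches,
# because by the time the rules run the destination is already private.
WRONG_RULES = [Rule("tcp", "any", "216.201.100.111", 25)]

if __name__ == "__main__":
    checks = [
        ("SMTP from anywhere",      WAN_RULES,   "tcp", "198.51.100.9", "216.201.100.111", 25),
        ("RDP from a random host",  WAN_RULES,   "tcp", "198.51.100.9", "216.201.100.111", 3389),
        ("RDP from the admin host", WAN_RULES,   "tcp", "203.0.113.7",  "216.201.100.111", 3389),
        ("GRE to the PPTP server",  WAN_RULES,   "gre", "198.51.100.9", "216.201.100.113", None),
        ("SMTP, rule on public IP", WRONG_RULES, "tcp", "198.51.100.9", "216.201.100.111", 25),
    ]
    for desc, rules, proto, src, dst, dport in checks:
        translated, rule = wan_decision(rules, Packet(proto, src, dst, dport))
        print(f"{desc:26s} -> dst after NAT {translated.dst:16s} "
              f"{'PASS' if rule else 'DROP'}")
```

Two things the model makes visible. A rule that names the public address never matches, which is the mistake the replies above are steering the poster away from. And a source of ANY on the RDP rule opens 3389 on every server to the whole Internet; the fourth post's ssh remark applies just as well here, so restrict the source to the address you administer from (the `ADMIN_SRC` entry) rather than leaving it at any.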

