Route/NAT incoming to other firewall's public ip
  • In short: incoming traffic from internet on WAN is to be redirected to a server in another datacenter.
    The reason for this is that we are moving a bunch of webservers to a new datacenter. We want to test everything before changing the DNS records, for a very fast fallback possibility. We are not allowed to set TTL below 3600.

    Setup:
    Datacenter 1 (old): All equipment under our control
    pfSense 2.1
    5 public ip's on WAN - 4 virtual.
    Primary WAN ip: 66.1.2.3
    Virtual ip for webserver1 (ws1): 77.1.2.3 (this is the one we've tested with).
    Web-servers running business-critical applications on port 443, OPT interface private subnet.
    NAT rules to each webserver.

    Datacenter 2 (new): Only the servers are controlled by us, no access to firewall.
    Firewall Juniper or Fortinet.
    Web-servers running copy of our business-critical applications on port 443, private subnet.
    5 public ip's on WAN.
    NAT rules to each webserver.
    Public ip to webserver1-new (ws1-n): 88.1.2.3

    I tried adding a NAT rule on pfSense WAN with "Redirect target IP" 88.1.2.3.
    Now from a laptop I go to https://77.1.2.3
    It seems the traffic actually hit ws1-n, logs showed it received & replied.
    But nothing comes back to laptop.

    Am I doing this wrong? Or have I missed something? I'm thinking it's a NAT issue, but not sure.
  • Check the source. You probably have a routing issue resulting from not NATting the original connection. Just a guess though. I would perhaps try a 1:1 NAT instead. Then again, I have never tried something like that with pfSense.
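The reply's point, spelled out in pf rule syntax (the packet filter underneath pfSense) as an added illustration that is not from the thread: em0 is assumed to be the WAN interface, the client address 1.2.3.4 is a made-up example, and the other addresses are the ones from the question.

```pf
# Added illustration, not from the thread. Assumptions: em0 is the pfSense WAN
# interface, 1.2.3.4 is a constructed client address, the rest are from the post.

# --- What the question describes: inbound redirect only ---------------------
# Client 1.2.3.4 connects to 77.1.2.3:443. pf rewrites the destination to
# 88.1.2.3 and the packet leaves WAN again with its source (1.2.3.4) unchanged.
# (rdr runs before filtering, so the pass rule sees the translated address.)
rdr on em0 proto tcp from any to 77.1.2.3 port 443 -> 88.1.2.3 port 443
pass in quick on em0 proto tcp from any to 88.1.2.3 port 443 keep state

# ws1-n sees 1.2.3.4 -> 88.1.2.3:443 and answers 88.1.2.3 -> 1.2.3.4 through the
# DC2 firewall, straight back to the client, bypassing pfSense. The client is
# waiting for a SYN-ACK from 77.1.2.3, not 88.1.2.3, so the handshake never
# completes: exactly the symptom in the post (request logged on ws1-n, nothing
# arrives at the laptop).

# --- The reply's suggestion: also source-NAT the forwarded connection -------
# On the way out of WAN toward 88.1.2.3, rewrite the source to the pfSense WAN
# address. ws1-n now replies to 66.1.2.3, the reply comes back through the same
# pf state, and both translations are undone before it reaches the client.
nat on em0 proto tcp from any to 88.1.2.3 port 443 -> 66.1.2.3
```

In the pfSense 2.1 GUI this is Firewall > NAT > Outbound in manual mode, with a rule on WAN for destination 88.1.2.3 translated to the interface address. Be aware that ws1-n will then log every client as 66.1.2.3, so its access logs and any per-source rate limiting on the DC2 side no longer see real client addresses.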