Non NAT setup



  • Hi,

    Apologies if this question has been asked before, I couldn't find it when searching.

    Would it be possible to run PFS in a "non NAT" mode? Since I have enough "net aware" IPs from my provider, there's no real need for private LAN IPs and I was hoping I could keep the machines behind the firewall with their Internet IPs (212.x.x.x, etc) rather than going to 192.168.0.x.

    Is this possible in PFS, and if so, could anyone just point me to the right settings subsection?

    Any help would be appreciated.

    Cheers,

    B.



  • I can see at least 2 solutions:



  • Thanks for that, I'll give the transparent firewall a go and if not I'll try 1:1 NAT.

    Cheers,

    B.



  • Add a DMZ interface, add your public iprange to this.
    Use lan interface as management interface only.

    Or enable advanced outbound nat and just remove the nat rule there.
    Then add filter rules as needed. As lanip set the public ip-range.



  • @lsf:

    Add a DMZ interface, add your public iprange to this.
    Use lan interface as management interface only.

    I thought the DMZ is the area of the LAN where you trust things - so for machines you control rather than other users on the network? So no firewall rules will apply to these machines?

    Anyway no problem I'll try what suggested tomorrow and get back to you with my results.

    Cheers,

    B.



  • DMZ/OPT, it all depends on what you call it. Normally a DMZ is where you allow connections from the outside (like web/mail servers etc).
    In general this is no different than any other zone. The normal firewall setup is to have a LAN zone where no connections can be initiated from the outside, but in your DMZ you allow connections to be initiated from the outside.
    Basically LAN is the safe haven, the DMZ is a semi-strict zone.

    If you want both a DMZ and LAN with public IPs you can do that too, just remember to remove the NAT rule.



  • Thanks for the explanation that clears it up in my mind. It just seems every tutorial I read uses slightly different terms to mean the same thing so it's somewhat confusing for a newbie like me.

    Cheers for your help,

    B.



  • Please bump the green button if your topic is solved  ;D



  • @hoba:

    Please bump the green button if your topic is solved  ;D

    Sorry, haven't had a chance to try this out yet - too much other work-related stuff. I'll let you guys know if it all works nicely.

    Cheers,

    Lawrence



  • Everyone seems to have missed the "use advanced outbound NAT and delete the auto-generated rules" option.  If you truly don't want to NAT, that's how you do it.  You will of course need to route the traffic then…but I assume you knew that and can figure that part out.

    --Bill
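The layout the thread converges on (private LAN kept for management only, DMZ interface carrying the public range, manual outbound NAT with the DMZ rule removed, filter rules added, and the upstream routing the block to the firewall) written out as a pf ruleset, since pfSense is built on pf. This is an added illustration, not from any post in this thread or from the pfSense project; the interface names, the 203.0.113.16/28 documentation range and the host addresses are assumptions.

```pf
# Added illustration, not from the thread. Interface names and addresses are
# assumptions; 203.0.113.16/28 is a constructed documentation range standing in
# for the poster's real public block.
wan_if  = "em0"
lan_if  = "em1"                 # management LAN, private addressing
dmz_if  = "em2"                 # hosts keep their public addresses here
dmz_net = "203.0.113.16/28"
lan_net = "192.168.0.0/24"
fw_lan  = "192.168.0.1"
web_srv = "203.0.113.20"
mail_srv = "203.0.113.21"

set skip on lo0

# Outbound NAT only for the private LAN. There is deliberately no "nat on"
# rule for $dmz_net, so its packets leave the WAN with their real source.
# pfSense equivalent: Firewall > NAT > Outbound, switch to manual ("advanced")
# outbound NAT and delete the auto-generated rule for the DMZ network.
nat on $wan_if from $lan_net to any -> ($wan_if)

# Drop packets claiming a DMZ or LAN source on the wrong interface.
antispoof quick for { $lan_if $dmz_if }

# Default deny; every allowed flow is listed explicitly below.
block log all

# The firewall itself and the return legs of stateful flows may leave.
pass out all

# Management LAN: admins reach the firewall GUI/SSH, nothing is accepted from outside.
pass in on $lan_if proto tcp from $lan_net to $fw_lan port { 443 22 }

# DMZ hosts may initiate outbound, but never into the management LAN
# ("LAN is the safe haven" in the thread). quick stops rule evaluation here.
block in quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if from $dmz_net to any

# Inbound from the Internet straight to the public addresses. No port forward
# is needed because nothing is translated; the filter rule alone publishes the service.
pass in on $wan_if proto tcp from any to $web_srv port { 80 443 }
pass in on $wan_if proto tcp from any to $mail_srv port 25
```

For this to carry traffic the provider (or the upstream router) must route 203.0.113.16/28 to the firewall's WAN address, which is the routing step Bill's post refers to; a ruleset without a NAT line does nothing useful if the block is not routed to the box.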



