Multi-IP / NAT problems
-
Hi,
I'm struggling to get NAT working with multiple IPs coming in on a single WAN port, and multiple LANs that need detailed port forwards. I could really use some help.
Can anyone spot what I'm doing wrong here?
First, we have 6 IP addresses coming in from the ISP, of which x.x.109.73 is supposed to be the main PF Sense address:
Virtual IPs are set up for the other addresses:
A Voip LAN is the LAN of interest. It's at 192.168.1.x, not preferred, but I have to duplicate an existing topology. This is technically OPT1.
The Voip LAN is supposed to largely map to x.x.109.74 (the first virtual IP), but 1:1 NAT isn't good enough because the port forwarding consists of 4 devices, including an Asterisk system. You can see that I'm mapping various port ranges to 192.168.1.90, which is the Asterisk server. This is to duplicate the router we're removing. I don't know what all of it is.
The corresponding firewall rules are here:
And there's a Voip LAN rule to allow internet:
This does give me internet access, but the Asterisk server isn't able to connect to the trunk provider. When I do 1:1 NAT to the PBX, then it works, but I can't do 1:1, I need to map to 4 different devices on that LAN.
So I've switched to Manual Outbound NAT. If you look at 192.168.1.0/24, it's right now set for "WAN address", and as expected, IP detection websites report it as x.x.109.73, the main IP set up in WAN config.
However, when I change that to be the Virtual IP address of x.x.109.74, it doesn't work.
What am I not understanding correctly? Isn't the Outbound NAT supposed to simply set the NAT return address for traffic originating from the Voip LAN so that the response comes back into the Voip LAN?
Why can't I even get on the internet from the Voip LAN with x.x.109.74 as the NAT address?
I could really, really use some help, I've spent nearly two days trying every conceivable combination of settings.
Thanks a million!
Per
-
Hi,
After struggling with this for a while, we finally have a solution. All the settings above are correct. It was the Comcast router that needed reboots whenever we rebooted PF Sense, presumably because Comcast otherwise had decided a long time ago that the PF Sense box wasn't routable for the additional WAN IP addresses and had simply stopped trying.
After rebooting the Comcast router and PF Sense immediately after, we could now ping the Virtual IP addresses (because we allowed ping in the firewall), and we could do both 1:1 NAT, as well as port forwarding.
The Manual Outbound NAT is important, because you have to set the Virtual IPs as the WAN address. This way, when you do a "what is my IP" search on Google from behind the second LAN, Google responds with the second (virtual IP) address.
So we're good to go.
Per