Noob Question: 1:1 versus Virtual IP



  • I have about six servers with public IP addresses that I needed to put behind pfSense…  I got it set up and finally got it working, but I am not sure if I did it correctly.

    At first, I thought what I needed was 1:1 NAT; however, when I added my public IP addresses in NAT > 1:1 and pointed the public IPs to the private NAT addresses, I was unable to contact my servers from the WAN side…

    Next, I added NAT > Port Forwarding to forward the appropriate ports to the correct NAT IPs, and added the corresponding rules to allow the traffic to pass.  This allowed me to contact my servers through pfSense's WAN interface IP address, but not through the servers' public IP addresses.

    Finally, I added my public IPs as Virtual IPs (ProxyARP) and changed the NAT > Port Forwarding External Address to the correct public IP.  Now everything seems to be working correctly…

    So here are my questions:

    1: If the "trick" was to set up Virtual IPs and Port Forwarding, what does the 1:1 NAT do for me?  I assume that this may make outgoing traffic from my servers appear to be coming from the 1:1 public IP rather than from the IP of the WAN interface?

    2: In regard to Virtual IPs, what is the difference between ProxyARP and Other?

    Many Thanks in Advance!





  • Dude, you're doing it all wrong. This exact same thing happened to me a few days ago because of what I've read in the m0n0wall documentation regarding 1:1 NAT; it's not complete. Although you can mix port forwarding rules with 1:1 NAT, it is not necessary as long as you have that many public IPs available.

    This is the procedure you should follow:

    1. Create the Virtual IPs.
    2. Map the public IPs to the virtual IPs you've created in step 1.
    3. Finally, create firewall rules allowing a particular service that your server will be providing. Let's say it is a web server: create a firewall rule on your WAN interface allowing TCP port 80 from anywhere to the private IP address of the web server.

    e.g.

    Proto  Source  Port  Destination  Port      Gateway
    TCP    *       *     192.168.1.2  80(HTTP)  *

    You also ought to read this thread about 1:1 NAT -> http://forum.pfsense.org/index.php/topic,6965.0.html

    HTH
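To make the difference between the three mechanisms in this thread concrete (why 1:1 NAT alone did not work for the original poster, why a port forward on the WAN address only reached the servers via the WAN address, and what 1:1 NAT adds for outbound traffic), here is a small Python model of the packet path. It is an added illustration written for this page, not pfSense or pf code. The addresses are constructed sample values; the only one taken from the thread is the reply's 192.168.1.2 web server. The model simplifies in two places: the `vips` set stands for any public address the firewall will accept traffic for (whether it answers ARP for it as a ProxyARP VIP or the upstream routes it to the firewall, which is the "Other" case), and port forwards are consulted before 1:1 entries, matching pfSense's documented precedence.

```python
from dataclasses import dataclass, field

# Constructed sample addressing (documentation ranges), not from the thread.
WAN_IP = "203.0.113.10"
PUBLIC_WEB = "203.0.113.20"   # public address meant to reach the web server
WEB_SERVER = "192.168.1.2"    # private address from the reply's example rule
CLIENT = "198.51.100.5"       # some host on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Firewall:
    wan_ip: str
    vips: set = field(default_factory=set)             # Virtual IPs the firewall accepts traffic for
    one_to_one: dict = field(default_factory=dict)     # public -> private (pf "binat", bidirectional)
    port_forwards: dict = field(default_factory=dict)  # (public, proto, dport) -> private (pf "rdr")
    wan_rules: set = field(default_factory=set)        # (proto, private_dst, dport) passed on WAN

    def inbound(self, pkt: Packet):
        """Return (verdict, detail) for a packet arriving on the WAN interface."""
        # 1. Layer 2: the firewall only takes frames for its own WAN address and
        #    its Virtual IPs. A 1:1 or port-forward entry by itself never claims
        #    the public address, so upstream traffic for it has nowhere to go.
        if pkt.dst != self.wan_ip and pkt.dst not in self.vips:
            return "unreachable", f"no VIP for {pkt.dst}; nothing answers for it"
        # 2. Translation: port forwards are consulted before 1:1 entries.
        private = self.port_forwards.get((pkt.dst, pkt.proto, pkt.dport))
        if private is None:
            private = self.one_to_one.get(pkt.dst)
        if private is None:
            return "blocked", f"no translation for {pkt.dst}"
        # 3. WAN rules are evaluated after NAT, so they must name the private
        #    address, exactly as the reply's example rule does.
        if (pkt.proto, private, pkt.dport) not in self.wan_rules:
            return "blocked", f"no WAN rule for {pkt.proto}/{pkt.dport} to {private}"
        return "delivered", private

    def outbound_source(self, private_src: str) -> str:
        """Public source address an internal host is seen with on the Internet."""
        for public, priv in self.one_to_one.items():
            if priv == private_src:
                return public      # 1:1 (binat) also rewrites the source on the way out
        return self.wan_ip         # otherwise default outbound NAT hides it behind WAN


def walk_through():
    """Replay the question's three attempts and the reply's recipe."""
    results = {}
    probe = Packet(CLIENT, PUBLIC_WEB, "tcp", 80)
    allow_web = {("tcp", WEB_SERVER, 80)}

    # Attempt 1: 1:1 NAT only, no Virtual IP.
    fw = Firewall(WAN_IP, one_to_one={PUBLIC_WEB: WEB_SERVER}, wan_rules=allow_web)
    results["1to1_without_vip"] = fw.inbound(probe)[0]

    # Attempt 2: port forward on the WAN address; the public IP is still unclaimed.
    fw = Firewall(WAN_IP, port_forwards={(WAN_IP, "tcp", 80): WEB_SERVER},
                  wan_rules=allow_web)
    results["forward_via_wan_ip"] = fw.inbound(Packet(CLIENT, WAN_IP, "tcp", 80))[0]
    results["forward_via_public_ip"] = fw.inbound(probe)[0]
    results["outbound_with_forward_only"] = fw.outbound_source(WEB_SERVER)

    # Reply's recipe: VIP + 1:1 mapping + a WAN rule to the private address.
    fw = Firewall(WAN_IP, vips={PUBLIC_WEB}, one_to_one={PUBLIC_WEB: WEB_SERVER},
                  wan_rules=allow_web)
    results["vip_plus_1to1"] = fw.inbound(probe)[0]
    # 1:1 maps every port, so the WAN rules are what keep the rest closed.
    results["vip_plus_1to1_other_port"] = fw.inbound(Packet(CLIENT, PUBLIC_WEB, "tcp", 22))[0]
    results["outbound_with_1to1"] = fw.outbound_source(WEB_SERVER)
    return results


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key:28} {value}")
```

Running it shows the sequence from the question: the 1:1-only setup is unreachable because nothing claims the public address, the port forward works only via the WAN address, and the reply's recipe delivers port 80 to the server while other ports stay blocked by the WAN rules. The last two results answer question 1: with a port forward alone the server's outbound traffic leaves from the WAN address, with a 1:1 mapping it leaves from its own public address.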

