Help with PPPOE / Multiple IPs / Firewall rules



  • Hi Everyone,

    I've recently moved to PFSense 1.2RC3 from Smoothwall (PFSense looks to be a rather more sophisticated product!)

    I'm having problems setting up a box that has PPPOE with multiple IPs

    So far…

    The environment that I'm trying to set up is:
    The PPPOE link has a static IP address yyy.yyy.yyy.yyy - used only for accessing WAN
    I have a separate block of 4 IP addresses - xxx.xxx.xxx.120/30 that have been allocated to me by my ISP

    As a simple first step I'm trying to configure PFSense to forward xxx.xxx.xxx.122:80 to a webserver on my DMZ network - 192.168.100.122

    Having done a lot of searches on the PFSense boards + Google I have:

    • Firewall -> NAT -> 1:1 -> created 4 separate entries for xxx.xxx.xxx.120 - 123 (each /32) and each pointed at a specific IP on the DMZ (eg xxx.xxx.xxx.122/32 to 192.168.100.122)
    • Firewall -> Rules -> WAN -> created a rule Interface:WAN / Source:Any / Destination:Single Host or Alias - 192.168.100.122 / Destination Port:HTTP

    If I go into the System Log and look at the Firewall Log, I don't see any record of traffic being blocked to my webserver (so I believe that what I have done is right?), but I don't seem to be able to actually reach the webserver either (e.g. via browser). I know that the server is working OK; it works if I use Smoothwall.

    I suspect that I need to do more, but am not sure what - can someone give me a pointer please?

    Thanks!
    James.



  • I have a separate block of 4 IP addresses - xxx.xxx.xxx.120/30 that have been allocated to me by my ISP

    Are they added as virtual IPs?



  • Thanks Perry!

    I have now:

    • Set up a proxy arp for each external IP address, mapping it to an internal IP address
    • Set up a port forward for individual Public IP/Port combinations to let traffic through to specific internal IP/Ports - eg:

    Interface: WAN
    External address: yyy.yyy.yyy.120
    External Port: 80
    NAT IP: 192.xxx.xxx.120 -> This is on my DMZ network

    This seems to work fine for external (Internet based) traffic trying to reach my websites, but does not work for internal (LAN) based traffic (using a fully qualified domain name)

    If I try to access 192.xxx.xxx.120 then this works ok, but I can't use this solution as I have multiple domains hosted on a single IP

    I've tried looking in the logs to see if there is a record of internal traffic being blocked when trying to access the DMZ but can't see anything.

    Can you give me some ideas on how to fix this?

    Thanks!

    James.



  • From http://forum.pfsense.org/index.php/topic,7001.0.html

    NAT-Reflection does not work with 1:1 NAT
    http://forum.pfsense.org/index.php?topic=7266.msg41244
    quote:
    You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address, which will not forward back across to the 1:1 server.



  • Thanks for the quick reply!

    I've now set up a set of rules along the lines of:

    Interface: LAN
    External Address: yyy.yyy.yyy.120
    External Port: 80
    NAT IP: 192.xxx.xxx.120

    This works just right!!!

    Thanks for your help!

    James.
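What the two working configurations above (the WAN port forward plus the extra one on the LAN interface) amount to at the packet-filter level, written out as pf.conf translation and filter rules. This is an added illustration, not rules taken from the thread or generated by pfSense itself; the interface names (pppoe0, em0, em1), the LAN subnet 192.168.1.0/24 and the public address 203.0.113.122 (a documentation-range placeholder standing in for xxx.xxx.xxx.122) are all assumed.

```pf
# --- Assumed names (not from the thread) ---
ext_if  = "pppoe0"            # PPPoE WAN link
lan_if  = "em0"               # internal LAN
dmz_if  = "em1"               # DMZ holding the web server
lan_net = "192.168.1.0/24"    # assumed LAN subnet
pub_web = "203.0.113.122"     # placeholder for xxx.xxx.xxx.122 (one of the /30 block)
dmz_web = "192.168.100.122"   # web server on the DMZ, as in the thread

# 1:1 mapping of one public address onto the DMZ server (what the
# Firewall -> NAT -> 1:1 tab produces). On its own this only translates
# traffic arriving on the WAN interface, which is why LAN clients that
# resolve the public name never reached the server.
binat on $ext_if from $dmz_web to any -> $pub_web

# Explicit port forward from the Internet for TCP/80 only.
rdr on $ext_if proto tcp from any to $pub_web port 80 -> $dmz_web port 80

# NAT reflection: the same forward, but applied to packets entering on the
# LAN interface. A LAN client that looks up the public hostname and gets
# 203.0.113.122 is redirected to the DMZ address before routing, so the
# connection never has to leave and re-enter via the PPPoE link.
rdr on $lan_if proto tcp from $lan_net to $pub_web port 80 -> $dmz_web port 80

# Only needed if client and server sit on the SAME subnet: source-NAT the
# reflected flow so the server's replies come back through the firewall
# instead of going directly to the client (which would break the handshake).
# With a separate DMZ, as in the thread, replies already route via the
# firewall, so this line stays commented out.
# nat on $dmz_if proto tcp from $lan_net to $dmz_web port 80 -> ($dmz_if)

# Filter rules are evaluated AFTER translation, so they match the
# translated (DMZ) destination, not the public address. This mirrors the
# thread's WAN rule with Destination 192.168.100.122 / port HTTP.
pass in on $ext_if proto tcp from any     to $dmz_web port 80 flags S/SA keep state
pass in on $lan_if proto tcp from $lan_net to $dmz_web port 80 flags S/SA keep state
```

Two points worth checking when reproducing this: the firewall log shows nothing for the original failure because no rule blocks anything; the packet simply never matched a translation on the LAN side, so the log is not the place to diagnose a missing reflection rule. The split-DNS alternative mentioned in the quoted post avoids reflection entirely by having the internal resolver answer the public hostname with 192.168.100.122, which also keeps name-based virtual hosting working since the Host header is unaffected either way.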

