Netgate Discussion Forum

Help with PPPOE / Multiple IPs / Firewall rules

    Spinmaster
    last edited by Jan 16, 2008, 11:40 AM

    Hi Everyone,

    I've recently moved to PFSense 1.2RC3 from Smoothwall (PFSense looks to be a rather more sophisticated product!)

    I'm having problems setting up a box that has PPPOE with multiple IPs

    So far…

    The environment that I'm trying to set up is:
    The PPPOE link has a static IP address yyy.yyy.yyy.yyy - used only for accessing WAN
    I have a separate block of 4 IP addresses - xxx.xxx.xxx.120/30 that have been allocated to me by my ISP

    As a simple first step I'm trying to configure PFSense to forward xxx.xxx.xxx.122:80 to a webserver on my DMZ network - 192.168.100.122

    Having done a lot of searches on the PFSense boards + Google I have:

    • Firewall -> NAT -> 1:1 -> created 4 separate entries for xxx.xxx.xxx.120 - 123 (each /32) and each pointed at a specific IP on the DMZ (eg xxx.xxx.xxx.122/32 to 192.168.100.122)
    • Firewall -> Rules -> WAN -> created a rule Interface:WAN / Source:Any / Destination:Single Host or Alias - 192.168.100.122 / Destination Port:HTTP

    If I go into the System Log and look at the Firewall Log, I don't see any record of traffic being blocked to my webserver (so I believe that what I have done is right?), but I don't seem to be able to actually reach the webserver either (eg via browser - I know that the server is working ok - works if I use smoothwall)

    I suspect that I need to do more, but am not sure what - can someone give me a pointer please?

    Thanks!
    James.

      Perry
      last edited by Jan 16, 2008, 1:38 PM

      I have a separate block of 4 IP addresses - xxx.xxx.xxx.120/30 that have been allocated to me by my ISP

      Are they added as virtual IPs?

      /Perry
      doc.pfsense.org

        Spinmaster
        last edited by Jan 21, 2008, 11:03 AM

        Thanks Perry!

        I have now:

        • Set up a proxy arp for each external IP address, mapping it to an internal IP address
        • Set up a port forward for individual Public IP/Port combinations to let traffic through to specific internal IP/Ports - eg:

        Interface: WAN
        External address: yyy.yyy.yyy.120
        External Port: 80
        NAT IP: 192.xxx.xxx.120 --> This is on my DMZ network

        This seems to work fine for external (Internet based) traffic trying to reach my websites, but does not work for internal (LAN) based traffic (using a fully qualified domain name)

        If I try to access 192.xxx.xxx.120 then this works ok, but I can't use this solution as I have multiple domains hosted on a single IP

        I've tried looking in the logs to see if there is a record of internal traffic being blocked when trying to access the DMZ but can't see anything.

        Can you give me some ideas on how to fix this?

        Thanks!

        James.

          Perry
          last edited by Jan 21, 2008, 11:18 AM

          From http://forum.pfsense.org/index.php/topic,7001.0.html

          NAT-Reflection does not work with 1:1 NAT
          http://forum.pfsense.org/index.php?topic=7266.msg41244
          quote:
          You most likely need to set up split DNS or add a port forward on top of the 1:1 NAT to invoke reflection. Reflection by default does not work with 1:1 NATs. So you're most likely resolving the public IP address, which will not forward back across to the 1:1 server.

          /Perry
          doc.pfsense.org

            Spinmaster
            last edited by Jan 21, 2008, 11:51 AM

            Thanks for the quick reply!

            I've now set up a set of rules along the lines of:

            Interface: LAN
            External Address: yyy.yyy.yyy.120
            External Port: 80
            NAT IP: 192.xxx.xxx.120

            This works just right!!!

            Thanks for your help!

            James.
