Outgoing NAT situation.



  • Hello. I have a small situation that I am trying to solve and am running into a bit of a snag. Firstly, let me describe our setup.

    The company whose network I'm working on originally had a SonicWall. I'm replacing this with a pfSense box since the SonicWall is a pile and I've had so much luck with pfSense in the past. When I got here I noticed that they were set up like the following.

    [ISP]
        |
    ------- <demarc
        |
    [pfSense]
        |
    [switch]
        |
    [AppSrv]

    There is no premises equipment from the ISP. The company has two IP address ranges on different subnets going through one connection. The first subnet has one IP address leased from it (we will use 1.1.1.2 as an example) and would normally be what is assigned to the ISP's premises equipment. It is the IP that the WAN is configured with. The second subnet (a /29 range we will call 2.2.2.1-5) is routed to the WAN IP (1.1.1.2).

    I currently have NAT rules in place for our application server, and you can access it from the outside fine and it can access internet resources fine. What I want it to do, though, is make it also appear as though communication initiated by this application server is coming from the IP 2.2.2.1 instead of 1.1.1.2. I currently have it set up this way on the SonicWall. This is because half of the communications this server does are initiated by the server itself, and the majority of the customers that this server talks to have firewall exceptions created specifically for the IP 2.2.2.1.

    If I can't do this the way it was set up on the SonicWall that is fine and I can have the other customers change their IP exceptions if I must, but I refuse to believe that SonicWall has any kind of one-up on pfSense. :p

    Note: I have a feeling that it has to do with my not using Virtual IP objects. I didn't get a chance to try it, but I might try creating a Virtual IP (Other) and creating a manual outbound NAT rule…



  • Just so everyone knows how this was resolved, I just didn't have the proper order to my Manual Outgoing NAT rules.

    I had my outgoing NAT rule at the bottom instead of the top. Because of this, the NAT rule above it overwrote things. I created aliases for all the IPs I needed to use with NAT and then created an outgoing NAT rule for the application server that said "anything heading from appsrv0 to any, translate from appsrv0 to wanip2". I then moved it to the top of the outgoing NAT rules and voilà.

    Hopefully this will help the next guy.
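To show concretely why rule order fixed it, here is the pair of pf translation rules that pfSense's Outbound NAT page would produce for this setup, written as an added example (not the thread author's configuration and not taken from a pfSense rules.debug dump). It assumes the WAN interface is em0, the application server is 192.168.1.10 on a 192.168.1.0/24 LAN, the WAN address is 1.1.1.2, and 2.2.2.1 from the routed /29 has been defined as a Virtual IP of type Other so it can be selected as a translation address; all of those values are assumptions.

```pf
# Added example, not from the thread. Assumed values: WAN = em0,
# application server = 192.168.1.10, LAN = 192.168.1.0/24,
# WAN address = 1.1.1.2, Virtual IP (Other) = 2.2.2.1.
#
# pf evaluates nat rules first-match: the first rule whose criteria
# match a new outbound connection decides the translation, and later
# nat rules are not consulted. The host-specific rule must therefore
# come before the general LAN rule; placed after it, the /24 rule would
# already have claimed every connection from 192.168.1.10.

# Host-specific rule: traffic the application server initiates leaves
# with source 2.2.2.1, the address the customers' firewalls allow.
nat on em0 inet from 192.168.1.10 to any -> 2.2.2.1

# General rule: everything else on the LAN leaves as the WAN address.
nat on em0 inet from 192.168.1.0/24 to any -> 1.1.1.2
```

On the pfSense box itself the rules are generated from the GUI, so the check is on the loaded ruleset rather than a hand-edited file: `pfctl -sn` lists the active translation rules in the order pf will evaluate them, and after the server opens a connection, `pfctl -ss | grep 192.168.1.10` shows the state entry with the translated source address in front of the original one, which confirms whether 2.2.2.1 or 1.1.1.2 is being used before asking a customer to look at their firewall logs.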