Firewall (nat) -> pfsense-FW -> local computers (How do i forward ports?)

kallegr

Hello,

we´ve got a Fortinet-Firewall with 3 Interfaces (WAN, LAN, DMZ). there are portforwardings from WAN to LAN!!!

WAN (Internet)
(((Fortinet)))  DMZ (192.168.1.1)
LAN (10.10.10.1) 
  |
local computers/fileserver (10.10.10.x/24)

yet on LAN (10.10.10.1) are normal computers and some (file-server, sql-server)

now, we would like to implement pfsense with captive-portal between lan on fortinet-firewall and local computers.

new configuration should look a bit like this:

WAN
(((Fortinet))) DMZ (192.168.1.1) –- DMZ (192.168.1.x/24)
LAN
  |
WAN
(((pfsense)))
LAN (10.10.10.1)
  |
local computers (10.10.10.x/24)

some conditions:
1. Fortinet will stay
2. Bridging WAN/LAN-Ports on pfSense is no option, as transparent proxy won´t work with that
3. subnet of lan (10.10.10.x) could not be changed

• how can i do the portforwarding from WAN to LAN(10.10.10.x), if there is a new pfsense between fortinet and local computers.
• local computers from (10.10.10.x) should be able to get the DMZ (192.168.1.x) - i think this will work with routing...

main problem is: how do i forward ports from WAN (fortinet) to LAN (10.10.10.x) behind pfsense firewall…

thank you

kallegr

Derelict

@kallegr:

Hello,

we´ve got a Fortinet-Firewall with 3 Interfaces (WAN, LAN, DMZ). there are portforwardings from WAN to LAN!!!

WAN (Internet)
(((Fortinet)))  DMZ (192.168.1.1)
LAN (10.10.10.1) 
  |
local computers/fileserver (10.10.10.x/24)

yet on LAN (10.10.10.1) are normal computers and some (file-server, sql-server)

now, we would like to implement pfsense with captive-portal between lan on fortinet-firewall and local computers.

new configuration should look a bit like this:

WAN
(((Fortinet))) DMZ (192.168.1.1) –- DMZ (192.168.1.x/24)
LAN
  |
WAN
(((pfsense)))
LAN (10.10.10.1)
  |
local computers (10.10.10.x/24)

some conditions:
1. Fortinet will stay
2. Bridging WAN/LAN-Ports on pfSense is no option, as transparent proxy won´t work with that
3. subnet of lan (10.10.10.x) could not be changed

• how can i do the portforwarding from WAN to LAN(10.10.10.x), if there is a new pfsense between fortinet and local computers.

That's a question for fortinet since that's where NAT is going to have to happen between fortinet WAN and 10.10.10.X

• local computers from (10.10.10.x) should be able to get the DMZ (192.168.1.x) - i think this will work with routing…

main problem is: how do i forward ports from WAN (fortinet) to LAN (10.10.10.x) behind pfsense firewall…

Fortinet problem.  You should just disable NAT on pfSense and tell your fortinet to route 10.10.10.X to whatever pfSense's WAN address is on LAN.  I know exactly what NAT rules and routes you would need on pfSense.  Fortinet, not so much.  Sorry.

And I'm not sure you're using the term portforwarding correctly.  port forwarding usually implies inbound connections on WAN forwarded to private hosts.  Doing that to captive portal-bound hosts that might or might not have an active captive portal entry sounds like a total cluster.

kallegr

Thank you!