Netgate Discussion Forum
    Need some help for doing tricky things with nat

    svenruben:

      Hello pfSense users. I need some help to cover the following problem, because I am not really firm with NAT:

      We need to use the fi5000 netbox for connecting the fi6140 scanner to the network. I know there are a lot of network scanners available now, but exactly this way is certified for our archiving solution. In the past we had 40 individual virtual Win7 PCs, one for each user. Now we are going to be 80 users, that's why we want to use a terminal server instead of these individual VMs. The problem is, on the fi5000 netbox I can only configure an individual IP address for each user; the port is only configurable globally for the whole box.

      On the dest. PCs there is a trigger app running and listening for connects from the fi5000. So after logging in to the fi5000 by scanning the fingerprint, the fi5000 connects to the trigger app running on the IP configured for the owner of the fingerprint. The trigger app then starts the scan app. This scan app connects its scan driver back to the fi5000 box and starts the scan.

      Scanner ----USB---- fi5000 ----LAN---- pfSense1 ----OpenVPN---- pfSense2 ----LAN---- Terminal Server

      fi5000:          192.168.41.48 (Port 10002)
      pfSense1:        192.168.41.254
      pfSense2:        10.168.224.254
      Terminal Server: 10.168.224.41 (Port 10020, Port 10010)

      Config on fi5000:
      User: admin  Dest.IP: 10.148.226.120 (dummy IP)  Port: 10002 (Port not configurable)
      User: user   Dest.IP: 10.148.226.110 (dummy IP)  Port: 10002 (Port not configurable)

      Config on Terminal Server:
      User: admin  Trigger App is running on Port: 10020
      User: user   Trigger App is running on Port: 10010

      Config on pfSense1:
      Port Forward NAT:
      IF   Proto     Src.addr  Src.port  Dest.addr        Dest.port  NAT IP          NAT port  Description
      LAN  TCP/UDP   *         *         10.148.226.120   10002      10.168.224.41   10020     Scanner-120
      LAN  TCP/UDP   *         *         10.148.226.110   10002      10.168.224.41   10010     Scanner-110

      That works fine for the trigger app: if I log in as admin on the fi5000, it finds the trigger app running on the terminal server as user admin.

      But if I press the scan button, the trigger app starts the scan app and this app tries to connect back to the fi5000 on IP 192.168.41.48, port 10020 (the port configured in the trigger app), and can't connect.

      Two reasons I can see:

      • the fi5000 is only listening on port 10002
      • the fi5000 assumes an incoming connection from 10.148.226.120 port 10002

      So I think, for the way back from the terminal server to the fi5000, I need rules that do the following for all traffic from source interface OpenVPN to dest. IP 192.168.41.48:

      for user admin:

      • redirect dest.port from 10020 to 10002
      • rewrite the source IP from 10.168.224.41 to 10.148.226.120
      • rewrite the source port from 10020 to 10002

      for user test:

      • redirect dest.port from 10010 to 10002
      • rewrite the source IP from 10.168.224.41 to 10.148.226.110
      • rewrite the source port from 10010 to 10002

      Is there anybody out there who can help me with these rules?

      Many thanks, I apologize for having nearly no clue with NAT.

      Cheers, Sven
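The following is an added example, not part of the forum post and not a Netgate configuration. It writes out, in pf(4) syntax (the packet filter underneath pfSense), the two translations the post asks pfSense1 to perform on the return path, next to the port forward the post already has. Interface names (`lan`, `ovpnc1`), the return connection being TCP, and both translations being applied on pfSense1 are assumptions; all addresses and ports come from the post.

```pf
# Added example, not from the forum post and not Netgate's configuration.
# Assumptions: LAN interface "lan", OpenVPN interface "ovpnc1", return
# connection is TCP, both translations happen on pfSense1.

# Forward path (already working per the post): fi5000 -> Terminal Server.
# Per-user dummy IP on fixed port 10002 -> Terminal Server on the per-user
# trigger-app port.
rdr on lan proto { tcp, udp } from 192.168.41.48 to 10.148.226.120 port 10002 \
    -> 10.168.224.41 port 10020   # Scanner-120 (user admin)
rdr on lan proto { tcp, udp } from 192.168.41.48 to 10.148.226.110 port 10002 \
    -> 10.168.224.41 port 10010   # Scanner-110 (user user)

# Return path, step 1: port forward on the OpenVPN interface. The scan app
# connects to 192.168.41.48 on the per-user port; the fi5000 listens only on
# 10002, so the destination port is rewritten. The tag records which user the
# connection belongs to, because after this rewrite both users' packets look
# identical (same source IP, same destination IP, same destination port).
rdr on ovpnc1 proto tcp from 10.168.224.41 to 192.168.41.48 port 10020 tag SCAN_120 \
    -> 192.168.41.48 port 10002
rdr on ovpnc1 proto tcp from 10.168.224.41 to 192.168.41.48 port 10010 tag SCAN_110 \
    -> 192.168.41.48 port 10002

# Return path, step 2: outbound NAT on LAN. Rewrite the source to the dummy
# IP the fi5000 expects for that user, with a fixed source port of 10002.
# "port 10002" after "->" in a nat rule sets the translated SOURCE port.
nat on lan proto tcp from 10.168.224.41 to 192.168.41.48 port 10002 tagged SCAN_120 \
    -> 10.148.226.120 port 10002
nat on lan proto tcp from 10.168.224.41 to 192.168.41.48 port 10002 tagged SCAN_110 \
    -> 10.148.226.110 port 10002

# Translation alone does not admit the connection; a filter rule must still
# pass the translated traffic in (pfSense adds this when the port forward's
# filter rule association is enabled).
pass in quick on ovpnc1 proto tcp from 10.168.224.41 to 192.168.41.48 port 10002 keep state
```

Two caveats a practitioner would check before relying on this. First, a fixed translated source port means every return connection for one user maps to the same 4-tuple (10.148.226.120:10002 -> 192.168.41.48:10002), so pf can hold only one state for it at a time: a second concurrent scan for the same user collides and is dropped until the first state expires. Second, `tag`/`tagged` is plain pf syntax; whether the pfSense GUI version in use exposes it on port forward and outbound NAT entries is not assumed here, and without some way to carry the per-user port across the first rewrite the two outbound NAT rules cannot be told apart.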
