Redirecting local traffic
-
I am returning to pfSense, and have installed 2.2.6 Release. I was able to do this on a much older version but I cannot figure it out in the new UI.
I have my local network assigned static IP addresses 192.168.100.*, and what I need to do is to be able to set up a "phantom" local IP address that is actually redirected through the firewall to a public IP address when my local computers access it.
So, as an example, if 192.168.100.10 tries to FTP to 192.168.100.100, I need the firewall to actually connect to 8.8.8.8 and have this transparent to the local user…
I need to do this on a handful of ports for a short period...
-
I may be wrong, but my initial reaction is that local traffic by definition won't pass through pfSense, so you can't do that.
The first slight variation I can think of would be to split your LAN into two pieces of 192.168.100.0/25 and 192.168.100.128/25.
That way you can create a second interface to handle the "upper" 192.168.100.128/25 portion and "hide" your special servers at addresses from .128 to .255.
You could even change LAN to 192.168.100.0/26 and create three other 192.168.100.x/26 subnets (.64, .128, .192) if you have some addresses you can't move. You'll have to set the rules to allow traffic as you want, and you'll be routing ALL traffic between the "lower" and "upper" subnets through pfSense, which could be a bottleneck for your network. But if it's only temporary, it might be worth a try.
-
The second option of splitting my network won't work; we have too many IP addresses assigned to make that possible…
In the older versions, you could basically handle it like NAT, and I was able to make it work. I don't recall off the top of my head every step, but I know I was able to make it work in the past.
-
There may be a way, but the basic issue is "how" can I watch/route/etc. traffic when pfSense doesn't need to be involved in the send/recv through your network switch?
If the server's at .100 and my PC's at .10 the switch doesn't need to (and won't) send anything to .1 (pfSense) to handle my PC's request.
The only other way that can work is if you make your requests to the server via a FQDN that is "dummy" routed through DNS.
You make up a server name like "fred.locspace" in DNS and point it to a server @192.168.100.100.
Then you have at least a possibility of adding routing rules to a request to ftp://fred.locspace.
-
If the server's at .100 and my PC's at .10 the switch doesn't need to (and won't) send anything to .1 (pfSense) to handle my PC's request.
You can direct the traffic to .1 using a Proxy ARP VIP for .100 on the LAN of pfSense.
-
That should work. Then do a port forward on LAN on destination .100 to the NAT address and port.
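The Proxy ARP VIP plus LAN port forward described in the two replies above, written out as the pf rules pfSense effectively applies. This is an added example, not text from the original thread and not pfSense's generated ruleset; it assumes em0 is WAN, em1 is LAN, 192.168.100.0/24 is the LAN, the VIP is 192.168.100.100, only the FTP control port 21 is forwarded, and 8.8.8.8 stands in for the real public address as in the original post:

```pf
# Assumed layout (not from the thread): em0 = WAN, em1 = LAN, LAN = 192.168.100.0/24
# Firewall > Virtual IPs: Type "Proxy ARP", Interface LAN, Address 192.168.100.100/32.
# This is not a pf rule; pfSense starts choparp so the firewall's LAN MAC answers
# ARP requests for 192.168.100.100. No real host may use .100 on the LAN.

# Firewall > NAT > Port Forward: Interface LAN, Destination 192.168.100.100,
# Destination port 21, Redirect target IP 8.8.8.8, Redirect target port 21.
rdr on em1 proto tcp from 192.168.100.0/24 to 192.168.100.100 port 21 -> 8.8.8.8 port 21

# Outbound NAT on WAN (the automatic outbound NAT in 2.2.x already does this),
# so 8.8.8.8 sees the WAN address as the source, not 192.168.100.10.
nat on em0 from 192.168.100.0/24 to any -> (em0)

# The "associated filter rule" the port forward creates. pf translates before it
# filters, so the pass rule matches the translated destination 8.8.8.8, not .100.
pass in quick on em1 proto tcp from 192.168.100.0/24 to 8.8.8.8 port 21 flags S/SA keep state
```

Flow check: 192.168.100.10 ARPs for .100, gets pfSense's LAN MAC, and sends the SYN to pfSense; rdr rewrites the destination to 8.8.8.8, nat rewrites the source to the WAN address, and the reply is reverse-translated on the state so the client sees it come from .100. This is also why the "same address for some ports only" variant cannot work: once pfSense answers ARP for .100, the real .100 never sees any LAN traffic. Only the forwarded ports are rewritten, so passive-mode FTP data connections on dynamic ports will not follow the control connection unless that port range is forwarded as well.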
-
I can see it working when the VIP and the desired server on the subnet are different addresses: VIP .110 -> "real" .100.
But I can't see how you can make it work if they're supposed to be the same, VIP .100 -> "real" .100, for certain ports, which I think was the original question.
After rereading the OP, I see this is indeed what he was probably after: the "phantom" IP is a Virtual IP under "Firewall > Virtual IPs".