Author Topic: 1:1 NAT to VLAN IP or Port Forward?  (Read 3912 times)

Offline Technyne

1:1 NAT to VLAN IP or Port Forward?
« on: June 28, 2012, 08:36:40 am »
I think I'm just missing something here; I can't seem to get a secondary IP from our public /28 to NAT to a VLAN IP.

I've tried to create the IP as a VIP, use direct 1:1, use the port forwarding etc...

I have the WAN configured on 50.xxx.xxx.85 /28

I need to port forward or 1:1 the public 50.xxx.xxx.86 to VLAN100 Internal IP 192.168.100.11 for HTTP traffic.

Does anyone have a step by step?

Physical Interface em1 has LAN on it, along with VLANS if that matters.

Thank you in advance for your time!

Offline Metu69salemi

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #1 on: June 28, 2012, 11:47:03 am »
As a hint to begin with, you can use aliases to ease your struggle.

Code: (quick how to)
1. Phase Create Virtual IP: type IP Alias
Go to Firewall:Virtual IPs and press +
Choose IP Alias
Interface: WAN
IP Address: 50.x.x.85 /32
Description: as you like

2. Phase Create Port Forward
Go to Firewall:NAT:Port Forward and press +
Interface: WAN
Protocol: as you need, most likely TCP or TCP/UDP
Destination: 50.x.x.85
Destination port range: http (or if you need http and https you could do a port alias; I also added other ports needed, such as ssh)
Redirect target IP: 192.168.100.11
Redirect target port: 80 or that same alias as earlier
Description: as you like
All the other settings are default

3. Phase Create Manual Outbound NAT
Go to Firewall:NAT:Outbound, choose manual and save after that
Press +
Interface: WAN
Protocol: Any
Source: Type:Network / Address: 192.168.100.11 /32
Source port: Empty
Destination: Any
Translation: 50.x.x.85
port: Empty
Description: as you like

4. Phase Move your just-created MON rule to the top of the list and apply changes

After those, just save everything and apply changes. Remember to reset states.
You should be covered. If you do these with aliases, you can change the public IP quite, if you doubt that the IP is in use or it doesn't work.

Offline Technyne

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #2 on: June 28, 2012, 01:18:28 pm »
I have a question: The .85 IP is already in use on WAN. I'm attempting to use the .86; is this still the correct way to go?

I have done this exactly as shown here for the .86 and reset the state table but still cannot access the machine. I have confirmed I can access the .100.11 from inside.

Thanks,
Davin

Offline Metu69salemi

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #3 on: June 28, 2012, 01:58:22 pm »
Try with .87 if .86 doesn't work; your modem might use it.

And it will work with .85 if you don't have any use for http/https addresses on the public IP with firewall management or in another system.

Offline Technyne

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #4 on: June 28, 2012, 02:14:16 pm »
Hi,

I am certain .86 is not in use; we have a /28 with .81 as the gateway. For the .85 I have port forwards in use already. The only IPs in use on this block are the .85 and .82; I need to assign forwards for .84 and .86.

Any other options I can try?

Thank you for your help!


Offline Metu69salemi

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #5 on: June 28, 2012, 04:36:56 pm »
Reboot :D
Can your firewall ping to your server?

Offline Technyne

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #6 on: June 29, 2012, 09:40:47 am »
Rebooted, no change. Can ping from the pfSense Ping Tool.

Code:
Ping output:

PING 192.168.100.11 (192.168.100.11) from 192.168.15.1: 56 data bytes
64 bytes from 192.168.100.11: icmp_seq=0 ttl=128 time=0.331 ms
64 bytes from 192.168.100.11: icmp_seq=1 ttl=128 time=0.226 ms
64 bytes from 192.168.100.11: icmp_seq=2 ttl=128 time=0.223 ms
64 bytes from 192.168.100.11: icmp_seq=3 ttl=128 time=0.233 ms

--- 192.168.100.11 ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.223/0.253/0.331/0.045 ms


Offline Metu69salemi

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #7 on: June 29, 2012, 12:29:07 pm »
Then I must raise my hands; I don't know what the problem is. Sorry.

Offline madboots

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #8 on: July 18, 2012, 03:51:08 pm »
Metu69salemi- Thanks, your instructions helped me out.

Offline Metu69salemi

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #9 on: July 18, 2012, 03:54:36 pm »
That's nice to hear.

And what is the OP's situation?

Offline Technyne

Re: 1:1 NAT to VLAN IP or Port Forward?
« Reply #10 on: July 24, 2012, 10:38:32 pm »
Resolved, your instructions were correct. It turned out to be that the server in question did not have the correct gateway assigned. Thanks for your help!
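
The failure mode that resolved this thread, modelled as an added example that is not part of the original posts: a port forward rewrites only the destination, so the server's reply to an Internet client must leave through the firewall, or the state entry is never matched and the reply is never translated back. The 203.0.113.86 VIP, the /24 mask, the firewall's VLAN100 address 192.168.100.1 and the client address are constructed assumptions.

```python
import ipaddress as ip

# Constructed values: 203.0.113.86 stands in for the public 50.x.x.86 VIP;
# the /24 mask and the firewall's VLAN100 address are assumptions.
VIP = ip.ip_address("203.0.113.86")
SERVER = ip.ip_interface("192.168.100.11/24")
FW_VLAN100 = ip.ip_address("192.168.100.1")

def port_forward(dst, dport):
    """Phase 2 rule: rewrite VIP:80 to the server. The client source is kept."""
    if ip.ip_address(dst) == VIP and dport == 80:
        return SERVER.ip, 80
    return None

def server_next_hop(dst, default_gw):
    """Server route lookup: on-link directly, anything else via default gateway."""
    dst = ip.ip_address(dst)
    if dst in SERVER.network:
        return dst
    return ip.ip_address(default_gw) if default_gw else None

def trace(client, default_gw, dst=VIP, dport=80):
    """Follow one inbound connection and report where it breaks."""
    if port_forward(dst, dport) is None:
        return "dropped at WAN: no matching port forward"
    hop = server_next_hop(client, default_gw)
    if hop is None:
        return "SYN delivered, reply dropped: server has no default route"
    if hop != FW_VLAN100:
        return f"SYN delivered, reply sent to {hop}: bypasses the firewall state"
    return f"reply via {hop}: firewall matches state, source rewritten to {VIP}"

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed Internet client
    for gw in ("192.168.100.254", None, "192.168.100.1"):
        print(f"gateway={gw}: {trace(client, gw)}")
    # A same-subnet test never uses the default gateway, so it passes either way.
    print(server_next_hop("192.168.100.50", "192.168.100.254"))
```

A test from a host on the server's own subnet succeeds with any gateway setting, which is why internal reachability alone does not validate a port forward.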