Hi

  1. The short background. My Cisco PIX died last Thursday. We suspect a hardware problem with the Flash memory, but before we can run it again we have to use a temporary solution to protect our colocated servers.
  2. The network. We have two physical servers, but they both operate multiple IPs. Until now we had assigned our 8 public IPs to the outside PIX interface and forwarded the requests to the appropriate private IPs. This worked like 1:1 NAT. For example, public address XXX.XXX.XXX.190 ports 22, 25, 80 and 113 were forwarded to the respective ports on the 192.168.6.190 interface of one of the servers. I don’t have a separate subnet – I am assigned 8 IPs out of a 255.255.255.128 subnet… Other IPs belong to other colocated servers.
  3. One tricky part is an IPsec tunnel configured for one of the services we provide. This is the reason I’m trying to use pfSense and not IPCop, which I have been using for my home ADSL network. But this is not the main problem for now.
  4. Over the weekend I set up a test machine on my home network to create a configuration I could install tomorrow on a production pfSense firewall machine. And I can’t get it to run as I want it to…
  5. Test configuration. My test firewall is running the following config: WAN – static 192.168.1.48 (my home network is 192.168.1.1/24). LAN – static 192.168.6.254. On the LAN side I connected a test server and assigned it the 192.168.6.55 address. It connects to the internet fine. I have unchecked the option to block reserved IPs on the WAN interface (my “outside” world is for now 192.168.1.1/24). I am trying to access port 80 of 192.168.6.55 from the 192.168.1.1/24 network.
  6. What I tried.

- I have added a 192.168.1.55 -> 192.168.6.55 1:1 NAT and firewall rules to allow ICMP and port 80 to 192.168.1.55. No reply from ping to 192.168.1.55.
- I have added 192.168.1.55/32 as a Virtual IP. No change.
- I have tried to ping 192.168.1.55 on the pfSense machine – no reply.
- ifconfig doesn’t show 192.168.1.55 anywhere…


What am I doing wrong? Do I have to assign aliases to the network interface (like eth0:1 on Linux)? How?


Thanks

Jan Slusarczyk

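The symptom described in the post (the mapped address never appears in ifconfig and nothing answers ping) is what you see when the 1:1 NAT rule exists but the firewall never claims the mapped address on the WAN segment, so no host on 192.168.1.0/24 gets an ARP reply for it and the binat rule never sees a packet. Below is an added check for exactly that condition, not part of this e-mail; it runs over constructed `ifconfig` and `pfctl -sn` output, and the interface names em0 (WAN) and em1 (LAN) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: an offline check that a 1:1 NAT
# public address is bound to the WAN interface and has a matching binat rule.
# Interface names and all command output are constructed; on a real pfSense
# box feed it the output of `ifconfig` and `pfctl -sn` instead.

WAN_IF="em0"               # assumed WAN interface name
PUBLIC_IP="192.168.1.55"   # address on the "outside" test network
PRIVATE_IP="192.168.6.55"  # test server behind the LAN interface

# Constructed ifconfig output: WAN has only its primary address (post's symptom).
IFCONFIG_BEFORE='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.48 netmask 0xffffff00 broadcast 192.168.1.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.6.254 netmask 0xffffff00 broadcast 192.168.6.255'

# Constructed output after a /32 alias for the public address is on the WAN.
IFCONFIG_AFTER='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.1.48 netmask 0xffffff00 broadcast 192.168.1.255
        inet 192.168.1.55 netmask 0xffffffff broadcast 192.168.1.55
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.6.254 netmask 0xffffff00 broadcast 192.168.6.255'

# Constructed `pfctl -sn` output: outbound NAT plus the 1:1 (binat) mapping.
NAT_RULES='nat on em0 inet from 192.168.6.0/24 to any -> 192.168.1.48
binat on em0 inet from 192.168.6.55 to any -> 192.168.1.55'

# Succeeds only if interface $2 lists "inet $3" in the ifconfig text $1.
vip_bound() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v ip="$3" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }      # new interface block
        /^[ \t]+inet / && cur == ifc && $2 == ip { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Succeeds only if the NAT text $1 has a binat rule on $2 mapping $3 -> $4.
binat_present() {
    printf '%s\n' "$1" | grep -q "^binat on $2 .*from $3 to any -> $4\$"
}

# Prints one of: no-binat, no-alias, ok.  Without the alias (or a proxy-ARP
# virtual IP) nothing on the WAN segment answers ARP for $PUBLIC_IP.
check_one_to_one() {
    binat_present "$2" "$WAN_IF" "$PRIVATE_IP" "$PUBLIC_IP" || { echo no-binat; return 0; }
    vip_bound "$1" "$WAN_IF" "$PUBLIC_IP" || { echo no-alias; return 0; }
    echo ok
}

echo "before alias: $(check_one_to_one "$IFCONFIG_BEFORE" "$NAT_RULES")"  # no-alias
echo "after alias:  $(check_one_to_one "$IFCONFIG_AFTER" "$NAT_RULES")"   # ok
```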