Generally, the best way to handle something like this is to actually give the 
host the public IP, and avoid NAT altogether.

However, sometimes, that's not an option, and so you can use the following to 
trick the host into working as expected.

(Note that 192.0.2.x documentation IPs are used - these represent the public 
IPs)

ISP's Gateway: 192.0.2.1/24
Firewall WAN IP: 192.0.2.10/24
Server WAN IP: 192.0.2.11/24

Firewall's LAN IP: 10.0.0.1/24
Server's LAN IP: 10.0.0.11/24
Server's LAN IP #2: 192.0.2.11/32 (note the mask!)

ProxyARP on WAN for 192.0.2.11
Static route on firewall to 192.0.2.11 through 10.0.0.11 on LAN

What you're doing is telling the public switch (via ARP) that the firewall's 
MAC address has 192.0.2.11; therefore, the switch will send that MAC the 
traffic.  The firewall then says "that's not me - but I know where it needs 
to go, and I'm a router, so I'll take care of that for you".  It forwards the 
traffic to the internal LAN IP of the server, who says "Ah, that IP belongs to 
me, I'll route it internally to myself and accept it."

Bingo Presto - the public IP address is now bound to your internal server, and 
you can address the daemon, which will be listening on that public IP.

Best Regards,
Nathan Eisenberg
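
As an added illustration (not Nathan's configuration or any pfSense code), here is a small Python model of the routing decisions the setup above relies on: longest-prefix match on the firewall choosing the /32 static route over the connected WAN /24, and why the server's second address must carry a /32 rather than a /24 mask. The address plan is the one from the post; the route tables are a constructed reconstruction of what each host would hold.

```python
import ipaddress

# Address plan from the post (192.0.2.x are RFC 5737 documentation addresses
# standing in for the public range). The route tables below are constructed.

def lookup(routes, dst):
    """Longest-prefix match. Entries are (prefix, next_hop, iface);
    next_hop None means the prefix is directly connected on iface."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

FIREWALL_BASE = [
    ("192.0.2.0/24", None, "wan"),        # WAN 192.0.2.10/24 is connected here
    ("10.0.0.0/24", None, "lan"),         # LAN 10.0.0.1/24
    ("0.0.0.0/0", "192.0.2.1", "wan"),    # default via the ISP gateway
]
STATIC_ROUTE = ("192.0.2.11/32", "10.0.0.11", "lan")  # the route from the post

def firewall_forwards(dst, with_static_route=True):
    """Where the firewall sends a packet that proxy ARP pulled onto its WAN."""
    routes = FIREWALL_BASE + ([STATIC_ROUTE] if with_static_route else [])
    _net, next_hop, iface = lookup(routes, dst)
    return (next_hop, iface)

SERVER_LOCAL = {"10.0.0.11", "192.0.2.11"}   # both addresses on the server's LAN NIC

def server_routes(mask):
    """Server table for the second LAN address 192.0.2.11 with a given mask."""
    return [
        ("10.0.0.0/24", None, "lan"),
        (f"192.0.2.11/{mask}", None, "lan"),
        ("0.0.0.0/0", "10.0.0.1", "lan"),    # default via the firewall's LAN IP
    ]

def server_accepts(dst):
    """'That IP belongs to me': local delivery instead of forwarding."""
    return dst in SERVER_LOCAL

def server_egress(dst, mask=32):
    """How the server reaches dst: 'on-link' means it ARPs for dst on the LAN."""
    _net, next_hop, _iface = lookup(server_routes(mask), dst)
    return "on-link" if next_hop is None else f"via {next_hop}"
```

firewall_forwards("192.0.2.11") returns ('10.0.0.11', 'lan'), and without the static route the same packet would match the connected /24 and go back out the WAN; server_egress("192.0.2.10", 24) returns 'on-link', meaning a /24 mask would make the server ARP for the firewall's WAN address on the LAN segment where nothing answers, while the /32 sends it via 10.0.0.1.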

From: Karl Fife [mailto:[email protected]]
Sent: Thursday, December 31, 2009 6:52 AM
To: [email protected]
Subject: [pfSense Support] 1:1 NAT - bind actual external IP to an optional 
interface?

Like many, I use 1:1 NAT to give one of my public IP address to an internal 
host.  This works great for certain applications where the host (such as 
Asterisk) is 'smart' and can be made aware of the fact that the IP address 
bound to its own network interface differs from the one the outside world sees 
and should direct traffic to.  In the case of Asterisk, which must know its 
external IP to properly write SDP headers, Asterisk will look to the configured 
external IP address instead of the one it actually sees bound to its own NIC.  
No problems!

The problem arises when you've got a 'dumber' host that needs to function 
EXACTLY like it has an actual external IP address, but where the traffic needs 
to flow through pfSense (for shaping, policies, IDS/IPS).  I sometimes also 
wish that certain hosts with external addresses NOT have an internal address in 
the event that they become compromised/rooted etc.

Naturally, it would be ideal to bind the external IP address directly to an 
optional interface.   My understanding (possibly wrong) is that this was not 
possible (at least) with embedded 1.2-release.   Has anything changed in the 
1.2.1 or .2 or .3 release that would make this possible?  What about in the 2.0 
beta?   If I can make this work (or some creative variant of it) it will 
prevent me from needing to buy a number of Juniper routers.

Feedback very much appreciated!
-Karl
