Russ,

It sounds like you're vastly over-thinking this. Setting up a 1:1 NAT is relatively straightforward.

1) Create a VIP (type CARP or type Proxy ARP). This is a VIP attached to your WAN and should reflect a public (see also: routable) IP address that the Internet will use to contact the machine in question.

2) Create a 1:1 NAT mapping, map the public IP address (your VIP) to the private IP address of the machine you're trying to make publicly available.

3) Create firewall rules allowing whatever services you wish to make available. These rules *must* reference the _private_ IP address of the machine you're making publicly accessible.

4) Reload your filter and test. At this point, traffic should flow.

-Gary
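As an added illustration of the steps above and of Chris's point in the quoted reply that NAT happens before filtering: the following Python model is example code written for this thread, not pfSense or pf code. It uses the addresses Russ posted; the remote client address, the rule labels and the first-match evaluation (standing in for pf's `quick` rules) are constructed assumptions.

```python
"""Toy model of a pfSense WAN's inbound path: 1:1 NAT rewrites the
destination address first, then the firewall rules are evaluated.
Added example for this thread, not pfSense or pf code. The addresses
are the ones Russ posted; the rule labels and the remote source
address are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address (public before NAT, private after)
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "pass" or "block"
    proto: str            # "tcp", "udp" or "any"
    src: str              # CIDR network or "any"
    dst: str              # CIDR network or "any"
    dport: Optional[int]  # None means any port
    label: str

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


# Steps 1 and 2 of Gary's recipe: the public VIP and its 1:1 mapping to the host.
BINAT: Dict[str, str] = {"208.83.93.19": "10.0.1.14"}

# The catch-all rule from Russ's log; modelled here as the final fallback,
# since (as Chris says) it cannot be disabled.
DEFAULT_BLOCK = Rule("block", "any", "any", "any", None,
                     "Default block all just to be sure.")


def translate_inbound(pkt: Packet) -> Packet:
    """1:1 NAT on the inbound path: a mapped public destination becomes the
    private host address. Unmapped destinations pass through untouched."""
    return Packet(pkt.proto, pkt.src, BINAT.get(pkt.dst, pkt.dst), pkt.dport)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """NAT first, then the WAN rules. First match wins here (a simplifying
    assumption standing in for pf's 'quick' rules); anything unmatched
    falls through to the default block."""
    translated = translate_inbound(pkt)
    for rule in rules:
        if rule.matches(translated):
            return rule.action, rule.label
    return DEFAULT_BLOCK.action, DEFAULT_BLOCK.label


# Russ's rule as posted: destination is the public IP, so it never sees the
# post-NAT packet and the traffic falls to the default block.
RULE_PUBLIC_DST = [Rule("pass", "tcp", "any", "208.83.93.19/32", 80, "HTTP to public IP")]

# The rule Gary (step 3) and Chris describe: destination is the private IP.
RULE_PRIVATE_DST = [Rule("pass", "tcp", "any", "10.0.1.14/32", 80, "HTTP to private IP")]


def demo() -> Dict[str, Tuple[str, str]]:
    """Run a few constructed inbound packets through both rulesets."""
    remote = "198.51.100.7"  # constructed client address (documentation range)
    http = Packet("tcp", remote, "208.83.93.19", 80)
    ssh = Packet("tcp", remote, "208.83.93.19", 22)
    unmapped = Packet("tcp", remote, "208.83.93.20", 80)  # in the /29, but no VIP/mapping
    return {
        "public_dst_rule_http": evaluate(RULE_PUBLIC_DST, http),
        "private_dst_rule_http": evaluate(RULE_PRIVATE_DST, http),
        "private_dst_rule_ssh": evaluate(RULE_PRIVATE_DST, ssh),
        "private_dst_rule_unmapped": evaluate(RULE_PRIVATE_DST, unmapped),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:26s} -> {verdict[0]:5s} ({verdict[1]})")
```

Running it shows the failure mode from the thread: the pass rule written against the public address never matches anything and the HTTP request lands on the default block, exactly what Russ saw in his log. Only the rule against the private address passes port 80, and an address in the /29 that has no VIP and no mapping is never translated, so it is blocked as well.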

Russ Bennett wrote:
First, Thanks for everyone's help.

The 1:1 NAT I have: WAN  208.83.93.19/32 -> 10.0.1.14/32

Firewall rule I have:

Proto   Source  Port    Destination     Port        Gateway
TCP     *       *       208.83.93.19    80 (HTTP)   *

I've got six IP addresses 3 of which are used for router and pfsense box
208.83.93.16/29

Do these IP addresses need to be put in as virtual IPs?

Russ


-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2007 5:22 PM
To: [email protected]
Subject: Re: [pfSense Support] 1:1 at wits end

Russ Bennett wrote:
Hello,

I've set up a 1:1 NAT and entered in the rules. Nothing was getting
through, so I looked at the log and I can see the rule getting hit
properly, except within the log I get the following message:

The rule that triggered this action is:
@45 block drop in log quick all label "Default block all just to be
sure."

Where do I go to disable this "Default block all just to be sure."
rule?


That's matching the default block all, which means it didn't match any of the rules you defined. You can't disable the default deny rule; what you need to do is put in a rule that matches the traffic you want to permit. For 1:1 NAT, that means a rule on the WAN with the appropriate source port (any), source IP/network (whatever you want), destination IP (the private, internal IP - NAT happens first), and destination port.


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

