I probably am overthinking this... I tend to do that often.

Anyhow, I believe I am having success:

1.  I created the VIP with the /29 block I was given.
2.  I created the 1:1 208.83.93.19/32 -> 10.0.1.14/32
3.  I created the firewall rule
    Proto   Source  Port    Destination     Port    Gateway
    TCP     *       *       10.0.1.14       80      *
4.  In the logs, I get a green that says
    @41 pass in log quick on bge1 inet proto tcp from any to 10.0.1.14
    port=http keep state label "USER_Rule:Web Interface"
5.  The web interface does not come up in the browser
6.  The web internal IP is pingable from the LAN connection of the pf
    device.

So does item 4 above mean that it did validate the rule and I should be
seeing the web interface I am testing with?

I verified on my other network that the web interface was working and is
accessible.  The lan connection of the pf is on the same network as this
web interface so I shouldn't have to create a static route.  I'm
stumped.

Russ


-----Original Message-----
From: Gary Buckmaster [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, December 12, 2007 8:25 AM
To: [email protected]
Subject: Re: [pfSense Support] 1:1 at wits end

Russ,

It sounds like you're vastly over-thinking this.  Setting up a 1:1 NAT 
is relatively straightforward. 

1) Create a VIP (type CARP or type Proxy ARP). This is a VIP attached to
your WAN and should reflect a public (see also: routable) IP address
that the Internet will use to contact the machine in question.

2) Create a 1:1 NAT mapping, map the public IP address (your VIP) to the
private IP address of the machine you're trying to make publicly
available.

3) Create firewall rules allowing whatever services you wish to make
available.  These rules *must* reference the _private_ IP address of the
machine you're making publicly accessible.

4) Reload your filter and test.  At this point, traffic should flow. 

-Gary

Russ Bennett wrote:
> First, Thanks for everyone's help.
>
> The nat 1:1 I have
> WAN 208.83.93.19/32  10.0.1.14/32
>
> Firewall Rule I have
> Proto   Source  Port    Destination     Port        Gateway
> TCP     *       *       208.83.93.19    80 (HTTP)   *
>
> I've got six IP addresses, 3 of which are used for router and pfsense
> box
> 208.83.93.16/29
>
> Do these ip addresses need to be put in as virtual ip's?
>
> Russ
>
>
> -----Original Message-----
> From: Chris Buechler [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, December 11, 2007 5:22 PM
> To: [email protected]
> Subject: Re: [pfSense Support] 1:1 at wits end
>
> Russ Bennett wrote:
>> Hello,
>>
>> I've setup a 1:1 nat and entered in the rules.  Nothing was getting
>> through so I looked at the log and I can see the rule getting hit
>> properly except within the log I get the following message
>>
>> The rule that triggered this action is:
>> @45 block drop in log quick all label "Default block all just to be
>> sure."
>>
>> Where do I go to disable this "Default block all just to be sure."
>> Rule?
>
> That's matching the default block all, which means it didn't match any
> of the rules you defined. You can't disable the default deny rule,
> what you need to do is put in a rule that matches the traffic you want
> to permit. For 1:1 NAT, that means a rule on the WAN with the
> appropriate source port (any), source IP/network (whatever you want),
> destination IP (the private, internal IP - NAT happens first), and
> destination port.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>


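The ordering point Chris makes (1:1 NAT rewrites the destination before the filter evaluates the WAN rules, so the pass rule must name the private address) as an added, simplified Python model of the pipeline; this is not pfSense or pf code and not from the thread. The VIP, internal host, port and labels are taken from the messages above; the Rule class, the function names and the "first matching quick rule wins" simplification are my own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed from the thread: 1:1 mapping of the public VIP to the internal host.
BINAT = {"208.83.93.19": "10.0.1.14"}

@dataclass
class Rule:
    action: str            # "pass" or "block"
    proto: str             # "tcp", "udp" or "any"
    dst: str               # destination host/network in CIDR form, or "any"
    dport: Optional[int]   # destination port, None means any
    label: str

def translate_inbound(dst_ip: str) -> str:
    """1:1 NAT on WAN rewrites the destination before the filter sees the packet."""
    return BINAT.get(dst_ip, dst_ip)

def rule_matches(rule: Rule, proto: str, dst_ip: str, dport: int) -> bool:
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dst != "any" and ip_address(dst_ip) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True

def filter_inbound(rules: List[Rule], proto: str, dst_ip: str, dport: int) -> Tuple[str, str]:
    """Simplified model: NAT first, then the first matching (quick) rule decides."""
    nat_dst = translate_inbound(dst_ip)
    for rule in rules:
        if rule_matches(rule, proto, nat_dst, dport):
            return rule.action, rule.label
    return "block", "no rule"  # not reached while the default block is last

DEFAULT_BLOCK = Rule("block", "any", "any", None, "Default block all just to be sure.")

# Russ's first rule named the public VIP: post-NAT it never matches, so the
# packet falls through to the default block seen in his log.
public_ip_ruleset = [Rule("pass", "tcp", "208.83.93.19/32", 80, "USER_Rule:Web Interface"), DEFAULT_BLOCK]
# Corrected rule names the private address, which is what the filter sees post-NAT.
private_ip_ruleset = [Rule("pass", "tcp", "10.0.1.14/32", 80, "USER_Rule:Web Interface"), DEFAULT_BLOCK]

if __name__ == "__main__":
    for name, rs in (("public-IP rule", public_ip_ruleset), ("private-IP rule", private_ip_ruleset)):
        print(name, "->", filter_inbound(rs, "tcp", "208.83.93.19", 80))
```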