On Tue, Mar 31, 2009 at 12:52 AM, Kipton Moravec <[email protected]> wrote:
>> Does it matter if the two systems that need public IPs have
>> (1:1/Server) NAT in front of them?
>
> Yes. But I also want to block services that they should not be
> supporting.

I assume you meant that it doesn't matter if there is inbound NAT in
front of the systems.

You can filter 1:1 NAT but if you don't need "full exposure" you are
probably better off configuring individual inbound NAT on a
port-by-port basis.

> I meant more of case of multiple computers that only need to get out,
> and do not need to be accessed from the Internet. My terminology is not
> up to speed yet.

Ahh, outbound NAT only; by default pfSense will do that for you.

> If I specify the WAN interface as x.x.x.208 /29
> Then my firewall Card sees all 8 addresses. x.x.x.208  to x.x.x.215
>
> My PFSense Firewall is x.x.x.209
>
> Then my firewall rules can specify what to do in the specific cases of
> x.x.x.209
> x.x.x.210
> x.x.x.211
> x.x.x.212
> x.x.x.213
>
> Is that how it works?

No.

If your IP block was x.x.x.208/29 you set your modem/router up as
x.x.x.209, WAN interface on the firewall is x.x.x.210/29, then set up
Proxy ARP virtual IP addresses on WAN for the other IPs in the network
that you're interested in (note in the case of VIPs the IPs should be
set as x.x.x.211/32, x.x.x.212/32 and so on).

Proxy ARP basically means that pfSense will respond to ARP requests
for the configured VIPs as well as its configured WAN interface
address, hence it will see the traffic on them, then you can configure
inbound NAT on the VIP to pass the appropriate port(s) through to the
appropriate internal IP address (with the appropriate firewall rules).

If you need real time assistance with the setup the IRC channel is
generally pretty good for relatively simple stuff like this.
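An added illustration of the addressing plan above, written for this page and not taken from the thread or from pfSense itself: a small Python planner that derives the Proxy ARP VIP list from a /29 block (excluding the network, broadcast, the modem/router gateway and the firewall's own WAN address, and expressing each VIP as a /32) and then checks a proposed set of per-port inbound NAT entries for the mistakes that commonly bite such a setup, such as forwarding to an address that is not a VIP, two forwards colliding on the same VIP/protocol/port, or an "internal" target that is not a private address. The block 198.51.100.208/29 and the 10.0.0.x hosts are constructed stand-ins for the x.x.x.208/29 block and LAN machines in the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PortForward:
    """One per-port inbound NAT entry (a pfSense-style port forward)."""
    vip: str            # public address; must be one of the Proxy ARP VIPs
    proto: str          # "tcp" or "udp"
    port: int           # public port exposed on the VIP
    internal_ip: str    # LAN host that actually provides the service
    internal_port: int  # port the service listens on internally


def plan_vips(block: str, gateway: str, wan_ip: str) -> List[str]:
    """Return the /32 VIP addresses available in `block`.

    The network and broadcast addresses are never usable, the gateway
    (modem/router) and the firewall's WAN address are taken, and every
    remaining host address becomes a Proxy ARP VIP written as a /32.
    """
    net = ipaddress.ip_network(block, strict=True)   # rejects non-aligned blocks
    gw = ipaddress.ip_address(gateway)
    wan = ipaddress.ip_address(wan_ip)
    if gw not in net or wan not in net:
        raise ValueError("gateway and WAN address must lie inside the block")
    if gw == wan:
        raise ValueError("gateway and WAN address cannot be the same host")
    # hosts() already excludes the network and broadcast addresses
    return [f"{h}/32" for h in net.hosts() if h not in (gw, wan)]


def validate_forwards(forwards: List[PortForward], vips: List[str]) -> List[str]:
    """Check a set of port forwards against the planned VIPs.

    Returns a list of human-readable problems; an empty list means the
    plan is consistent with the "one port at a time" approach.
    """
    problems = []
    vip_addrs = {v.split("/")[0] for v in vips}
    seen = set()
    for f in forwards:
        if f.vip not in vip_addrs:
            problems.append(f"{f.vip} is not a planned VIP (gateway, WAN or outside block)")
        if f.proto.lower() not in ("tcp", "udp"):
            problems.append(f"{f.vip}:{f.port} uses unsupported protocol {f.proto!r}")
        for p in (f.port, f.internal_port):
            if not 1 <= p <= 65535:
                problems.append(f"{f.vip}: port {p} out of range")
        key = (f.vip, f.proto.lower(), f.port)
        if key in seen:
            problems.append(f"duplicate forward for {f.vip} {f.proto}/{f.port}")
        seen.add(key)
        if not ipaddress.ip_address(f.internal_ip).is_private:
            problems.append(f"{f.internal_ip} is not a private (RFC 1918) LAN address")
    return problems


# Constructed sample: documentation-range block standing in for x.x.x.208/29,
# modem/router at .209, firewall WAN at .210, as in the thread.
SAMPLE_VIPS = plan_vips("198.51.100.208/29", "198.51.100.209", "198.51.100.210")

SAMPLE_FORWARDS = [
    PortForward("198.51.100.211", "tcp", 443, "10.0.0.10", 443),   # web server, HTTPS only
    PortForward("198.51.100.212", "tcp", 22, "10.0.0.20", 22),     # admin host, SSH only
    PortForward("198.51.100.212", "tcp", 22, "10.0.0.21", 22),     # mistake: same VIP/port twice
    PortForward("198.51.100.210", "tcp", 80, "10.0.0.10", 80),     # mistake: that is the WAN address
]

if __name__ == "__main__":
    print("VIPs:", SAMPLE_VIPS)
    for issue in validate_forwards(SAMPLE_FORWARDS, SAMPLE_VIPS):
        print("PROBLEM:", issue)
```

Running the block lists the four VIPs (.211 through .214 as /32) and flags the two deliberate mistakes; each VIP only ever receives the ports it explicitly forwards, which is the reduced exposure the reply recommends over 1:1 NAT.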
