[pfSense] creating a 1:1 NAT WAN to DMZ
Chris Buechler
cmb at pfsense.org
Wed Feb 15 21:16:15 EST 2012
On Wed, Feb 15, 2012 at 8:57 PM, Jason T. Slack-Moehrle
<slackmoehrle at gmail.com> wrote:
> Hi Yehuda,
>
>> On Wed, Feb 15, 2012 at 8:04 PM, Jason T. Slack-Moehrle <slackmoehrle at gmail.com (mailto:slackmoehrle at gmail.com)> wrote:
>> > Hi All,
>> >
>> > My struggle continues.
>> >
>> > So basically:
>> > 1. I have 5 IP's from Comcast in a /29.
>> > 2. I want my firewall assigned 75.149.xx.25 but want it to answer for my entire /29.
>> > 3. Create a 1:1 NAT for each public IP except .25. (so .26, .27, .28, .29, etc)
>> > 4. Open Port 80 (and a few others) to .27 (the only IP I am using as of today)
>> >
>> > Here are screen shots of what I have so far:
>> >
>> > http://6colors.net/1-to-1_nat.png
>> > http://6colors.net/alias_list.png
>> > http://6colors.net/interfaces.png
>> > http://6colors.net/outbound_nat.png
>> > http://6colors.net/virtual_ips.png
>> > http://6colors.net/wan_rules.png
>> >
>> > Can anyone shed some light on what is going on? I just cannot simply get to the server after doing this.
>> >
>> We had a similar issue on Verizon. We allowed all ICMP pings through the firewall and tried to ping each address. The primary (assigned to the pfSense) responded and the others did not. It seems that the pfSense was not properly picking up the ARP requests unless it was the primary IP. (We did some other testing by connecting a computer to act as a packet sniffer in between the NOC and the pfSense. We never got around to figuring out why it did not work, since we found a workaround.)
>> We "solved" the problem by setting the primary interface IP to each of our IPs in turn and pinged it and then fixing the Virtual IP configuration.
>> We only had to do that once and it has run fine ever since.
>
> I don't follow what this means exactly and how to test this on my setup to see if it solves my problem.
>
It means use IP aliases instead of proxy ARP VIPs. In some
circumstances, with some upstream ISP equipment, proxy ARP is
inadequate but IP aliases work fine. At times that's because only IP
aliases force the upstream ARP cache to wake up and update (though
usually it requires a time out) and the IPs were previously used on
something else.
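An added example, not from this thread or from the pfSense project: a small audit that reads a pfSense config.xml fragment and reports, for every 1:1 NAT external address, whether the firewall has a VIP for it and whether that VIP is still proxy ARP rather than an IP alias. The config.xml element names (`virtualip/vip` with `mode`, `interface`, `subnet`; `nat/onetoone` with `external`) are assumed from pfSense 2.x; the sample config and the 203.0.113.24/29 block are constructed stand-ins for the poster's /29.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config.xml fragment (assumed pfSense 2.x layout, not a real export).
SAMPLE_CONFIG = """<pfsense>
  <virtualip>
    <vip><mode>proxyarp</mode><interface>wan</interface>
         <subnet>203.0.113.26</subnet><subnet_bits>32</subnet_bits><descr>spare</descr></vip>
    <vip><mode>proxyarp</mode><interface>wan</interface>
         <subnet>203.0.113.27</subnet><subnet_bits>32</subnet_bits><descr>web</descr></vip>
    <vip><mode>ipalias</mode><interface>wan</interface>
         <subnet>203.0.113.28</subnet><subnet_bits>32</subnet_bits><descr>vpn</descr></vip>
  </virtualip>
  <nat>
    <onetoone><interface>wan</interface><external>203.0.113.27</external>
              <source><address>10.0.10.27</address></source><destination><any/></destination></onetoone>
    <onetoone><interface>wan</interface><external>203.0.113.28</external>
              <source><address>10.0.10.28</address></source><destination><any/></destination></onetoone>
    <onetoone><interface>wan</interface><external>203.0.113.29</external>
              <source><address>10.0.10.29</address></source><destination><any/></destination></onetoone>
    <onetoone><interface>wan</interface><external>198.51.100.5</external>
              <source><address>10.0.10.5</address></source><destination><any/></destination></onetoone>
  </nat>
</pfsense>"""


def audit_vips(config_xml, wan_block):
    """Map each 1:1 NAT external address to a finding about its WAN VIP."""
    root = ET.fromstring(config_xml)
    block = ipaddress.ip_network(wan_block)
    # WAN VIPs keyed by address -> mode (proxyarp, ipalias, carp, ...)
    vips = {}
    for vip in root.iterfind("./virtualip/vip"):
        addr = vip.findtext("subnet")
        if vip.findtext("interface") == "wan" and addr:
            vips[addr] = vip.findtext("mode")
    findings = {}
    for rule in root.iterfind("./nat/onetoone"):
        ext = rule.findtext("external")
        if ext is None or ipaddress.ip_address(ext) not in block:
            findings[ext] = "outside WAN block"
        elif ext not in vips:
            findings[ext] = "no VIP: the firewall will not answer ARP for this address"
        elif vips[ext] == "proxyarp":
            findings[ext] = "proxyarp VIP: switch to ipalias if upstream ARP never learns it"
        else:
            findings[ext] = "ok (%s)" % vips[ext]
    return findings


if __name__ == "__main__":
    for ext, note in sorted(audit_vips(SAMPLE_CONFIG, "203.0.113.24/29").items()):
        print(ext, "->", note)
```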