Adding a public IP address to a system behind pfSense using NAT 1:1

In this scenario you have a pfSense “core” router connecting your network to the Internet. You want to assign a public IP address to one of your systems behind the router so it can be accessed from the Internet. But you still want the pfSense system in the path so it can act as a firewall.

In the diagram below, which mirrors a similar setup I manage, you have a main office connecting to a data center using a 1Gb/s fiber optic connection. From there it connects to the Internet using a 100Mb/s connection provided by the data center. There is a pfSense system at the main office acting as a proxy server and firewall, and an additional pfSense system at the data center acting as a NAT router and firewall.

(Diagram: pfsense_network)

The pfSense system at the data center, dcvpn01, connects to the Internet using a WAN address of x.x.x.x/30. It also has two LAN connections, one to the main office assigned 192.168.0.1/24, and one at the data center assigned 192.168.10.1/24. The pfSense system at the main office, movpn01, connects to the Internet using NAT from the IP address 192.168.0.2/24. The company also has a y.y.y.y/27 IP address block assigned to it for use on its servers.

For this example I am going to pretend the y.y.y.y/27 address block is 222.222.222.0/27. I want to assign the address 222.222.222.10/27 to a server on the data center network using the address 192.168.10.100/24. I want to assign the address 222.222.222.11/27 to a server on the main office network using the address 192.168.0.100/24.

So, first I have to create a virtual IP address for each system. Click Firewall -> NAT -> IP Alias and click the + sign to add a new alias. Enter the IP address information and a description, then click Save. Add the second host using the same process. Then click Apply.

(Screenshot: ipalias1)

Now we need to set up the 1:1 NAT relationship. This tells pfSense that anything arriving for 222.222.222.10 should be translated to 192.168.10.100, and anything for 222.222.222.11 translated to 192.168.0.100. Click Firewall -> NAT -> 1:1 and click the + sign to add a new 1:1 mapping. Enter the new IP address 222.222.222.10 as the external IP and 192.168.10.100 as the internal IP, enter a description, and click Save. Add the second host using the same process. Then click Apply.

(Screenshot: ipalias2)

Now we need to open the appropriate ports on the firewall. In this example I am opening the HTTP port, TCP 80. Click Firewall -> Rules and click the + sign to add a new rule. Enter the destination IP address as 192.168.10.100 (the internal address, since the 1:1 translation happens before the rule is evaluated), select the ports for HTTP, enter a description, and click Save. Add the second host using the same process. Then click Apply.

(Screenshot: ipalias3)

As long as there is no other firewall running on the server itself, and the address information was entered correctly, you should now be able to reach the server 192.168.10.100 using 222.222.222.10, and 192.168.0.100 using 222.222.222.11.
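The translate-then-filter order that the steps above depend on, modelled as an added Python example (this is not pfSense code; the function names are hypothetical and the addresses are the constructed 222.222.222.0/27 ones from this write-up). It shows why the WAN rule names the internal host, what happens to traffic for an unmapped public address, and a sanity check on the mappings themselves.

```python
"""Added model of pfSense 1:1 NAT on the WAN interface (not pfSense code).
pf applies binat translation before it evaluates filter rules, which is why the
WAN rule in the write-up names 192.168.10.100, not 222.222.222.10, as destination.
Addresses are the constructed ones from the text; function names are hypothetical."""
from ipaddress import ip_address, ip_network

PUBLIC_BLOCK = ip_network("222.222.222.0/27")   # stands in for the real y.y.y.y/27
LANS = [ip_network("192.168.0.0/24"), ip_network("192.168.10.0/24")]

# Firewall -> NAT -> 1:1 entries: external (virtual IP) -> internal host
ONE_TO_ONE = {
    "222.222.222.10": "192.168.10.100",
    "222.222.222.11": "192.168.0.100",
}

# Firewall -> Rules on WAN as (destination, protocol, port). The destination is the
# post-translation internal address; anything not listed is dropped (default deny).
WAN_PASS_RULES = [
    ("192.168.10.100", "tcp", 80),
    ("192.168.0.100", "tcp", 80),
]

def validate_mappings(mappings=None):
    """List problems: public side outside the /27, or private side not on a known LAN."""
    mappings = ONE_TO_ONE if mappings is None else mappings
    problems = []
    for pub, priv in mappings.items():
        if ip_address(pub) not in PUBLIC_BLOCK:
            problems.append(f"{pub} is not in {PUBLIC_BLOCK}")
        if not any(ip_address(priv) in lan for lan in LANS):
            problems.append(f"{priv} is not on a known LAN")
    return problems

def translate_inbound(dst):
    """binat, inbound: rewrite a WAN-side destination to its internal host if mapped."""
    return ONE_TO_ONE.get(dst, dst)

def translate_outbound(src):
    """binat is bidirectional: the mapped host's own traffic leaves with its public IP."""
    reverse = {priv: pub for pub, priv in ONE_TO_ONE.items()}
    return reverse.get(src, src)

def wan_inbound(dst, proto, port, rules=None):
    """NAT first, then filter. Return (allowed, address the rules were matched against)."""
    rules = WAN_PASS_RULES if rules is None else rules
    inner = translate_inbound(dst)
    return (inner, proto, port) in rules, inner
```

A rule whose destination is the public 222.222.222.10 never matches, because by the time filtering runs the packet is already addressed to 192.168.10.100.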

Change other options to suit your own needs.
