Firewall – use the pfSense WAN IP as public IP for 1:1 NAT? What about port forwarding

firewallnat;pfsenseport-forwarding

I have a dual pfSense configuration with CARP. Both WAN interfaces are assigned consecutive WAN IP .150, .151. I think it is silly that pfSense would require them both to have these dedicated IP so I was wondering if it is possible that I could use 1:1 NAT and add their IP as Virtual (CARP) IP in the system. So:

pf0 - WAN IP .150
pf1 - WAN IP .151
CARP IP0 - .150
CARP IP1 - .151
1:1 NAT Entry .150 <-> 10.1.1.150
1:1 NAT Entry .151 <-> 10.1.1.151

If this is not possible, can I at least forward certain requests to certain ports (HTTP/S) @ .150, .151 to appropriate servers?

Port forward .150:80,443 <-> 10.1.1.150:80,443
Port forward .151:80,443 <-> 10.1.1.151:80,443

Best Answer

Generally speaking, No.

The IP "foot" for carp monitoring/communication is only present on ONE machine (the box it's assigned to). By definition it is not a redundant IP, and it shouldn't really be used for serving other traffic.

Take the following scenario as an example:

You configure port 80 on .150 (primary FW) and .151 (backup FW) to forward somewhere.
The primary FW fails.
- Now all traffic going to .150 is hitting a dead IP (your service on .150 is down).
The primary FW comes back and the secondary FW fails.
- Now the traffic going to .150 works again, but all the traffic to .151 is hitting a dead IP.

Related Solutions

iptables – Basic NAT Port Forwarding with iptables

   PC ----- Ubuntu 10 Server ----- Slashdot 
(1.2.3.4)      (5.6.7.8)        (216.34.181.45)

Enable the IP forwarding on Ubuntu:

echo 1 > /proc/sys/net/ipv4/ip_forward

and add the following rules:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT \
                                       --to-destination 216.34.181.45:80 
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 5.6.7.8

No.
You should use MASQUERADE if the Ubuntu has a dynamic IP:
```
iptables -t nat -A POSTROUTING -j MASQUERADE
```

You can also use SSH local port forwarding in this case by executing the below command on the Ubuntu:

$ ssh -L 5.6.7.8:8080:216.34.181.45:80 -N user@216.34.181.45

There's still another (or more) way to do this. Take a look at the rinetd:

Name       : rinetd
Arch       : i386
Version    : 0.62
Release    : 6.el5.art
Size       : 41 k
Repo       : installed
Summary    : TCP redirection server
URL        : http://www.boutell.com/rinetd
License    : GPL
Description: rinetd is a daemon which redirects TCP connections from one IP address
           : and port to another IP address and port. This daemon is often used to
           : access services behind a firewall.

The configuration is very simple. Add the belows line into /etc/rinetd.conf:

5.6.7.8 8080 216.34.181.45 80

and start:

# /etc/init.d/rinetd start
Starting rinetd:                                           [  OK  ]

It will do everything for you.

Virtualized pfSense 2.0.1 affecting Hyper-V host connectivity? arp

Did you checked the Event Viewer on the W2008R2 ?

Could be due to max TCP connections allowed by Windows: https://technet.microsoft.com/en-us/library/cc759700%28WS.10%29.aspx

pfSense as a software router uses lots of connections which can be opened but not closed, waiting status and so on. This kind of network use can achieve the default limits of TCP stack and windows could close or not allow more connections of this type. The first thing to do on this case it's to check Event Viewer to see if something it's reported there.

Best Answer

Related Solutions

iptables – Basic NAT Port Forwarding with iptables

Virtualized pfSense 2.0.1 affecting Hyper-V host connectivity? arp

Related Topic