I have a root server at Hetzner, where I have the following setup:

Main IP (VMware box): 78.xxx.xxx.107
WAN IP (pfSense WAN interface): 78.xxx.xxx.121
Subnet: 5.xxx.xxx.144/29

The current setup of pfSense is the following:

Interfaces:
WAN - 78.xxx.xxx.121
PUBLAN - 5.xxx.xxx.145
NATLAN - 5.xxx.xxx.148
Under the PUBLAN interface, I have 4 VMs connected and working. Each VM is accessible through xxx.146, xxx.147, xxx.149, xxx.150. When those VMs are communicating with machines on the Internet, they are seen with the IP of the WAN interface. This is acceptable, but I would prefer if I could have 1:1 NAT here, so that if I assign for example 5.xxx.xxx.147 to one VM, it is seen with that IP as well as being accessible on that IP. (Hope you understand what I mean here.)
Under the NATLAN interface, I have an additional 4 VMs connected. However, these are port forwarded. I have 2 development Windows VMs here, so when I RDP to 5.xxx.xxx.147:3389, I get to 192.168.56.2. When I RDP to 5.xxx.xxx.147:3390, I get to the machine on 192.168.56.3.
Now, yesterday, I ordered another /29 subnet. I now also have 5.xxx.xxx.16/29
For this, I added a new vSwitch in VMware, and a new interface on the pfSense box. I named this interface PUBLAN2. I added the same outbound NAT here as on PUBLAN (except for the source and NAT address, of course):

Outbound NAT rule 1:
Interface -> WAN
Source -> 5.xxx.xxx.16/29
Source port -> *
Destination -> *
Destination port -> *
NAT Address -> WAN address
NAT port -> *
Static port -> Randomize source port

Outbound NAT rule 2:
Interface -> WAN
Source -> 5.xxx.xxx.16/29
Source port -> *
Destination -> *
Destination port -> 500
NAT Address -> WAN address
NAT port -> *
Static port -> Keep source port static

In the firewall rules, I added the following:
WAN -> Allow IPv4 * from any source and port to 5.xxx.xxx.18 on any port using any GW
PUBLAN2 -> Allow any protocol from any source to any destination

(These rules will be more restricted once I get things to work the way I want them to work.)
However, I can't get it to work properly... First of all, as with the VMs on PUBLAN, I want 5.xxx.xxx.18 to be seen as 5.xxx.xxx.18 as well as to be accessible at 5.xxx.xxx.18. (Is this 1:1 NAT?)
Also, the way that I configured it, the VM 5.xxx.xxx.18 is able to connect to the Internet (I can ping Google and I can connect over HTTP etc.). The VM can also access any machine that is behind the pfSense box, and any other machine on the other interfaces (NATLAN and PUBLAN) can access the VM on 5.xxx.xxx.18.
However, any machines on the other side of the WAN interface (my home PC for example) cannot connect to 5.xxx.xxx.18.
I have tried for the past 24 hours to figure this out, to no avail. Can somebody please help me find the solution(s) I need to get this to work?
Thank you!
/Rickard