Case: Solving problem with NAT

Special NAT configuration with pfSense

1. The problem and solution

We have a WEB server installed on our LAN side.

The IP of this WEB server is hard coded on a software on all PCs.

We must give access from Internet to this server and need to move it on a DMZ.

We physically move the server and give him a new IP address from the DMZ subnet.

And for solve the ‘hard coded’ IP on all our PC software, we ‘simulate’ its presence with NAT.

2. Configuration of pfSense

Step 1 : Creating a Virtual IP

Create the Virtual IP of this server under menu Firewall=> Virtual IP

Add a new Virtual IP with these options :

• • Type : Proxy ARP (for pfSense response to ARP request to this IP)

  • Interface : LAN (It’s the interface where is the virtual server)

  • IP address : 192.168.1.10 (It the virtual IP of this server)

Step 2 : Create the NAT port forward rules

Now we will create a ‘port forward rule’ Firewall => NAT => Port forward Add a new rules with theses options :

• • Interface : LAN (It’s the interface where your PC came from)

  • External address : Select the previously created Virtual IP « 192.168.1.10 »

  • Protocol : TCP

  • External port range : HTTP (it’s the port used by PC for acces to the web server)

  • NAT IP : 192.168.2.10 (it’s the real IP address of the server in the DMZ)

  • Local port : HTTP (it’s the real TCP port where the web server)

  • Uncheck: Auto-add a firewall rules to permit traffic through this NAT rule (because, by default, all traffic is authorized from LAN interface to DMZ)