Case: Solving a problem with NAT
Special NAT configuration with pfSense
1. The problem and solution
We have a web server installed on our LAN side.
The IP of this web server is hard-coded in a piece of software on all PCs.
We must give access to this server from the Internet, so it needs to move to a DMZ.
We physically move the server and give it a new IP address from the DMZ subnet.
To work around the hard-coded IP in the software on all our PCs, we 'simulate' its presence on the LAN with NAT.
2. Configuration of pfSense
Step 1: Creating a Virtual IP
Create the Virtual IP of this server under the menu Firewall => Virtual IP.
Add a new Virtual IP with these options:
Type: Proxy ARP (so that pfSense answers ARP requests for this IP)
Interface: LAN (the interface where the virtual server appears)
IP address: 192.168.1.10 (the virtual IP of this server)
Step 2: Create the NAT port forward rule
Now we create a 'port forward' rule under Firewall => NAT => Port forward. Add a new rule with these options:
Interface: LAN (the interface where your PCs' traffic comes from)
External address: select the previously created Virtual IP (192.168.1.10)
Protocol: TCP
External port range: HTTP (the port used by the PCs to access the web server)
NAT IP: 192.168.2.10 (the real IP address of the server in the DMZ)
Local port: HTTP (the real TCP port on which the web server listens)
Uncheck: Auto-add a firewall rule to permit traffic through this NAT rule (because, by default, all traffic is allowed from the LAN interface to the DMZ)
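As an added illustration (not part of the original how-to), a small Python model of what the two steps above make pfSense do: answer ARP for the virtual IP on the LAN, rewrite HTTP packets from a PC to the virtual IP so they reach the DMZ server, and translate the server's reply back so the PC still sees the hard-coded address. The state table is a simplification of pf's, and the interface names "LAN" and "DMZ" are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("LAN" or "DMZ", assumed names)
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int

# Step 1: the Proxy ARP virtual IP that pfSense answers ARP requests for on LAN.
VIRTUAL_IPS = {("LAN", "192.168.1.10"): "proxyarp"}

# Step 2: the port forward, using the page's addresses and HTTP = TCP/80.
PORT_FORWARD = {
    "iface": "LAN", "proto": "TCP",
    "external_ip": "192.168.1.10", "external_port": 80,
    "nat_ip": "192.168.2.10", "local_port": 80,
}

# Simplified stand-in for pf's state table: (proto, client, client port)
# -> (external ip, external port) the client originally talked to.
STATE = {}

def answers_arp(iface, ip):
    """True if pfSense will answer an ARP request for ip on this interface."""
    return VIRTUAL_IPS.get((iface, ip)) == "proxyarp"

def translate_inbound(pkt):
    """Apply the port forward to a packet from the LAN; anything else is untouched."""
    r = PORT_FORWARD
    match = (pkt.iface, pkt.proto, pkt.dst, pkt.dport) == (
        r["iface"], r["proto"], r["external_ip"], r["external_port"])
    if not match:
        return pkt
    STATE[(pkt.proto, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
    return replace(pkt, dst=r["nat_ip"], dport=r["local_port"])

def translate_reply(pkt):
    """Rewrite the DMZ server's reply so the PC sees it come from the virtual IP."""
    key = (pkt.proto, pkt.dst, pkt.dport)
    if key not in STATE:
        return pkt
    ext_ip, ext_port = STATE[key]
    return replace(pkt, src=ext_ip, sport=ext_port)
```

One check worth keeping in mind: pfSense evaluates firewall rules after the port forward has rewritten the destination, so if the LAN-to-DMZ rules have been restricted, a pass rule for TCP to 192.168.2.10 port 80 is still needed even though the PCs address 192.168.1.10.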