Case: Solving problem with NAT

Special NAT configuration with pfSense

1. The problem and solution

We have a WEB server installed on our LAN side.

The IP of this WEB server is hard coded on a software on all PCs.

We must give access from Internet to this server and need to move it on a DMZ.

We physically move the server and give him a new IP address from the DMZ subnet.

And for solve the ‘hard coded’ IP on all our PC software, we ‘simulate’ its presence with NAT.

pfSense NAT problem

2. Configuration of pfSense

Step 1 : Creating a Virtual IP

Create the Virtual IP of this server under menu Firewall=> Virtual IP

Add a new Virtual IP with these options :

    • Type : Proxy ARP (for pfSense response to ARP request to this IP)

    • Interface : LAN (It’s the interface where is the virtual server)

    • IP address : (It the virtual IP of this server)

pfSense NAT Virtual IP

Step 2 : Create the NAT port forward rules

Now we will create a ‘port forward rule’ Firewall => NAT => Port forward Add a new rules with theses options :

    • Interface : LAN (It’s the interface where your PC came from)

    • External address : Select the previously created Virtual IP « »

    • Protocol : TCP

    • External port range : HTTP (it’s the port used by PC for acces to the web server)

    • NAT IP : (it’s the real IP address of the server in the DMZ)

    • Local port : HTTP (it’s the real TCP port where the web server)

    • Uncheck: Auto-add a firewall rules to permit traffic through this NAT rule (because, by default, all traffic is authorized from LAN interface to DMZ)

pfSense NAT rules