
Silvan Michael Gebhardt

Entrepreneur, Computer Scientist, Network Operator


If someone else is using 1:1 NAT on their pfSense (or m0n0wall) as well, here are some tips. Don't judge the use of NAT: I only do it if I have to or if it is the best option in the situation, e.g. when I need to work around restrictions. I had to do that today as I was provisioning a VM on the internal server farm, but needed to make it available outside of the web firewalls because of another service running on it.

It was not clear to me from the manual on the web page how I need to use it. I have two subnets: one is a private range (LAN) and one is a public range (DMZ).

I have a public IP on the WAN side which is the target IP for the route to the DMZ. Now I wanted to make a VM in the LAN visible in the DMZ, a VM that I did not want to move over directly (I had no spare server in the DMZ at the time, and needed to deploy fast).

Create a new IP alias in pfSense: interface = the DMZ interface, type = IP Alias. Then create the rule under Firewall > NAT > 1:1, but this time choose the WAN interface. If you choose the DMZ interface here, all you get is traffic to the firewall itself, and nothing is forwarded further.

Then I allowed traffic to the DMZ IP address. This was unfortunately not sufficient, whereas with a normal port forward you would get a firewall rule created that already works. With 1:1 NAT you NEED to add a firewall rule allowing the desired traffic to the INTERNAL LAN IP of the HOST you are trying to make available.

That should be sufficient.
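To make the last point concrete, here is an added example (my own illustration, not code from the post or from the pfSense project) that models why the pass rule has to name the internal host: on a pf-based firewall such as pfSense the 1:1 (binat) translation is applied to an inbound packet before the filter rules are evaluated, so a rule written against the DMZ alias never matches. The addresses are constructed from the documentation ranges and stand in for the author's public DMZ and private LAN; the `lint_rules` helper is a hypothetical check of my own that flags rules pointing at the external side of a mapping.

```python
"""Model of how a pf-based firewall (pfSense, m0n0wall) treats a 1:1 NAT mapping:
the inbound packet is translated first, then filtered, so the filter rule must
name the internal (post-NAT) address. Added example, not pfSense's own code."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address

# Constructed addresses (documentation ranges), not the author's real ones.
INTERNAL_HOST = ip_address("10.0.0.50")   # VM on the LAN that should become reachable
DMZ_ALIAS = ip_address("192.0.2.50")      # IP alias created on the DMZ interface
CLIENT = ip_address("198.51.100.7")       # some host on the Internet
MAPPING = {DMZ_ALIAS: INTERNAL_HOST}      # the 1:1 NAT entry: external -> internal


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class PassRule:
    """A stateful 'pass in quick' rule; first match wins, default is deny."""
    dst: IPv4Address
    dport: int
    proto: str = "tcp"


def binat_inbound(pkt: Packet, mapping: dict) -> Packet:
    """Rewrite the destination of an inbound packet that hits a 1:1 mapping."""
    if pkt.dst in mapping:
        return replace(pkt, dst=mapping[pkt.dst])
    return pkt


def binat_outbound(pkt: Packet, mapping: dict) -> Packet:
    """1:1 NAT is bidirectional: traffic from the internal host leaves with the
    external (alias) address as its source."""
    reverse = {internal: external for external, internal in mapping.items()}
    if pkt.src in reverse:
        return replace(pkt, src=reverse[pkt.src])
    return pkt


def filter_inbound(pkt: Packet, rules: list) -> str:
    """Default-deny, first-match filter; returns 'pass' or 'block'."""
    for r in rules:
        if r.proto == pkt.proto and r.dst == pkt.dst and r.dport == pkt.dport:
            return "pass"
    return "block"


def inbound_decision(pkt: Packet, mapping: dict, rules: list) -> str:
    """Translate, THEN filter: the order that makes the DMZ-alias rule useless."""
    return filter_inbound(binat_inbound(pkt, mapping), rules)


def lint_rules(mapping: dict, rules: list) -> list:
    """Hypothetical sanity check: report pass rules whose destination is the
    external side of a 1:1 mapping, since the filter only ever sees the
    translated internal address."""
    findings = []
    for r in rules:
        if r.dst in mapping:
            findings.append(
                f"rule for {r.dst}:{r.dport} will never match; use internal {mapping[r.dst]}"
            )
    return findings


if __name__ == "__main__":
    pkt = Packet(src=CLIENT, dst=DMZ_ALIAS, dport=443)
    wrong = [PassRule(dst=DMZ_ALIAS, dport=443)]      # rule on the DMZ alias
    right = [PassRule(dst=INTERNAL_HOST, dport=443)]  # rule on the internal LAN IP
    print("rule on DMZ alias:   ", inbound_decision(pkt, MAPPING, wrong))
    print("rule on internal IP: ", inbound_decision(pkt, MAPPING, right))
    for finding in lint_rules(MAPPING, wrong):
        print("warning:", finding)
    reply = Packet(src=INTERNAL_HOST, dst=CLIENT, dport=51000)
    print("outbound source after 1:1:", binat_outbound(reply, MAPPING).src)
```

Running it shows the packet blocked under the alias rule and passed under the internal-IP rule, and the lint call flags the alias rule as one that can never match; the same reasoning is what makes the WAN-interface choice for the 1:1 entry matter, since the translation has to happen where the packet enters.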