How do I assign a public IP to a machine behind a pfSense box using 1:1 NAT?
This should be dead simple but for the life of me, I can't get it working. I must be doing something stupid.
I have a PFsense server with a public IP address. Behind it is three LAN segments:
[ Internet ] <---> [ pfSense]
+----- 192.168.1.1/24 ---> (multiple servers)
+----- 192.168.2.1/24 ---> (multiple servers)
+----- 172.16.1.1/24 ---> (multiple machines)
I have a new server with address 192.168.1.31
behind the pfSense server, and I want to give it a public IP. I assumed I would do this with a 1:1 NAT, but no matter what I ahve tried, it's not working. Here's what I did:
- In pfSense, I added a Virtual IP to the WAN interface with the new public IP I wanted. The first time, I used an "IP Alias" type.
- I added a 1:1 NAT rule with the new public IP as the external subnet, and
192.168.1.31/32
as the internal subnet. - I added a firewall rule on the WAN interface, protocol TCP, destination
192.168.1.31/32
, port rangeHTTP
-HTTP
. I did the same for another port in the 4000s where I wanted to run SSH.
After doing all of the above, I could not reach the new IP via HTTP, nor could I SSH into the new machine on the alternate SSH port I chose.
I changed the virtual IP to "Proxy ARP" and then to "Other", but neither of those worked either...
Oddly enough, I can SSH to the new IP on port 22, if I run the SSH server on 192.168.1.31:22
. But I can't get to any other ports.
What am I doing wrong here?
Solution 1:
If you haven't looked at the wiki, that's a good place to start:
- NAT 1:1 Re-direction
- Virtual IP Aliases
I'm pretty sure you had it right the first time. You need to set up an IP alias on your public facing interface. The IP address you choose for this alias will of course need to be legitimately routable (your ISP should have given you some publicly accessible IPs).
Can you get command line access and edit your post to include the entirety of your pf rules (pfctl -s rules)?