Case: Solving a problem with NAT
Special NAT configuration with pfSense
1. The problem and solution
We have a web server installed on our LAN side. The IP address of this web server is hard-coded in software on all of our PCs. We must give access to this server from the Internet, so we need to move it to a DMZ.
We physically move the server and give it a new IP address from the DMZ subnet.
To work around the hard-coded IP in the software on all our PCs, we 'simulate' the server's presence with NAT.
2. Configuration of pfSense
Step 1: Creating a Virtual IP
Create the Virtual IP for this server under the menu Firewall => Virtual IP. Add a new Virtual IP with these options:
- Type: Proxy ARP (so that pfSense responds to ARP requests for this IP)
- Interface: LAN (the interface on which the virtual server appears)
- IP address: 192.168.1.10 (the virtual IP of this server)
Step 2: Create the NAT port forward rule
Now we create a port forward rule under Firewall => NAT => Port forward. Add a new rule with these options:
- Interface: LAN (the interface your PCs' traffic comes from)
- External address: select the previously created Virtual IP « 192.168.1.10 »
- Protocol: TCP
- External port range: HTTP (the port the PCs use to access the web server)
- NAT IP: 192.168.2.10 (the real IP address of the server in the DMZ)
- Local port: HTTP (the real TCP port of the web server)
- Uncheck: Auto-add a firewall rule to permit traffic through this NAT rule (because, by default, all traffic is authorized from the LAN interface to the DMZ)
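To illustrate what the two steps do to each packet, here is a small Python model of the port forward, added as an example and not taken from pfSense or from the original post. The client address 192.168.1.50, the source ports and the class and method names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Values from the page: virtual IP on the LAN, real server in the DMZ, HTTP only.
RULE = {"proto": "tcp", "ext_ip": "192.168.1.10", "ext_port": 80,
        "nat_ip": "192.168.2.10", "local_port": 80}

class PortForward:
    """Toy model of a stateful port forward (illustration, not pfSense code)."""

    def __init__(self, rule):
        self.rule = rule
        self.states = {}  # (client ip, client port) -> address the client dialed

    def from_lan(self, p):
        """Request arriving on LAN: rewrite the destination if the rule matches."""
        r = self.rule
        if (p.proto, p.dst, p.dport) != (r["proto"], r["ext_ip"], r["ext_port"]):
            return None  # rule does not match: not forwarded to the DMZ server
        self.states[(p.src, p.sport)] = (p.dst, p.dport)
        return Packet(p.proto, p.src, p.sport, r["nat_ip"], r["local_port"])

    def from_dmz(self, p):
        """Reply from the server: restore the address the client dialed."""
        r = self.rule
        orig = self.states.get((p.dst, p.dport))
        if orig is None or (p.src, p.sport) != (r["nat_ip"], r["local_port"]):
            return None  # not a reply to a forwarded connection
        return Packet(p.proto, orig[0], orig[1], p.dst, p.dport)

if __name__ == "__main__":
    nat = PortForward(RULE)
    # Constructed sample traffic; 192.168.1.50 is a hypothetical LAN PC.
    req = Packet("tcp", "192.168.1.50", 51000, "192.168.1.10", 80)
    print("to DMZ :", nat.from_lan(req))
    reply = Packet("tcp", "192.168.2.10", 80, "192.168.1.50", 51000)
    print("to PC  :", nat.from_dmz(reply))
    https = Packet("tcp", "192.168.1.50", 51001, "192.168.1.10", 443)
    print("HTTPS  :", nat.from_lan(https))
```

The last case shows that only TCP port 80 is covered: if the PC software also reaches the server on another port, that port needs its own port forward rule.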