List:       pfsense-support
Subject:    Re: [pfSense Support] 1:1 NAT - bind actual external IP to an
From:       Chris Buechler <cmb () pfsense ! org>
Date:       2009-12-31 19:19:33
Message-ID: d64aa1760912311119r3374aaefy5c031bbc55366 () mail ! gmail ! com

On Thu, Dec 31, 2009 at 9:52 AM, Karl Fife <karlfife@gmail.com> wrote:
> Like many, I use 1:1 NAT to give one of my public IP addresses to an internal
> host.  This works great for certain applications where the host (such as
> Asterisk) is 'smart' and can be made aware of the fact that the IP address
> bound to its own network interface differs from the one the outside world
> sees and should direct traffic to.  In the case of Asterisk which must know
> its external IP to properly write SDP headers, Asterisk will look to
> the configured external IP address instead of the one it actually sees bound
> to its own NIC.  No problems!
>
> The problem arises when you've got a 'dumber' host that needs to function
> EXACTLY like it has an actual external IP address, but where the traffic
> needs to flow through pfSense (for shaping, policies, IDS/IPS).  I sometimes
> also wish that certain hosts with external addresses NOT have an internal
> address in the event that they become compromised/rooted etc.
>
> Naturally it would be ideal to bind the external IP address directly to an
> optional interface.   My understanding (possibly wrong) is that this was not
> possible (at least) with embedded 1.2-release.   Has anything changed in the
> 1.2.1 or .2 or .3 release that would make this possible?

That's always been possible. Exactly how depends on how many public
IPs you have. Nathan's suggestion will work where you want it on your
LAN, though that violates the "NOT have an internal address" noted
above. You can either add a public IP subnet on an OPT interface, or
bridge OPT to WAN.
