How do I set up NAT on a second gateway router which isn't a default gateway?

Posted on 2013-01-23
Medium Priority
Last Modified: 2014-03-17
Here is my current setup
| Router 1 |---|
|----------|   |     |-----|   |--------|
               +-----| Lan |---| Server |
               |     |-----|   |--------|
|----------|   |
| Router 2 |---|

Open in new window

I want to be able to send traffic from the internet coming in on Router 2's public IP to the Server's private IP.
Router 2 is a pfSense router, Router 1 is a simple iptables router. I have set up NAT Port Forwarding on Router 2, but the server is trying to respond to the request via Router 1 because Router 1 is the default router.

How do I hide the IP address that is coming in from the internet so the server will respond through Router 2?
Question by:OAC Technology
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 10

Expert Comment

ID: 38812451
I don't think NAT is a viable option in your scenario; but perhaps you applied NAT at the wrong place?; you should be creating a NAT rule on R2's inside interface. The problem with this is that this will undoubtedly affect other systems using Router2.

I'd suggest looking at the server's routing table and perhaps making the modifications there if possible.

How many interfaces does your server have?

Author Comment

by:OAC Technology
ID: 38814608
My server has one interface, and both routers are on the same subnet, and can the server can access both routers. When someone connects I see it show up in netstat on the server, but since the server attempts to respond to their public IP it goes through the wrong router. Is there a way to make pfSense dynamically keep track of connections and hide the public IP of requesters so the server responds directly to the router?
LVL 10

Accepted Solution

ddiazp earned 2000 total points
ID: 38816895
How about this?:

Go to "firewall --> NAT --> inbound".
Enable manual inbound rule generation.
Create a new rule with:

Interface: WAN/LAN, Source: any, Source-port: any, Destination: Server, Destination-port: service_on_server_or_any, translation: interface address.
CHALLENGE LAB: Troubleshooting Connectivity Issues

Goal: Fix the connectivity issue in the lab's AWS environment so that you can SSH into the provided EC2 instance.  


Author Comment

by:OAC Technology
ID: 38818773
Thanks ddiazp, I tried that but it doesn't seem to actually be translating. Here's what iptstate returns.

                              IPTables - State Top
Version: 1.4          Sort: SrcIP           s to change sorting
Filters:   Source: <my public ip>
Source                  Destination             Proto   State        TTL
<my public ip>:20415       <server private ip>:22            tcp     SYN_RECV       0:00:53

Open in new window

LVL 10

Expert Comment

ID: 38819584
Can you run wireshark or tcpdump, etc. on the server and try to see how this request looks like?

What does pfctl -s nat show?

or Diagnose->States?

Author Comment

by:OAC Technology
ID: 38836699
The server is receiving the request just fine, but it sees the public ip of the requester, and then due to its routing table, it tries getting sent back out using the other router, but because that's on a different IP address, the requester doesn't listen to the response.

Featured Post

Get real performance insights from real users

Key features:
- Total Pages Views and Load times
- Top Pages Viewed and Load Times
- Real Time Site Page Build Performance
- Users’ Browser and Platform Performance
- Geographic User Breakdown
- And more

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question