Issue with Mapping Public IP to Private IP


#1

I am having a problem which I cannot resolve. I have a public IP /29 block assigned to WAN 1 of a Peplink 1350, and I would like to provide 172.16.1.175 with a public IP from the /29 block. When I do a NAT Mapping this works perfectly, however now my whole server is exposed to the public Internet. If I try doing an Inbound Access Rule and select the interface and IP address I would like with the ports needed, this only works for the inbound side and not the outbound side. If I also create an Outbound Firewall Rule, the server now takes the IP of the interface and not one of the IPs in the /29 public block.

I have tried both Inbound Policy and Outbound Policies. The ONLY way this works is if I NAT Map; however, if I NAT Map then it defeats the point of having a firewall, as now my server is accessible on the public Internet.

Also, for clarification, this is for an IP SIP trunk which is using IP auth via a specific public IP address. Again, NAT Mapping works perfectly, however with NAT Mapping my whole server is exposed.

I tried filing a ticket with support@peplink.com but they are hopeless.


#2

How is it exposed to the public internet if it is behind a NAT of 172.16.1.75?

Can you explain what you mean by this?


#3

The PBX (server) is 172.16.1.75 and the Peplink is 172.16.1.1 (gateway).

So the Peplink is the GW for the PBX. The issue I am having is that this ONLY works when I use the NAT Mapping feature; it does not work if I use the inbound or outbound routes.


#4

If you have a specific need to forward only a subset of ports, 1:1 mapping may not be best. You can do it, but you depend on a host level firewall.

Instead, assign a private address to the host and forward the ports on the interface IP of the WAN that you want. You can then use the inbound firewall rules for the private IP as the destination address. You are basically assigning the public IP as an additional IP on the WAN, then forwarding to the Private IP of the server using port forwarding and Allow firewall rules (with the private IP as the destination for the traffic). You then use DNS (public or private) to direct clients to the resource.

Hope this helps.
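
The design discussed in this thread (forward only the needed ports to the private host, allow them in the firewall with the private IP as destination, and keep the host's outbound traffic on the same public IP for the trunk's IP auth), written as a generic Linux nftables ruleset. This is an added illustration, not from the thread and not Peplink configuration. The interface names, the 203.0.113.0/29 block, the provider address 198.51.100.10 and the SIP/RTP ports are constructed assumptions.

```nftables
# Constructed values: replace with your own. Not Peplink syntax.
define wan      = "wan1"
define lan      = "lan"
define pbx      = 172.16.1.75      # private IP of the PBX (from the thread)
define pbx_pub  = 203.0.113.2      # one address from the /29 (placeholder)
define provider = 198.51.100.10    # SIP trunk provider (placeholder)

table ip pbx_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Port forward: only SIP signalling and the RTP range (assumed ports)
        # reach the PBX, instead of a 1:1 mapping of every port.
        iifname $wan ip daddr $pbx_pub udp dport { 5060, 10000-20000 } dnat to $pbx
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Outbound side: the PBX leaves with the same public IP the provider
        # authenticates, not the WAN interface address.
        oifname $wan ip saddr $pbx snat to $pbx_pub
        # Every other LAN host uses the interface address.
        oifname $wan masquerade
    }
}

table ip pbx_filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # LAN-initiated traffic is allowed out.
        iifname $lan oifname $wan accept
        # Inbound allow rule evaluated after DNAT, so the destination is the
        # private IP; restricted to the provider's source address.
        iifname $wan ip saddr $provider ip daddr $pbx udp dport { 5060, 10000-20000 } accept
        # Anything else addressed to the PBX falls through to policy drop.
    }
}
```

On a Linux router, `nft list ruleset` shows the loaded rules, and a packet capture on the WAN interface confirms that traffic from the PBX leaves with the intended public source address.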