1:1 NAT order only allows 1 external IP to one internal IP, and it's the top one in the order ONLY
-
I am having a really strange issue with doing a 1:1 NAT. I was running this same exact setup on an older version of pfSense (2.6.9, I think?). I have a /28 of public IPv4, and on my older pfSense box, I was able to do a 1:1 NAT for 2 of those public IPs to a single host (172.17.0.50) in my internal network. It worked great.
I did a clean deploy on new hardware and installed 2.7.2 on that new box. I set up everything the same. I set up the Virtual IPs like this:
I was using two of those IPs (ending in .171 and .172) as a 1:1 NAT to a single internal host at 172.17.0.50.
So, I have my 1:1 NAT set up like this:
Notice that the .172 is at the very top. To test, I use an external port checker, and sure enough, when I check for an open port (80 and 443) using the public IP ending in .172 it worked great. BUT .171 would NOT work (like this).
Here's where it gets really weird. If I swap the order of those two in the 1:1 NAT config, putting .171 on top and .172 below it, I can see the port using the .171 but NOT the .172 which was working.
So it appears I can ONLY NAT a single external IP address to a single internal IP address, and the first one in the ordering is the only one that will work. I can swap their order around, save the changes and sure enough, whichever is first in the order works, while the other does NOT.
Is this the expected behavior now? Am I doing something wrong? How can I set this up so that I can 1:1 NAT BOTH of my public IPs into a single host regardless of the ordering on the config page?
-
@CubedRoot
1:1 NAT of multiple IPs to a single backend IP cannot work at all.
1:1 means that packets addressed to the external IP are forwarded to the internal IP AND outbound traffic from the internal IP is NATed to the stated external IP.
While the first part might be possible, the second cannot be done. Which external IP should be used for outbound traffic of the single internal host? The first, the second, both alternating? You should rather configure port forwarding rules for both external IPs.
If you also want to use these IPs for outbound traffic from the server set up an outbound NAT rule for it.
You can translate it to one of them, or to both alternating, by adding both to an alias and using it as the translation address in round-robin mode.
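The setup this reply recommends, written out as a raw pf ruleset. This is an added illustration and not something either poster supplied; pfSense generates equivalent rules from Firewall > NAT > Port Forward and Firewall > NAT > Outbound, so on pfSense you would build it in the GUI rather than paste this. The interface name `vtnet0` and the 203.0.113.171/.172 addresses are placeholders assumed for the example; only the internal host 172.17.0.50 and ports 80/443 come from the thread.

```pf
# Placeholder values (assumed for this example): vtnet0 is the WAN interface,
# 203.0.113.171 and .172 stand in for the two public IPs from the poster's /28.
ext_if  = "vtnet0"
web_srv = "172.17.0.50"

# A pf table is what pfSense generates from an alias. Tables only support the
# round-robin pool type, which is exactly the mode the reply recommends.
table <web_pub> { 203.0.113.171, 203.0.113.172 }

# What 1:1 NAT expresses: one bidirectional mapping per rule. Two binat rules
# with the same internal host cannot both be honoured for traffic the host
# sends out, which is the problem the reply describes. Shown commented out.
# binat on $ext_if from $web_srv to any -> 203.0.113.171
# binat on $ext_if from $web_srv to any -> 203.0.113.172

# Inbound: one port forward per public IP
# (pfSense: Firewall > NAT > Port Forward).
rdr on $ext_if proto tcp from any to 203.0.113.171 port { 80, 443 } -> $web_srv
rdr on $ext_if proto tcp from any to 203.0.113.172 port { 80, 443 } -> $web_srv

# Outbound: connections the server itself opens get one of the two public IPs,
# alternating per new state. Replies to forwarded connections do not use this
# rule; they follow the state created by the rdr above.
# (pfSense: Firewall > NAT > Outbound in hybrid or manual mode, translation
#  address = the alias, pool type = round robin.)
nat on $ext_if from $web_srv to any -> <web_pub> round-robin

# Translation alone does not admit traffic: a filter rule must still pass the
# forwarded connections. pf evaluates filter rules after rdr, so the rule
# matches the internal address. pfSense creates this for you when the port
# forward is saved with "Add associated filter rule".
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 }
```

Two practical notes. On a running pfSense box, `pfctl -sn` prints the translation rules actually loaded, which is the quickest way to confirm what the GUI produced for both public IPs. And round-robin means the source address of outbound connections changes from one connection to the next; if a remote peer whitelists by source IP, append `sticky-address` (`-> <web_pub> round-robin sticky-address`) so each internal source keeps the same translation, or translate to a single address instead.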