Is 1:1 NAT good for my setup…plz a lil hlp im newbie
-
I have 2 interfaces rl0=LAN and rl1=WAN
ISP gave me this :IP 193.111.222.110
Netmask 255.255.255.252 / 30
Gateway 193.111.222.109
DNS 193.111.111.1, 193.111.111.2
Subnet 212.111.222.224/27
LAN 192.168.1.0/24After readin a while the forums and documentation i decided to follow this setup :
Firewall NAT 1:1 NAT
WAN 212.111.222.225/32 192.168.1.201/32 pc1
WAN 212.111.222.226/32 192.168.1.202/32 pc2
WAN 212.111.222.227/32 192.168.1.203/32 pc3
…...
WAN 212.111.222.252/32 192.168.1.228/32 pc28Firewall Rules LAN Allow * LAN net * * * * Default LAN -> any
Setup for lan machines are like pc1 IP 192.168.1.201 Gateway 192.168.1.254
I have used until now floppyfw, small linux distribution that fitted on floppy :d, and worked fine with
snat, dnat and still working fine but i need some traffic shaping and found pfsense to be easy and nice.As i read in forums 1:1 NAT should be applied only if you dont have an subnet of public ips, but i just dont get it how to do it, the examples i read were very complicated and this should be an simple task.
Any help would be appreciated, thx
-
Hi
I belive what you need is VIP's set up as CARP's, well thats how I've done my setup and it works fine.
I used these posts as guides
[snip…]
Add virtual IPs for all your additional IPs (I suggest using CARP, this way you can add another machine for failover later easily)
- Add 1:1 NATs between the virtual IPs and your internal IPs
- Add firewallrules to allow traffic (destination is your internal IP as nat is applied first and firewallrules are matched after natting)
[…snip]
Credits to Hoba
http://forum.pfsense.org/index.php/topic,1787.0.html
http://forum.pfsense.org/index.php/topic,1833.0.html
or just browse the Carp section of the forum for more tips
-
You may be making it more complex than you have to. You don't really NEED VIPs and 1-1 NAT unless you are hosting a bunch of services on the pc's. Port-forwards work fine for a few services like remote access to the box, a public webserver, etc. You should be able to run pfSense on a pretty much default install (after changing your WAN to static). If you don't need to run public services on the pc's, you could even leave them DHCP. If you want to use some of the /27 ip's, I would just add them as proxy-arp or CARP VIPS and create port-forwards using them as needed.
-
dotdash is right…
And furthermore using 1:1 is a major leak in security even for linux users!
If you're dividing services throug diferent machines there is no problem in using nat and only one port will be exposed. -
1:1 NAT won't automatically open everything to the public unless you create such firewallrules.
-
As hoba said, 1:1 NAT is not a security issue unless you want to make it one. If you have as many IP's as internal servers, it's usually preferable to use 1:1 NAT over port forwarding.
