Netgate Discussion Forum

    Virtual IP and Outbound NAT

    13 Posts 2 Posters 6.8k Views
    • idmax

      Hello all,

      I would like to ask you for help with a small NAT issue. My pfSense has one WAN interface IP and several Virtual IPs. For the Virtual IPs I am using 1:1 NAT to the internal network. For example, the interface IP is 82.82.82.100 and the virtual IPs are 82.82.82.101-105. The server with the mapped virtual IP .101 looks from the internet like .101, which is correct. My question is: is it possible (via outbound NAT) for server .101 to appear as IP 82.82.82.100 to specific (selected) internet IPs or ports? Or is that impossible under the rules of TCP/IP?

      Thank you
      idmax

      • GruensFroeschli

        Yes this is possible.

        We do what we must, because we can.

        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        • idmax

          Nice, and how do I set up the outbound rule, please?

          @GruensFroeschli:

          Yes this is possible.

          • GruensFroeschli

            Firewall --> NAT --> "Outbound"
            enable "Manual Outbound NAT"

            Create rules according to your needs.
            In the field "translation" you can set the VIP.

            We do what we must, because we can.

            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            • idmax

              Yes, I set up a rule:

              Interface: WAN
              Source: 10.0.0.101 (internal IP of the server with public virtual IP 82.82.82.101), mask /32
              Destination: 72.14.207.99 (example Google site where I should look like IP 82.82.82.100), mask /32
              Translation: "Interface address", port empty
              Description: test

              and it is not working. Is it wrong?

              Thanks

              @GruensFroeschli:

              Firewall --> NAT --> "Outbound"
              enable "Manual Outbound NAT"

              Create rules according to your needs.
              In the field "translation" you can set the VIP.

              • GruensFroeschli

                In the field "translation" you can set the VIP.

                You need to create a VIP first.

                We do what we must, because we can.

                Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                • idmax

                  Yes, but I want to map outbound traffic from server .101 to the interface IP (the real WAN IP), in this case 82.82.82.100.

                  @GruensFroeschli:

                  In the field "translation" you can set the VIP.

                  You need to create a VIP first.

                  • GruensFroeschli

                    Ah, you mean you want the 1:1 NATed server to get outbound NAT via the main WAN?

                    That's not possible.
                    The concept of 1:1 NAT is that you NAT all ports bidirectionally.

                    But you can achieve that with normal NAT.

                    1: Delete the 1:1 NAT entry.
                    2: Create a normal NAT entry with a port range from 1 to 65535 to your server and your VIP as the "external address".

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                    • idmax

                      Yes, exactly, thank you very much for your help.

                      @GruensFroeschli:

                      Ah, you mean you want the 1:1 NATed server to get outbound NAT via the main WAN?

                      That's not possible.
                      The concept of 1:1 NAT is that you NAT all ports bidirectionally.

                      But you can achieve that with normal NAT.

                      1: Delete the 1:1 NAT entry.
                      2: Create a normal NAT entry with a port range from 1 to 65535 to your server and your VIP as the "external address".

                      • GruensFroeschli

                        Sorry, I was under the impression that you wanted to NAT the other clients besides the 1:1 NATed server over the VIP too.

                        But why are you using 1:1 NAT in the first place?
                        IMO 1:1 NAT is bad.
                        If you have to forward many many single ports, just create an alias which contains all your ports and use this alias in the normal NAT rule.

                        We do what we must, because we can.

                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                        • idmax

                          @GruensFroeschli:

                          Sorry, I was under the impression that you wanted to NAT the other clients besides the 1:1 NATed server over the VIP too.

                          But why are you using 1:1 NAT in the first place?
                          IMO 1:1 NAT is bad.
                          If you have to forward many many single ports, just create an alias which contains all your ports and use this alias in the normal NAT rule.

                          For me, 1:1 is better for administration and the same security risk as port NAT.

                          Example: if I want to open a port for a new service, then:

                          1:1 NAT - open only the firewall
                          PORTFW - open the firewall and set up the port forward (edit the alias)

                          This is my idea…

                          • GruensFroeschli

                            You can use aliases in the firewall rules as well as in the NAT rules.

                            Meaning if you need to add/forward new ports you just have to change the alias and nothing else.

                            But I disagree that 1:1 NAT is more secure.
                            If anything, it's less "secure" because you forward everything by default and only the firewall blocks connection attempts which are not allowed.

                            We do what we must, because we can.

                            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                            • idmax
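The two setups discussed above (1:1 NAT versus a full-range port forward with ordinary outbound NAT, and one alias shared by the forward and the firewall rule), written as the FreeBSD pf ruleset that pfSense generates under the hood. This is an added illustration, not from the thread or from pfSense itself; the interface name, LAN subnet and port list are assumptions.

```pf
# Added illustration (not from the thread): pf rules behind the two
# pfSense setups discussed. Interface name and LAN subnet are assumed.
ext_if  = "em0"
lan_net = "10.0.0.0/24"
wan_ip  = "82.82.82.100"   # WAN interface address
srv_vip = "82.82.82.101"   # Virtual IP mapped to the server
srv_int = "10.0.0.101"     # server's internal address
# one alias reused by the port forward and the firewall rule (assumed ports)
srv_ports = "{ 80, 443 }"

# --- Setup 1: 1:1 NAT (what the original poster had) ---
# For outbound packets pf consults binat rules before nat rules, so the
# server's traffic is always rewritten to the VIP and the more specific
# outbound NAT rule below is never reached. That is why it "did not work".
binat on $ext_if from $srv_int to any -> $srv_vip
nat on $ext_if from $srv_int to 72.14.207.99 -> $wan_ip   # never matches

# --- Setup 2: port forward (rdr) plus ordinary outbound NAT ---
# Inbound: every TCP/UDP port on the VIP goes to the server (the "1 to
# 65535" port forward). Unlike binat this does not cover protocols
# without ports, e.g. ICMP, so ping to the VIP will not reach the server.
rdr on $ext_if proto { tcp, udp } from any to $srv_vip port 1:65535 -> $srv_int

# Outbound: the first matching nat rule wins, so the exception comes first.
nat on $ext_if from $srv_int to 72.14.207.99 -> $wan_ip   # seen as .100
nat on $ext_if from $srv_int to any          -> $srv_vip  # seen as .101
nat on $ext_if from $lan_net to any          -> $wan_ip   # everyone else

# Filtering runs after translation, so the rule matches the internal
# address. Only ports in the alias are reachable; changing the alias
# updates both the forward and the firewall rule in one place.
block in on $ext_if
pass in on $ext_if proto tcp from any to $srv_int port $srv_ports keep state
```

The `block in` default is what makes either setup safe: in setup 1 it is the only thing standing between the internet and every port on the server, while in setup 2 the forward itself is still all ports, so the alias-based pass rule does the real limiting in both cases.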

                              Good idea :) use the same aliases for firewall and NAT, thanks. In this case it is better to use port forward.

                              Not more secure, but the same as port forward, I think. Both are protected by the firewall. Only if the firewall fails could using 1:1 be more of a security issue.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.